SQL Spida is a web-based JavaScript worm. Spida
was first discovered in May 2002. The worm spreads by attempting
to infect computers running Microsoft SQL Server
with a blank 'SA' password. The worm uses port 1433.
As part of the infection, SQL Spida copies the files below
to the Windows System32 directory on the PCs that it infects:
sqlexec.js
clemail.exe
sqlprocess.js
sqlinstall.bat
sqldir.js
run.js
timer.dll
samdump.dll
pwdump2.exe
Spida sends information from the SQL database, IP &
password information to ixltd@postone.com.
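A host can be checked for the file names listed above with a short script. This is an added example, not part of the original advisory; the default path %SystemRoot%\System32 and the function names are assumptions.

```python
import os
import sys
import time

# File names the page lists as copied into System32 during infection.
SPIDA_FILES = {
    "sqlexec.js", "clemail.exe", "sqlprocess.js", "sqlinstall.bat",
    "sqldir.js", "run.js", "timer.dll", "samdump.dll", "pwdump2.exe",
}


def default_system32():
    """Assumed default location: %SystemRoot%\\System32."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")


def find_spida_files(directory):
    """Return sorted (name, size, mtime) tuples for listed files in directory.

    Matching is case-insensitive because Windows file names are; only the
    top level is checked, since the page names System32 itself.
    """
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file() and entry.name.lower() in SPIDA_FILES:
                st = entry.stat()
                hits.append((entry.name, st.st_size, st.st_mtime))
    return sorted(hits, key=lambda h: h[0].lower())


def report(directory):
    """Print one line per hit and return the number of hits."""
    hits = find_spida_files(directory)
    for name, size, mtime in hits:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
        print(f"{name}\t{size} bytes\tmodified {stamp}")
    if not hits:
        print(f"No listed Spida files found in {directory}")
    return len(hits)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else default_system32()
    sys.exit(1 if report(target) else 0)
```

Some of the listed names, such as run.js and timer.dll, are generic, so a match is a reason to inspect the file rather than proof of infection.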
The Defence Network recommends giving the SA account
for SQL Server a password. To do this, go into the C:\MSSQL7\BINN
or your SQL BINN folder and issue the command:
osql -E -Q "sp_password NULL,newpassword,sa"
*newpassword is the new password for the SA account.
Finjan SurfinGate active web-based content inspection
will stop Spida, and other known & unknown malicious
web-based active content attacks. These web-based threats
include scripts, plug-ins, ActiveX, and cookies.