AUSCERT External Security Bulletin Redistribution

         ESB-2002.239 -- Internet Security Systems Security Alert
                   Microsoft SQL Spida Worm Propagation
                                23 May 2002


        AusCERT Security Bulletin Summary

Product:                Microsoft SQL Server
Vendor:                 Microsoft
Impact:                 Denial of Service
                        Reduced Security
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------


Internet Security Systems Security Alert
May 21, 2002

Microsoft SQL Spida Worm Propagation


ISS X-Force has learned of a worm that is spreading via Microsoft SQL
servers. The Spida worm is responsible for large amounts of Internet
traffic as well as millions of TCP/IP probes at the time of this alert’s
publication. This worm attempts to locate and login to MS/SQL servers
with the "sa" account and a blank password. Once a vulnerable computer
is found, the worm will infect that target, send its configuration and
password information to an external host, and begin scanning for new


Although the Spida worm is not destructive to the infected host, it may
generate a damaging level of network traffic when it scans for
additional targets. The scanner bundled with the worm is multi-threaded
and is capable of scanning with 100 threads. A large amount of network
traffic is created by the worm, which scans both internal and external
IP addresses for vulnerable servers.


The Spida worm propagates via Microsoft SQL installations with
administrator accounts that have no passwords defined. Although
Microsoft recommends that the "sa" account be set upon installation,
many servers are not properly secured. If the worm finds a vulnerable
server, it will attempt to execute its startup script by running the
"xp_cmdshell" function, which is the SQL call used to execute system
commands within SQL queries.

The main function of the Spida worm is to export an infected server’s
SAM password database and forward information about its network and
database configuration.

The worm installs all of its files into the Windowssystem32 directory
except for services.exe, which is installed into the
Windowssystem32drivers directory. Each of these files has a distinct
function which is outlined below:

sqlprocess.js - This is the worm’s main payload. It holds IP address
arrays which are later used in the services.exe scanner. It executes
"ipconfig /all" and appends this information to send.txt. This script
then runs sqldir.js and appends all of the server’s database information
to send.txt. It then executes pwdump2 and appends the password hashes to
send.txt, then runs clemail.exe and mails send.txt to ixltd@postone.com.
After the email is sent, send.txt is destroyed and services.exe is run
to scan for other vulnerable servers. This information is appended to
rdata.txt, which the worm uses to attempt to propagate with the username
"sa" and a null password. The sqlprocess.js file sets the registry value
dbmssocn to configure the SQL server to use the Winsock TCP/IP library
instead of the default DBNETLIB library:
It also turns on the NetDDE service, allowing SQL to use the DDE

sqlexec.js - This is a script used by sqlprocess.js to execute
xp_cmdshell. sqlinstall.bat is run within this instance of xp_cmdshell.

sqldir.js - Collects a list of databases on the infected system. Later,
sqlprocess.js writes this information in send.txt to send to

run.js - This script passes time information to and from timer.dll.

sqlinstall.bat - Installs the worm then hides the files.

clemail.exe - Simple mail program used to email out the send.txt file.

services.exe - Scanner used by the worm to scan for other SQL servers on
port 1433. This information is appended into the rdata.txt file. This
file is multi-threaded and scans internal IP addresses before performing
an external IP address sweep.

pwdump2.exe - Injects samdump.dll into lsass.exe (a Windows program that
performs the authentication of log-on credentials) in order to grab raw
NTpassword hashes.

samdump.dll - Uses the same API that msv1_0.dll uses to capture Windows
password hashes.

timer.dll - A counter used for installation and other functionality of
the worm.


Microsoft SQL Server customers should refer to the following address for
information and securing Microsoft SQL Server:

ISS Database Scanner product implemented a check for a blank
administrator password in December of 1998. Database Scanner customers
are encouraged to enable this check if they have not done so. For more
information, refer to:

ISS RealSecure Network Sensor customers may use the following connection
event to detect access attempts to the SQL Server port. Follow the
instructions below to apply the connection event to your policy. This
connection event will detect legitimate connection attempts to MS/SQL
1. Choose a policy you want to use, and click Customize.
2. Select the Connection Events tab.
3. Click Add on the right hand side of the dialog box.
4. Create a Connection Event.
5. Type in a name of the event, such as "MS/SQL Port Probe".
6. In the Response field for the event, select the responses you want to
In the Protocol field, select TCP.
In the Dest Port/Type field click the pull down box and create an entry
for TCP port 1433:
a. Click Add.
b. Select TCP Protocol.
c .Name the service "MS/SQL Port Probe".
d. Use 1433 for the port number.
e. Click OK.
f. Select the entry just created.
7. Save changes and close the window.
8. Click Apply to Sensor or Apply to Engine depending on the version of

To create a user-defined event RealSecure Server Sensor:
1. Open the desired policy.
2. Expand the Connections tree on the Protect view.
3. Expand the User Defined Suspect Connections branch.
4. Click Add to add a new User Defined Suspect Connections event
5. Name the event, SQL_Connection.
6. Select the desired responses under the response column.
7. Enter "1433" under the port column.
8. Save the Policy and apply it to the sensor.

ISS BlackICE customers should monitor and/or enable the "SQL Port Probe"
event. This event will detect probes by the Spida worm.

ISS X-Force will provide assessment support for this vulnerability in an
upcoming X-Press Update for Internet Scanner.


About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce@iss.net for

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

Version: 2.6.2


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key