The following has been derived from information provided by Network Associates, Symantec and Trend.
Virus Characteristics
This worm targets Microsoft SQL Server. It probes the Internet for SQL servers listening on TCP port 1433 and compromises those whose built-in SQL administrator account "SA" has a blank (NULL) password, so no exploit is involved: a server with a default, unset SA password is all the worm needs. For information on securing your SQL Server see:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q313418
It copies the following files to the hard drive:
\System32\Drivers\Services.exe
This is a port scanner that the worm uses to find other SQL servers listening on port 1433.
\System32\Sqlexec.js
This is a JavaScript file that is used by the worm to execute command line functions on the remote computer.
\System32\Clemail.exe
This is a command-line email utility. The worm uses this program to email the IP address and SQL information of the compromised server to the virus writer.
\System32\Sqlprocess.js
This JavaScript file runs SQLDIR.JS, IPCONFIG /ALL and PWDUMP2, redirecting the output of each tool to SEND.TXT. The contents of SEND.TXT are placed into the body of an email message and sent to the address xltd@postone.com. It then scans for vulnerable computers on networks whose IP addresses begin with 10, 127, 172 or 192 (the first octets of the private and loopback ranges). When it finds a vulnerable computer, it executes the file \system32\sqlinstall.bat, which installs the worm on the remote computer.
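The two network behaviours described above, the fan-out scan to TCP/1433 followed by an outbound SMTP connection carrying the collected data, are what a defender can see in perimeter logs. The following is an added example (not code from the vendors' writeups or from the worm) that flags both patterns over a constructed firewall log; the log format, the source addresses and the 60-second/10-host thresholds are assumptions chosen for illustration.

```python
"""Flag SQLSnake-style behaviour in firewall logs (added example).

Two signatures from the advisory: a host connecting to many distinct
targets on TCP/1433 in a short window (the worm's port scanner), then
opening an outbound SMTP connection (the worm mailing SEND.TXT out).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not from any real network. Assumed format:
# "<ISO timestamp> <action> <proto> <src_ip>:<sport> <dst_ip>:<dport>".
SAMPLE_LOG = """\
2002-05-21T10:00:01 ALLOW TCP 192.168.1.20:3312 192.168.1.50:1433
2002-05-21T10:00:01 ALLOW TCP 192.168.1.20:3313 192.168.1.51:1433
2002-05-21T10:00:02 ALLOW TCP 192.168.1.20:3314 192.168.1.52:1433
2002-05-21T10:00:02 ALLOW TCP 192.168.1.20:3315 192.168.1.53:1433
2002-05-21T10:00:03 ALLOW TCP 192.168.1.20:3316 192.168.1.54:1433
2002-05-21T10:00:03 ALLOW TCP 192.168.1.20:3317 192.168.1.55:1433
2002-05-21T10:00:04 ALLOW TCP 192.168.1.20:3318 192.168.1.56:1433
2002-05-21T10:00:04 ALLOW TCP 192.168.1.20:3319 192.168.1.57:1433
2002-05-21T10:00:05 ALLOW TCP 192.168.1.20:3320 192.168.1.58:1433
2002-05-21T10:00:05 ALLOW TCP 192.168.1.20:3321 192.168.1.59:1433
2002-05-21T10:00:06 ALLOW TCP 192.168.1.20:3322 192.168.1.60:1433
2002-05-21T10:00:09 ALLOW TCP 192.168.1.20:3330 203.0.113.25:25
2002-05-21T10:01:00 ALLOW TCP 192.168.1.77:4001 192.168.1.50:1433
2002-05-21T10:01:05 ALLOW TCP 192.168.1.77:4002 192.168.1.50:1433
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, _action, _proto, src, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src_ip, dst_ip, int(dport)


def find_sql_scanners(log_text, window_seconds=60, min_targets=10):
    """Return {src_ip: max distinct TCP/1433 targets seen in any window}
    for hosts that reach at least min_targets distinct hosts on 1433
    within window_seconds. A client that reconnects to its own SQL server
    repeatedly has one target and is not flagged."""
    hits = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == 1433:
            hits[src].append((ts, dst))

    scanners = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct targets in the window starting at this event.
            targets = {d for t, d in events[i:]
                       if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


def find_exfil_smtp(log_text, scanners):
    """Outbound SMTP (TCP/25) from a host already flagged as a scanner,
    consistent with the worm mailing SEND.TXT to the virus writer.
    Returns a list of (src_ip, dst_ip) pairs."""
    found = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport = parse_line(line)
        if dport == 25 and src in scanners:
            found.append((src, dst))
    return found


if __name__ == "__main__":
    scanners = find_sql_scanners(SAMPLE_LOG)
    for src, n in scanners.items():
        print(f"{src}: probed {n} hosts on TCP/1433 within 60s")
    for src, dst in find_exfil_smtp(SAMPLE_LOG, scanners):
        print(f"{src}: outbound SMTP to {dst} after scanning")
```

On the sample log only 192.168.1.20 is reported: it touches eleven distinct hosts on 1433 in five seconds and then connects out on port 25, while 192.168.1.77 is a normal client talking to a single server. The scan window and threshold should be tuned to the environment; an internal vulnerability scanner will trip the first check but not the second.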
\System32\Sqlinstall.bat
This batch file enables the Guest account, sets its password to a set of 4 random characters, and adds Guest to the Administrators and Domain Admins groups, giving the worm an administrative login on the remote host. It then checks for the presence of \system32\cscript.exe (the Windows Script Host, needed to run the worm's .js files).
If cscript.exe is found, it checks whether the worm has already copied %SystemRoot%\system32\regedt32.exe to %SystemRoot%\regedt32.exe. That copy serves as an infection marker: if it is present, the script exits.
Otherwise, it copies the following files to the default system share of the remote computer:
\System32\Drivers\Services.Exe
\System32\Sqlexec.Js
\System32\Clemail.Exe
\System32\Sqlprocess.Js
\System32\Sqlinstall.Bat
\System32\Sqldir.Js
\System32\Run.Js
\System32\Timer.Dll
\System32\Samdump.Dll
\System32\Pwdump2.Exe
After copying these files it changes the remote SQL administrator (SA) password to a set of 4 random characters, locking the legitimate administrator out of the account. Once this is completed it triggers the remote computer to execute the file Sqlprocess.js.
\System32\Sqldir.js
This is a JavaScript file that the worm uses to collect Table and Row information from the SQL server.
\System32\Run.js
This is a JavaScript file that the worm uses to trigger the remote computers to execute the worm.
\System32\Timer.dll
This is a DLL that the worm registers on the infected system. It is a simple timer component.
\System32\Samdump.dll
This is a DLL that the worm copies to infected machines; it is the companion library of pwdump2 and does not appear to perform malicious actions on its own.
\System32\Pwdump2.exe
This is the pwdump2 utility, which the worm uses to dump the password hashes from the infected computer's SAM; its output goes into SEND.TXT and is emailed to the virus writer.
Payload
Deletes files.
Sends the compromised server's IP address, network configuration, SQL table information and password hashes to the virus writer.
Changes the SQL administrator password to a set of 4 random characters.
Preventative Measures
Secure your SQL Server: set a strong, non-blank password on the SA account (or use Windows Authentication only) and follow:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q313418
Block the default MS SQL Server port of 1433 at the perimeter wherever possible, and watch for hosts making repeated outbound connections to port 1433 and for the dropped files listed above.
Fixes Available
Network Associates: DAT 4204 or later, released 05/22/2002
Symantec: Virus Definitions (Intelligent Updater) May 21, 2002; Virus Definitions (LiveUpdate) May 22, 2002
Trend: Pattern File 288 (Beta), May 20, 2002