SECURITY ALERT

Name:      W32.Cblade.Worm
Aliases:   W32/Cblade.worm, Worm_CBlad.A, SQL Worm, Cblade
Variants:  
Type:      Worm
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 1 (low)

The following has been derived from information provided by F-Secure, NAI, Symantec, and Trend.

Virus Characteristics

W32.Cblade.Worm uses a Microsoft SQL Server exploit to propagate. Default installations of MS SQL 7 leave the Administrator account with an empty password.

The worm scans the Internet for vulnerable MS SQL servers listening on port 1433. When a vulnerable system is found, it sends a malicious packet containing commands to run xp_cmdshell, which can be used to run DOS commands directly from the SQL server. The worm then connects to a compromised ftp site (philamuseum.netreach.net) at 207.29.192.160 and logs in as USER: ftp and PASSWORD: foo.com. (The components on the ftp site have since been removed.) It then uses a get command to download the file Dnsservice.exe.

When the Dnsservice.exe is executed, it creates a registry entry that will enable it to run on boot up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    TaskReg = <path and filename of worm>

It then performs a DNS lookup for: bots.kujikiri.net. The DNS server will respond with the following six IRC servers:

65.161.40.1
198.31.213.184
64.154.61.232
205.188.253.223
205.188.253.230
209.116.7.97

The worm then randomly selects one of these IRC servers and connects to it on TCP port 6669. Once a connection is made, the compromised SQL server listens and waits for commands from the attacker.
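The alert above lists the artifacts a compromised host leaves behind: a scanning sweep on TCP/1433, a download from the ftp drop site, the TaskReg Run value pointing at Dnsservice.exe, a DNS lookup for bots.kujikiri.net, and a check-in to one of the six IRC servers on TCP/6669. The following Python script is an added example (not part of the alert or any vendor's tooling) that matches these indicators against connection records, DNS query records and exported Run-key entries. The log line formats and all sample data are constructed for illustration; the IP addresses, hostname, port numbers, registry key and file name are the ones quoted in the alert.

```python
"""Added example: match host and network artifacts against the
W32.Cblade.Worm indicators quoted in the alert. Log formats are
constructed assumptions, not any product's real format."""
import re
from collections import defaultdict

# Network indicators from the alert.
IRC_SERVERS = {
    "65.161.40.1", "198.31.213.184", "64.154.61.232",
    "205.188.253.223", "205.188.253.230", "209.116.7.97",
}
IRC_PORT = 6669
FTP_DROP_HOST = "207.29.192.160"   # philamuseum.netreach.net in the alert
BEACON_DOMAIN = "bots.kujikiri.net"
SQL_PORT = 1433

# Host indicators from the alert.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "TaskReg"
DROPPER_NAME = "dnsservice.exe"

# Constructed record formats (assumptions):
#   connection: "<ts> <src>:<sport> -> <dst>:<dport>"
#   dns query : "<ts> <client> query <name>"
CONN_RE = re.compile(r"^(\S+) (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)$")
DNS_RE = re.compile(r"^(\S+) (\d+(?:\.\d+){3}) query (\S+)$")


def classify_connection(line):
    """Return (src, tag) for one connection record that matches an indicator, else None."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    _ts, src, _sport, dst, dport = m.groups()
    dport = int(dport)
    if dst in IRC_SERVERS and dport == IRC_PORT:
        return src, "irc_c2"        # bot checking in to the IRC controller
    if dst == FTP_DROP_HOST and dport == 21:
        return src, "ftp_dropper"   # fetching Dnsservice.exe from the drop site
    return None


def find_sql_sweeps(lines, min_targets=20):
    """Sources that opened TCP/1433 to at least min_targets distinct hosts
    (the worm's scanning phase). Returns {src: distinct_target_count}."""
    targets = defaultdict(set)
    for line in lines:
        m = CONN_RE.match(line.strip())
        if m and int(m.group(5)) == SQL_PORT:
            targets[m.group(2)].add(m.group(4))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_beacon_lookups(dns_lines):
    """Clients that resolved the worm's controller name (trailing dot tolerated)."""
    hits = set()
    for line in dns_lines:
        m = DNS_RE.match(line.strip())
        if m and m.group(3).rstrip(".").lower() == BEACON_DOMAIN:
            hits.add(m.group(2))
    return sorted(hits)


def check_run_entries(entries):
    """entries: (key, value_name, data) tuples exported from the registry.
    Flags the TaskReg value or any Run entry whose data ends in the dropper name."""
    findings = []
    for key, name, data in entries:
        if key.lower() != RUN_KEY.lower():
            continue
        if name == RUN_VALUE or data.lower().endswith(DROPPER_NAME):
            findings.append((name, data))
    return findings


# Constructed sample data: one infected host (10.0.0.5) and one clean host (10.0.0.9).
SAMPLE_CONN = (
    ["t1 10.0.0.5:1036 -> 192.0.2.%d:1433" % i for i in range(1, 31)]
    + ["t2 10.0.0.5:1037 -> 207.29.192.160:21",
       "t3 10.0.0.5:1038 -> 205.188.253.223:6669",
       "t4 10.0.0.9:2000 -> 203.0.113.7:80"]
)
SAMPLE_DNS = ["t2 10.0.0.5 query bots.kujikiri.net.", "t2 10.0.0.9 query example.com."]
SAMPLE_RUN = [
    (RUN_KEY, "TaskReg", r"C:\WINNT\system32\Dnsservice.exe"),
    (RUN_KEY, "Example Tool", r"C:\Program Files\Example\tool.exe"),
]


def report():
    """Aggregate all findings over the sample data into one dict."""
    tagged = [r for r in map(classify_connection, SAMPLE_CONN) if r]
    return {
        "sql_sweeps": find_sql_sweeps(SAMPLE_CONN),
        "connections": sorted(set(tagged)),
        "beacon_lookups": find_beacon_lookups(SAMPLE_DNS),
        "run_entries": check_run_entries(SAMPLE_RUN),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```

The sweep threshold (20 distinct 1433 targets) is a tuning choice, not a figure from the alert; on a network with legitimate SQL clients it should be raised, or the check restricted to hosts that are not known SQL clients. Any single hit on the IRC, ftp, DNS or Run-key indicators is a strong signal on its own, since none of those values has a benign reason to appear on a SQL server.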


Preventative Measures

Set a password for the Administrator account in Microsoft SQL; default installations leave it empty.


Fixes Available

Network Associates: 4173 DAT file, to be released 11/28/01
Symantec: 11/24/01
Trend: Pattern file 170 or 970
