JS.Spida.B
First posted on 21 November 2011.
Source: BitDefender
Aliases: JS.Spida.B is also known as N/A.
Explanation:
The file "sqlprocess.js" installs itself as a service so that it runs again at system restart. To do so it writes the following registry values:
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE\ImagePath"
with the value "cmd.exe /c start netdde && sqlprocess init" and
"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE\Start"
with the value "2" (automatic start).
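The persistence above leaves a very specific footprint: a service whose ImagePath is a cmd.exe one-liner rather than a service binary, with Start set to 2. The following is an added example (not BitDefender's code and not part of the original write-up) that parses a constructed .reg-style export and flags services matching that footprint. The sample registry text, the key and value names, and the decision rule are assumptions modelled on the description above; on a live host the same logic would run over a `reg export` of the Services key.

```python
import re
from typing import Dict, List

# Constructed .reg-style export modelled on the persistence indicators described
# above (hypothetical sample, not a real capture). Backslashes inside quoted
# values are doubled, as in a real .reg export.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetDDE]
"ImagePath"="cmd.exe /c start netdde && sqlprocess init"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"Start"=dword:00000002
"""

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export into {key_path: {value_name: value}}.
    Only quoted string values and dword values are handled, which is all the
    indicators above need; dwords are normalised to decimal strings."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.lower().startswith("dword:"):
                val = str(int(val[6:], 16))
            elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace("\\\\", "\\")
            keys[current][name] = val
    return keys


def find_spida_persistence(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the names of services whose configuration matches the JS.Spida.B
    persistence described above: an ImagePath that launches cmd.exe to run
    'sqlprocess', combined with Start=2 (auto-start at boot)."""
    prefix = (SERVICES_KEY + "\\").lower()
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        service = path[len(prefix):]
        image = values.get("ImagePath", "").lower()
        if "cmd.exe" in image and "sqlprocess" in image and values.get("Start") == "2":
            hits.append(service)
    return hits


def find_cmd_launched_services(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Broader heuristic, independent of this family: any service whose
    ImagePath starts with cmd.exe deserves review, since legitimate services
    point at a service binary, not at a shell command line."""
    prefix = (SERVICES_KEY + "\\").lower()
    return [
        path[len(prefix):]
        for path, values in keys.items()
        if path.lower().startswith(prefix)
        and values.get("ImagePath", "").lower().lstrip('"').startswith("cmd.exe")
    ]


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    print("Spida-style persistence:", find_spida_persistence(parsed))
    print("cmd.exe-launched services:", find_cmd_launched_services(parsed))
```

The family-specific rule catches this sample exactly; the broader cmd.exe rule is the one worth keeping in a baseline check, because hijacking an existing service name (here NetDDE) is what lets the entry blend in with legitimate auto-start services.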
It collects into the file "send.txt" information about the local machine: IP addresses, local passwords (through the pwdump2.exe tool) and information from local databases (through the file sqldir.js).
It sends the information collected from the local system to the email address "ixltd @ postone.com". It then generates random IP addresses and tries to connect to these addresses on port 1433 (SQL Server connection).
If the connection succeeds, it calls the batch file "sqlinstall.bat" with the successful IP address as an argument. The file "sqlinstall.bat" installs the virus on the remote SQL Server. It copies the following files to the remote "system32" folder:
sqlexec.js
clemail.exe
sqlprocess.js
sqlinstall.bat
sqldir.js
run.js
driversservices.exe
timer.dll
samdump.dll
pwdump2.exe
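The spreading step above (random IP addresses, TCP port 1433, install on every host that answers) is visible from the network side as one source fanning out to many unrelated destinations on 1433. The block below is an added example, not part of the original write-up, that runs that detection over a constructed set of connection records; the record format, the sample addresses and the threshold are assumptions, and the rule generalises beyond this family to any single-port SQL Server sweep.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed connection records (src_ip, dst_ip, dst_port, outcome), written by
# hand to resemble the scanning behaviour described above; not real traffic.
SAMPLE_FLOWS = [
    # Source 10.0.0.5 sprays TCP/1433 across unrelated addresses; one answers
    ("10.0.0.5", "198.51.100.7", 1433, "rst"),
    ("10.0.0.5", "203.0.113.44", 1433, "rst"),
    ("10.0.0.5", "192.0.2.19", 1433, "timeout"),
    ("10.0.0.5", "198.51.100.201", 1433, "rst"),
    ("10.0.0.5", "203.0.113.8", 1433, "established"),
    ("10.0.0.5", "192.0.2.77", 1433, "timeout"),
    # Source 10.0.0.9 is an application server talking to its two databases
    ("10.0.0.9", "10.0.1.10", 1433, "established"),
    ("10.0.0.9", "10.0.1.11", 1433, "established"),
    ("10.0.0.9", "10.0.1.10", 1433, "established"),
    # Unrelated web traffic from 10.0.0.5, ignored by the rule
    ("10.0.0.5", "203.0.113.8", 443, "established"),
]


def flag_sql_scanners(
    flows: List[Tuple[str, str, int, str]], threshold: int = 5
) -> List[Tuple[str, int, List[str]]]:
    """Return (source, distinct_1433_targets, established_targets) for every
    source that attempted TCP/1433 to more than `threshold` distinct hosts.

    Repeated connections to the same database server count once, so a normal
    application server with a handful of databases stays below the threshold.
    The established list is what an incident responder checks first: those are
    the hosts the worm would hand to sqlinstall.bat for installation."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    established: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, port, outcome in flows:
        if port != 1433:
            continue
        targets[src].add(dst)
        if outcome == "established":
            established[src].add(dst)
    return sorted(
        (src, len(dsts), sorted(established[src]))
        for src, dsts in targets.items()
        if len(dsts) > threshold
    )


if __name__ == "__main__":
    for src, count, succeeded in flag_sql_scanners(SAMPLE_FLOWS):
        print(f"{src}: {count} distinct SQL Server targets, reached: {succeeded}")
```

Tune the threshold to the environment: on a segment where every legitimate SQL client talks to a known, short list of servers, even a low threshold over a short window gives a clean signal, and the established targets are the candidates to check for the file drop and the NetDDE service change described above.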
It also modifies the Guest user on the remote system: it deactivates the Guest user and removes it from the group "Local Admins" and the local group "Administrators".
Last update: 21 November 2011