CBlade worm infects Microsoft SQL Servers

cblade-worm (7610)

High Risk

Description:

The CBlade SQL Worm was designed propagate by exploiting a common misconfiguration in the Microsoft SQL Server Database. The worm then installs a DDoS (Distributed Denial of Service) component that uses the IRC (Internet Relay Chat) network to communicate with the worm author(s).

The CBlade worm includes two main components:

• MS-SQL server scanning and infection
• IRC component for remote control of infected systems as DDoS zombies

The worm scans the Internet for potential victims, and attempts to brute force connections to the "master" database with the "sa" account (the most privileged account on a Microsoft SQL Server). Any Microsoft SQL installation may be vulnerable if it is installed with a missing or weak "sa" account password. Once a target has been discovered, the worm uses the MS-SQL stored procedure "xp_cmdshell" to execute arbitrary commands. The CBlade worm uses the procedure to initiate a FTP connection to an external host to download and run the worm executable.

Platforms Affected:

• Microsoft, SQL Server 6.0
• Microsoft, SQL Server 6.5
• Microsoft, SQL Server 7.0
• Microsoft, Windows 2000
• Microsoft, Windows NT 4.0
• Microsoft, Windows XP

Remedy:

The worm infects the victim computer by adding itself to the system's registry, so that the worm will be executed when the system is rebooted. It creates a key under the name "TaskReg", in the following location in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The value of this entry is the path of the worm executable, where the filename of the worm executable is typically "DNSSERVICE.EXE".

To remove the worm:

1. Locate the path and the name of the worm executable from the registry.
2. Terminate the worm process.
3. Delete the registry entry.
4. Locate the worm executable, and delete it from the file system.

Consequences:

Gain Access

References:

• SecuriTeam Mailing List, Windows NT focus 21 Aug 2000, Microsoft releases safeguard guide for the MS SQL blank 'sa' vulnerability at http://www.securiteam.com/windowsntfocus/5EP0O0K2AS.html.
• Symantec Security Response, W32.Cblade.Worm at http://www.sarc.com/avcenter/venc/data/w32.cblade.worm.html.
• ZDNet News Web site, Hybrid DDoS worm strikes MS servers at http://www.zdnet.com/zdnn/stories/news/0,4586,2826892,00.html?chkpt=zdnnp1tp02.

Reported:

Nov 21, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page