
By Robert Vamosi
Posted on ZDNet News: May 21, 2002 8:00:00 PM

Spida (js.spida.b.worm, also known as Double Tap and SQLSnake) is an Internet worm now attacking Microsoft SQL servers worldwide.

Written in JavaScript, Spida actively scans port 1433 looking for SQL servers whose system administrator (SA) account has a blank password.

According to the SANS Institute, a computer research organization, system administrators began noticing an upsurge in scans on port 1433, which is used by Microsoft's SQL servers, on Monday, May 20, 2002. Within the first 12 hours, the number of scanned and infected systems rose sharply to more than 1,600, and those systems are now scanning for others on the Internet.

In addition to port scanning, the worm collects and e-mails passwords from the infected servers. Users of Microsoft Windows 95, 98, or Me are not affected by the Spida worm.

How it works
Spida includes a UPX-compressed version of FScan and a Trojan horse that actively scans port 1433 on randomly generated IP addresses. It looks for other SQL servers on the Internet running with the default settings including blank system administrator passwords. Once it's found a system, Spida infects it and continues scanning for other vulnerable SQL servers. On the infected system, Spida collects passwords and e-mails them back to the presumed creator of this worm.

According to SANS, the password dump tool works only if Syskey is not enabled, which is the default condition for NT 4.0. Syskey is enabled by default in Windows 2000 and XP. According to various news organizations, the e-mail address used by Spida is now overloaded.

Prevention
SANS recommends that system administrators of SQL servers take the following actions:

  • Block traffic to port 1433 TCP.
  • Install the Microsoft patch included with MS02-020, then set a strong SA password (longer than 8 characters).
  • Block all e-mail to ixltd@postone.com (currently not accepting new e-mail).
  • Enable Syskey.
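The two observable signs described above, a single source touching many hosts on TCP port 1433 in a short time, and port 1433 being reachable from outside at all, can both be checked from firewall logs. The following Python script is an added example for this article, not code from ZDNet, SANS or Microsoft. It assumes a hypothetical, simplified log line format ("timestamp src_ip dst_ip dst_port action"), uses constructed sample lines with RFC 5737 test addresses, and takes the window size, threshold and internal address prefix as illustrative defaults.

```python
"""
Detect Spida-style port 1433 scanning and unblocked SQL access in firewall logs.

Added example; the log format is a simplified, hypothetical
"timestamp src_ip dst_ip dst_port action" line, not any product's real output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, RFC 5737 test addresses).
# 198.51.100.7 plays an infected server scanning the 192.0.2.0/24 network.
SAMPLE_LOG = """\
2002-05-20T09:00:01 198.51.100.7 192.0.2.10 1433 ALLOW
2002-05-20T09:00:02 198.51.100.7 192.0.2.11 1433 ALLOW
2002-05-20T09:00:02 198.51.100.7 192.0.2.12 1433 DROP
2002-05-20T09:00:03 198.51.100.7 192.0.2.13 1433 ALLOW
2002-05-20T09:00:03 198.51.100.7 192.0.2.14 1433 DROP
2002-05-20T09:00:04 203.0.113.5 192.0.2.10 80 ALLOW
2002-05-20T09:00:05 192.0.2.20 192.0.2.10 1433 ALLOW
2002-05-20T09:10:00 198.51.100.7 192.0.2.15 1433 ALLOW
"""

SQL_PORT = 1433
WINDOW = timedelta(minutes=5)   # illustrative sliding window
THRESHOLD = 4                   # distinct 1433 targets within WINDOW to flag


def parse_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "action": action,
        }
    except ValueError:
        return None


def find_1433_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: max_distinct_targets} for sources that reach
    `threshold` distinct destinations on port 1433 inside any sliding
    window of length `window`. Both ALLOW and DROP lines count: a scanner
    is a scanner whether or not the firewall let the probe through."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["port"] == SQL_PORT:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    scanners = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end, (ts, _dst) in enumerate(hits):
            # Slide the window start forward until it fits inside `window`.
            while ts - hits[start][0] > window:
                start += 1
            distinct = {d for _, d in hits[start:end + 1]}
            if len(distinct) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(distinct))
    return scanners


def unblocked_sql_from_outside(log_text, internal_prefix="192.0.2."):
    """List (src, dst) pairs where an external source was ALLOWed to
    port 1433; each is a gap against the 'block 1433' recommendation."""
    gaps = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["port"] == SQL_PORT and rec["action"] == "ALLOW"
                and not rec["src"].startswith(internal_prefix)):
            gaps.append((rec["src"], rec["dst"]))
    return gaps


if __name__ == "__main__":
    for src, n in find_1433_scanners(SAMPLE_LOG).items():
        print(f"possible 1433 scanner {src}: {n} distinct hosts within {WINDOW}")
    for src, dst in unblocked_sql_from_outside(SAMPLE_LOG):
        print(f"external host {src} was allowed to reach {dst}:1433")
```

On the constructed sample the scanner check flags 198.51.100.7 (five distinct targets in a few seconds; the later probe at 09:10 falls outside the window and does not raise the count), while the internal client 192.0.2.20 and the port 80 traffic are ignored. The second check lists the four ALLOWed external connections to 1433, which is exactly the traffic the first prevention step above would block.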

Removal
A few antivirus software companies have updated their sites to include this worm. For more information, see McAfee, Symantec, or Trend Micro.
