
SQL Spida Computer Virus

> Source IP: 203.125.96.38
> Time Zone: UTC
>
> Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
> EventRecord: 6 Dec 2004 02:10:25, 216.37.x.x, 6, 1433, Spida Worm, 2091, 2
> EventRecord: 29 Nov 2004 16:47:13, 195.41.x.x, 6, 1433, Spida Worm, 1434, 4

The above server had the SQL Spida worm propagation script.

The SQL Spida worm propagates via Microsoft SQL Server installations with administrator accounts that have no passwords defined. This worm attempts to locate and log in to Microsoft SQL servers with the "sa" account and a blank password. Once a vulnerable computer is found, the worm will infect that target, send its configuration and password information to an external host, and begin scanning for new targets. The main function of the Spida worm is to export an infected server's SAM password database and forward information about its network and database configuration. Spida scans port 1433 on SQL Server machines, looking for a null sa password. The worm connects to SQL Server and uses the xp_cmdshell procedure to add the Windows Guest account to the local and domain administrators' groups. Spida then propagates by copying files that it uses to attack other machines. Spida also collects various diagnostic and SAM information about the server and sends this information to a defunct email address outside of the United States.
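An added example (not part of the original alert): a Python parser for the event report format quoted above, which re-joins records that were wrapped across lines in forwarding and totals the TCP events aimed at port 1433. The function names are assumptions made for this illustration, and `REPORT` embeds the alert's records in a line-wrapped layout.

```python
import re

# Sample input: the alert's records, wrapped mid-record as forwarded e-mail leaves them.
REPORT = """\
> Source IP: 203.125.96.38
> Time Zone: UTC
>
> Event Date Time, Destination IP, IP Protocol, Target
> Port, Issue
> Description, Source Port, Event Count
> EventRecord: 6 Dec 2004 02:10:25, 216.37.x.x, 6,
> 1433, Spida Worm, 2091, 2
> EventRecord: 29 Nov 2004 16:47:13, 195.41.x.x, 6,
> 1433, Spida Worm,
> 1434, 4
"""

FIELDS = ("time", "dst_ip", "proto", "dst_port", "issue", "src_port", "count")

def parse_report(text):
    """Return (source_ip, records), re-joining records wrapped over several lines."""
    source_ip, chunks, current = None, [], None
    for raw in text.splitlines():
        line = re.sub(r"^\s*>\s?", "", raw).strip()  # drop the quote marker
        if not line:
            current = None                  # a blank line ends any open record
        elif line.startswith("Source IP:"):
            source_ip = line.split(":", 1)[1].strip()
        elif line.startswith("EventRecord:"):
            current = [line.split(":", 1)[1]]
            chunks.append(current)
        elif current is not None:
            current.append(line)            # continuation of a wrapped record
    records = []
    for parts in chunks:
        values = [v.strip() for v in " ".join(parts).split(",")]
        if len(values) == len(FIELDS):      # skip records that do not reassemble
            records.append(dict(zip(FIELDS, values)))
    return source_ip, records

def mssql_scan_summary(text):
    """Summarise TCP (protocol 6) events aimed at port 1433."""
    source_ip, records = parse_report(text)
    hits = [r for r in records if r["proto"] == "6" and r["dst_port"] == "1433"]
    return {
        "source": source_ip,
        "targets": sorted({r["dst_ip"] for r in hits}),
        "events": sum(int(r["count"]) for r in hits),
    }
```

Calling `mssql_scan_summary(REPORT)` yields the reporting source, the distinct destinations it probed on 1433, and the summed event count, which is the minimum needed to open a ticket against the infected host.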

