Table of Contents

Introduction

You may have heard of the Smominru botnet that compromised nearly 90,000 windows computers/servers using EternalBlue exploit and performing brute force attacks on MS-SQL, RDP, Telnet services.

We managed to come across one of these cases, and I would like to share with you how to remove the malware that is restored in the system every time.

The malware itself is stored in the database and because of this antiviruses cannot detect it.

I have already sent the malicious code that we managed to export to some antivirus laboratories, including Microsoft

(Submitted: Aug 11, 2021 9:13:40 PM)

Solution:

1) You need to back up your databases first.

2) You need to disable all unknown accounts on the database server (i.e. ps, ss,syn, etc). If in doubt, check the date on which the accounts were created. 

Note: Leave at least one account with administrator rights enabled.

3) Please check if the following procedure exists:

USE [master]
GO
DROP PROCEDURE [dbo].[sqlStoredProcedure]


USE [msdb]
GO
DROP PROCEDURE [dbo].[sqlload]

And the following assembly:

MSSqlInterface

4) Please check if the following malicious jobs exists:

Bat.exe
dbdotas
dbdotas2
dbdotas3
ftpbacks.exe
pdoors.exe
sqlrca

Note: if there are other unknown jobs, then check the date of its creation. 

5) If they are present and you are sure that they are malicious, then run the following T-SQL script to remove them:

USE [master]
GO
DROP PROCEDURE [dbo].[sqlStoredProcedure]
GO
DROP ASSEMBLY [MSSqlInterface]
GO


USE [msdb]
GO
DROP PROCEDURE [dbo].[sqlload]
GO
DROP ASSEMBLY [MSSqlInterface]
GO

USE [msdb]
GO
EXEC sp_delete_job @job_name = 'Bat.exe';
EXEC sp_delete_job @job_name = 'dbdotas';
EXEC sp_delete_job @job_name = 'dbdotas2';
EXEC sp_delete_job @job_name = 'dbdotas3';
EXEC sp_delete_job @job_name = 'ftpbacks.exe';
EXEC sp_delete_job @job_name = 'pdoors.exe';
EXEC sp_delete_job @job_name = 'sqlrca';

6) In some cases, it is also necessary to reload the SQL Server service to close all processes in the memory.
7) Make sure you have installed the updates according to this article: MS16-136CVE-2020-0618 and CVE-2019-1068
8) Also, don't forget to change all passwords.