SQL.DLL trojan?
Results 1 to 6 of 6

Thread: SQL.DLL trojan?

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    SQL.DLL trojan?

    Here's one that I haven't seen before. Anyone have any info on this?

    Symantec Corp AV 8.1 picks up C:\WINDOWS\SYSTEM32\SQL.DLL as a trojan backdoor.

    I've scanned the machine and peaked around but nothing seems to yield any real clues. The other interesting thing is that the AV sig updates no longer work.

    Before I get myself knee deep in analysis, I figured I try to take a shortcut and see if anyone knows what this is. After all, it is the weekend.

    Thanks

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    King Arana: Super Moderator
    Join Date
    Oct 2002
    Posts
    4,055
    Hrmm, sound's awfully familiar. There are many of those WINDOWS\SYSTEM32\ file name's that get turned around (the file extension, name, etc) to be made into trojan horse application's/backdoor's. This one doesn't sound all to familiar and isn't present on any of my machine's.

    TheHorse: Are you running any MYSQL service's or the like on a webserver or whatnot? That wouldn't answer it completely though, would it? Hrmm.. Ahh it's too early in the morning for me to be thinking . Anyway's, my guess is that it's your common "\System32" trojan if ya catch me.
    Space For Rent.. =]

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Nah, no SQL anything. This is just a standard workstation used for e-mail and word processing.

    I've gone through the basic motions on this thing (process exploring, etc.) but I guess I'll have to do some real digging. I've only seen one reference to this on a French website.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member
    Join Date
    Feb 2004
    Posts
    202
    It's a common .dll for the new nasty CWS to call itself. You may want to run a HijackThis log and see what pops up. Are you experiencing any redirects by any chance?

  5. #5
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    665
    hi

    A while ago my AVG caught a similar file and it called it BackDoor Agent.B something like that ........

    I found this info on how to remove it ....the last post of this thread might be of interest to you

    http://www.computing.net/security/ww...rum/10974.html

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Thanks for all the help gang. After looking a little deeper, (which I didn't want to do on a Saturday) I found that the little bitch is searchx.cc. I manually removed the ****er and all is well in Oz.


    EDIT: I got 3 PMs about this same issue. I had to use Killbox.exe to dump sql.dll at bootup because it just would not shake loose any other way. You can get the proggie from here:

    http://www.downloads.subrantum.org/KillBox.zip

    I also dumped all references to sql.dll from the registry after the above step. This took me about 3 hours to sort out but hey, I can't walk away from things like this.



    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •