-
SQL.DLL trojan?
Here's one that I haven't seen before. Anyone have any info on this?
Symantec Corp AV 8.1 picks up C:\WINDOWS\SYSTEM32\SQL.DLL as a trojan backdoor.
I've scanned the machine and peeked around but nothing seems to yield any real clues. The other interesting thing is that the AV sig updates no longer work.
Before I get myself knee deep in analysis, I figured I'd try to take a shortcut and see if anyone knows what this is. After all, it is the weekend. ;)
Thanks
--TH13
-
Hrmm, sounds awfully familiar. There are many of those WINDOWS\SYSTEM32\ file names that get turned around (the file extension, name, etc.) to be made into trojan horse applications/backdoors. This one doesn't sound all too familiar and isn't present on any of my machines.
TheHorse: Are you running any MySQL services or the like on a webserver or whatnot? That wouldn't answer it completely though, would it? Hrmm.. Ahh, it's too early in the morning for me to be thinking :D. Anyways, my guess is that it's your common "\System32" trojan if ya catch me.
-
Nah, no SQL anything. This is just a standard workstation used for e-mail and word processing.
I've gone through the basic motions on this thing (process exploring, etc.) but I guess I'll have to do some real digging. I've only seen one reference to this on a French website.
-
It's a common .dll for the new nasty CWS to call itself. You may want to run a HijackThis log and see what pops up. Are you experiencing any redirects by any chance?
-
Hi
A while ago my AVG caught a similar file and it called it BackDoor Agent.B, something like that...
I found this info on how to remove it... the last post of this thread might be of interest to you:
http://www.computing.net/security/ww...rum/10974.html
-
Thanks for all the help gang. After looking a little deeper (which I didn't want to do on a Saturday), I found that the little bitch is searchx.cc. I manually removed the ****er and all is well in Oz.
EDIT: I got 3 PMs about this same issue. I had to use Killbox.exe to dump sql.dll at bootup because it just would not shake loose any other way. You can get the proggie from here:
http://www.downloads.subrantum.org/KillBox.zip
I also dumped all references to sql.dll from the registry after the above step. This took me about 3 hours to sort out but hey, I can't walk away from things like this.
:)
--TH13
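The cleanup TH13 describes (a DLL that will not delete while Windows is running, plus leftover registry references) is easier to do safely if you first record what the file is, which processes hold it open, and where the registry points at it. The script below is an added triage example, not from this thread or from any of the tools mentioned in it. It assumes a modern PowerShell (5 or later) run from an elevated session, uses the thread's file name `sql.dll` as its default, and only reports; it deletes nothing, so the reboot-time removal and registry edits remain a deliberate manual step with the evidence in hand.

```powershell
# Added triage example (not from the original thread).
# Assumes: PowerShell 5+, elevated session. Default file name is the thread's sql.dll.
# Reports facts about the flagged file; performs no deletions or registry changes.
param(
    [string]$FileName = 'sql.dll',
    [string]$FilePath = (Join-Path $env:SystemRoot "System32\$FileName")
)

# Hash, timestamps and signature status: capture before anything is removed,
# so the sample can be compared against AV vendor write-ups later.
function Get-FileFacts {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path not present" }
    $item = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Path     = $item.FullName
        Size     = $item.Length
        Created  = $item.CreationTime
        Modified = $item.LastWriteTime
        SHA256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signer   = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
}

# A DLL that "will not shake loose" is usually mapped into a running process;
# listing those processes explains why a reboot-time delete is needed.
function Get-LoadingProcesses {
    param([string]$Name)
    foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq $Name }) {
                [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName }
            }
        } catch {
            # Protected or cross-bitness processes refuse module enumeration; skip them.
        }
    }
}

# Walk the given registry roots and report every value whose data names the file.
function Find-RegistryReferences {
    param([string]$Name, [string[]]$Roots)
    $pattern = [regex]::Escape($Name)
    foreach ($root in $Roots) {
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if ($null -eq $key) { continue }
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                if ($data -match $pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
                }
            }
        }
    }
}

# Autostart and COM registration points where a browser hijacker's DLL is typically wired in.
# CLSID is included because BHO and ShellExecuteHooks entries only list a CLSID;
# the DLL path itself lives under CLSID\{...}\InProcServer32.
$autostartRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\SOFTWARE\Classes\CLSID'
)

Write-Host "== File facts =="
Get-FileFacts -Path $FilePath | Format-List
Write-Host "== Processes with $FileName loaded =="
Get-LoadingProcesses -Name $FileName | Format-Table -AutoSize
Write-Host "== Registry references (autostart and COM registration points) =="
Find-RegistryReferences -Name $FileName -Roots $autostartRoots | Format-Table -AutoSize
```

Run it as `.\Find-DllReferences.ps1` for the thread's case, or `.\Find-DllReferences.ps1 -FileName other.dll` for a different flagged file. The recursive walk of `HKLM:\SOFTWARE\Classes\CLSID` is the slow part and can take a minute on a large system; every key it reports is one the operator should review and, if it is the hijacker's, remove after the file itself has been dealt with.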