SQLckHide.exe and svchost.exe appear to be scanning external IPs for vulnerable SQL servers; it also kills the ADSL connection
Posted on 2004-04-15
I have discovered a hidden program running on our SBS2000 server, hidden in the
e:\recycler\S-1-5-21-1232352603-2125215062-1949299088 directory, that has been killing our broadband
connection since 20:40 on 13/4/04. We have traced it to a svchost program that has somehow been
installed in this location.
Has anybody had this, or does anybody know of it? I have searched the usual Google, Yahoo, Microsoft, Symantec,
Experts Exchange etc. but no joy. This may just be because the file dates are 8/4/04 and it is too
new to appear.
The only way to see the files & folders is to change the view folder options.
A file, 500.bat, contains the following line:
SQLckHide svchost -i IP1.txt -u 1USER.dic -p 2PASS.dic -o Results.txt -t 60
The IP1.txt file contains approx. 200 IP addresses.
1USER.dic contains the SQL username 'sa'.
2PASS.dic contains the password dictionary, very comprehensive.
And the output file Results.exe provides the matched IP address, username and SQL sa password.
Another file, SQLck_Logfile.txt, contains all IP addresses, ports and connection results for all of
the attacked systems.
The system has also created a new service called winlogon that calls the exe at
And the registry has been affected.
This has been added to our system within the last 7 days, although the server has not been
restarted for 11 days.
I have managed to remove the offending beast by changing the service to manual and restarting the
I have a zip of all the offending files prior to deleting.
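The two indicators the post describes (a service registered under a system-process name such as winlogon or svchost, and a binary hidden under a RECYCLER SID folder) lend themselves to a quick triage check over a server's service list. The following script is an added example and is not part of the original post: the service entries are constructed sample data (the SID folder is the one quoted above), and the list of borrowed system-process names and the %SystemRoot%\system32 path rule are assumptions, not a complete set of rules.

```python
"""Triage helper: flag Windows services whose configuration resembles the
fake 'winlogon' service in the post.  Constructed example; the service list
below is sample data, not an export from the affected server."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Core Windows process names that malware commonly borrows (assumed list).
SYSTEM_PROCESS_NAMES = {"svchost", "winlogon", "lsass", "csrss", "services", "spoolsv"}

# A RECYCLER/RECYCLED directory followed by a SID-style folder, e.g.
# e:\recycler\S-1-5-21-...\ : the hiding place reported in the post.
RECYCLER_SID_RE = re.compile(r"\\recycle[rd]\\s-1-\d+(?:-\d+)+\\", re.IGNORECASE)

# Where the real system binaries live (WINNT on Windows 2000, WINDOWS later).
SYSTEM32_RE = re.compile(r"^[a-z]:\\(?:windows|winnt)\\system32\\", re.IGNORECASE)


@dataclass
class Service:
    name: str        # service name as registered in the SCM
    image_path: str  # ImagePath value: executable plus any arguments


def normalize_image_path(raw: str) -> str:
    """Reduce an ImagePath value to the lower-cased executable path."""
    raw = raw.strip()
    if raw.startswith('"'):                   # quoted path, arguments follow
        end = raw.find('"', 1)
        exe = raw[1:end] if end > 0 else raw[1:]
    else:                                     # unquoted: cut after ".exe"
        i = raw.lower().find(".exe")
        exe = raw[: i + 4] if i >= 0 else raw
    return exe.lower()


def suspicious_reasons(svc: Service) -> List[str]:
    """Return the reasons a service looks suspicious (empty list if none)."""
    path = normalize_image_path(svc.image_path)
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if RECYCLER_SID_RE.search(path):
        reasons.append("binary hidden under a RECYCLER SID directory")
    borrowed_name = svc.name.lower() in SYSTEM_PROCESS_NAMES or stem in SYSTEM_PROCESS_NAMES
    if borrowed_name and not SYSTEM32_RE.match(path):
        reasons.append("system-process name but binary outside %SystemRoot%\\system32")
    return reasons


def triage(services: List[Service]) -> Dict[str, List[str]]:
    """Map each flagged service name to its list of reasons."""
    return {s.name: r for s in services if (r := suspicious_reasons(s))}


# Constructed sample: two legitimate entries and two modelled on the post.
SAMPLE_SERVICES = [
    Service("Dnscache", r"C:\WINNT\System32\svchost.exe -k NetworkService"),
    Service("Spooler", r"C:\WINNT\system32\spoolsv.exe"),
    Service("winlogon", r"e:\recycler\S-1-5-21-1232352603-2125215062-1949299088\svchost.exe"),
    Service("svchost", r"C:\Temp\svchost.exe -i IP1.txt"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host the `Service` list would be populated from the SCM (for example by parsing `sc query`/`sc qc` output or the HKLM\SYSTEM\CurrentControlSet\Services keys); the rules are deliberately narrow so that the legitimate svchost-hosted services are not flagged.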