SPIDA

This worm uses several files to accomplish its task.

services.exe - A port scanning utility
sqlexec.exe - Establishes the SQL connection and initiates the xp_cmdshell commands.
clemail.exe - A command line SMTP emailer tool
sqlprocess.js - Calls SQLDIR.JS, IPCONFIG /ALL, and PWDUMP, redirecting the output of each tool to SEND.TXT. The contents of SEND.TXT are placed into the body of an email message and sent to the addresses: "system@digitalspider.org", "system@hiddennet.org", "system@infinityspace.net". The worm attempts to delete the files that it created.
sqlinstall.bat - Creates the NT account as described in the Characteristics section of this description; copies the files mentioned here to the target system, and activates SQLPROCESS.JS on the remote system.
sqldir.js - Tool to display database and table names
run.js - Shell run tool
timer.dll - Contains timer function
samdump.dll - Used by PWDUMP2.EXE
pwdump2.exe - Dumps the SAM database

The worm scans port 1433 on the following IP addresses, and infects systems that are vulnerable:

IP = A.B.C.D where:
A = random number [not equal to 10 or 127 or 172 or 192]
B = random number 0 - 255
C = 1-255
D = 1-254

%WinDir%\system32\drivers\services.exe
%WinDir%\system32\sqlexec.exe
%WinDir%\system32\clemail.exe
%WinDir%\system32\sqlprocess.js
%WinDir%\system32\sqlinstall.bat
%WinDir%\system32\sqldir.js
%WinDir%\system32\run.js
%WinDir%\system32\timer.dll
%WinDir%\system32\samdump.dll
%WinDir%\system32\pwdump2.exe
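
The port 1433 scanning described above can be spotted from the network side. The following Python code is an added example, not part of the original description: it counts distinct TCP/1433 destinations per source host, keeping only destinations that fit the A.B.C.D rule. The flow-record format, the sample records, the function names and the threshold of 5 are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (assumed format: "src dst dst_port proto").
SAMPLE_FLOWS = """\
192.168.1.50 198.51.100.7 1433 tcp
192.168.1.50 198.51.100.8 1433 tcp
192.168.1.50 203.0.113.9 1433 tcp
192.168.1.50 203.0.113.10 1433 tcp
192.168.1.50 198.51.100.11 1433 tcp
192.168.1.50 203.0.113.12 1433 tcp
192.168.1.20 10.0.0.5 1433 tcp
192.168.1.20 10.0.0.5 1433 tcp
192.168.1.30 198.51.100.7 443 tcp
192.168.1.40 198.51.100.7 1433 tcp
192.168.1.40 203.0.113.9 1433 tcp
192.168.1.60 not-an-ip 1433 tcp
truncated record
"""

# First octets the description says the worm never picks.
EXCLUDED_FIRST_OCTETS = {10, 127, 172, 192}


def matches_spida_target(ip):
    """True if ip fits the A.B.C.D rule: A not excluded, C 1-255, D 1-254."""
    a, _b, c, d = ipaddress.IPv4Address(ip).packed
    return a not in EXCLUDED_FIRST_OCTETS and 1 <= c <= 255 and 1 <= d <= 254


def find_scanners(flow_text, threshold=5):
    """Map each source host to its count of distinct TCP/1433 targets that
    fit the rule, keeping hosts at or above threshold (an assumed cut-off)."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst, port, proto = parts
        if port != "1433" or proto.lower() != "tcp":
            continue
        try:
            if matches_spida_target(dst):
                targets[src].add(dst)
        except ipaddress.AddressValueError:
            continue  # skip unparsable destination addresses
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, count in find_scanners(SAMPLE_FLOWS).items():
        print(f"{host}: {count} distinct TCP/1433 targets")
```

In the sample, the repeated connections from 192.168.1.20 to a single server at 10.0.0.5 are not counted, because a first octet of 10 falls outside the rule.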