vbcrayon, posted August 27, 2022:
"A threat (MSIL / Injector.VGR) was found in a file that the SQL Server Windows NT - 64 Bit application tried to access. The file was deleted". I get this alert every time. I scanned the system and could not find any virus. What should I do?
Marcos (Administrators), posted August 27, 2022:
Please provide logs collected with ESET Log Collector for a start.
vbcrayon (Author), posted August 27, 2022:
1 hour ago, Marcos said: Please provide logs collected with ESET Log Collector for a start.
Ok. efsw_logs.zip: Snipped: URL with logs removed.
vbcrayon (Author), posted August 27, 2022:
My problem looks a bit like this one: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/
vbcrayon (Author), posted August 29, 2022:
I updated the SQL to version CU 17 and changed the SA password, but the warnings still persist. For the warning to appear, I just restart the service.
vbcrayon (Author), posted September 23, 2022:
😭
itman, posted September 25, 2022 (edited September 25, 2022):
Refer to this forum thread: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/ . Looks like you have already reviewed it. As I posted there, note the following:
Quote:
However, I would check the below locations for presence of the files listed;
%SystemDrive% \ USERS \ xxxxx \ APPDATA \ ROAMING \ MICROSOFT \ WINDOWS \ START MENU \ PROGRAMS \ STARTUP \ MICROSOFT NET_FRAMEWORK.BAT
%SystemDrive% \ USERS \ xxxxx \ APPDATA \ ROAMING \ MICROSOFT \ GOOGLE \ CHROMEEXTENSIONS \ ADS \ HONEYADS \ EXUPD.EXE

First, make sure that LiveGrid protection is enabled. If this is the same malware, Eset should be able to detect and remove it. It is possible this is a new variant and Eset's existing sig. is not detecting it. Also, the other instance of this was not specifically related to SQL Server Win NT.
Marcos (Administrators), posted September 26, 2022:
Since the threat was created by sqlservr.exe, it's likely that there's a malicious procedure stored in a database. I'd recommend dumping stored procedures and checking if there is a suspicious one.
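
One read-only way to carry out the stored-procedure review suggested above, as an added example that is not part of the original thread and not ESET's or any poster's script. It goes beyond plain stored procedures to startup procedures, Agent job steps and user CLR assemblies, because the detection is an MSIL (.NET) file and the alert follows a service restart. It assumes a sysadmin login and uses only SQL Server's own catalog views.

```sql
-- Added example: read-only triage queries for SQL Server (SSMS or sqlcmd).
-- Assumption: the login is a sysadmin, so every online database is readable.

-- 1. Instance options that let T-SQL run external or .NET code.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'clr enabled', N'xp_cmdshell',
               N'Ole Automation Procedures', N'scan for startup procs');

-- 2. Procedures in master marked to execute each time the service starts.
SELECT SCHEMA_NAME(schema_id) AS schema_name, name, create_date, modify_date
FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 3. SQL Server Agent job steps, most recently modified jobs first.
SELECT j.name AS job_name, j.enabled, j.date_modified,
       s.step_id, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
ORDER BY j.date_modified DESC, s.step_id;

-- 4. Per database: user CLR assemblies, then every non-Microsoft procedure,
--    function and trigger. A NULL definition on a T-SQL object means it was
--    created WITH ENCRYPTION; CLR objects never have a definition.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'
USE ' + QUOTENAME(name) + N';
SELECT DB_NAME() AS db, name, permission_set_desc, create_date, modify_date
FROM sys.assemblies
WHERE is_user_defined = 1;
SELECT DB_NAME() AS db, SCHEMA_NAME(o.schema_id) AS schema_name, o.name,
       o.type_desc, o.create_date, o.modify_date, m.definition
FROM sys.objects AS o
LEFT JOIN sys.sql_modules AS m ON m.object_id = o.object_id
WHERE o.is_ms_shipped = 0
  AND o.type IN (''P'', ''PC'', ''X'', ''FN'', ''IF'', ''TF'', ''FS'', ''FT'', ''TR'', ''TA'')
ORDER BY o.modify_date DESC;'
FROM sys.databases
WHERE state_desc = N'ONLINE';
EXEC sys.sp_executesql @sql;
```

Rows to read first are those with a recent modify_date, an assembly whose permission_set_desc is anything other than SAFE_ACCESS, and any object nobody on the team recognizes.
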
vbcrayon (Author), posted October 10, 2022:
Hi. My dump stored procedures script.txt