Aliases of W32/SQLSlammer.worm include Sapphire (F-Secure), Slammer (F-Secure), New SQL Worm (F-Secure), Worm.SQL.Helkern (F-Secure, AVP), Win32/SQLSlammer.Worm (Computer Associates), WORM_SQLP1434.A (Trend Micro), DDOS_SQLP1434.A (Trend Micro), W32.SQLExp.Worm (Symantec), W32/SQL.Slammer (Central Command), SQL.Slammer (Central Command), Worm.SQL.Slammer (Hauri), W32/SQLSlammer (AVG), Win32.SQLSlammer (Aladdin), SQLSlammer (Panda Software) and W32/SQLSlam-A (Sophos).
W32/SQLSlammer.worm is a worm that is propagating widely across the Internet. It exploits a known vulnerability in Microsoft SQL Server 2000. The worm does not carry a malicious payload, but it does create a large amount of network traffic that could cause a denial of service (DoS) condition, not only in the victim SQL server but also in the network hosting the server.
One characteristic of this worm that is especially noteworthy is that it is memory-resident. The positive aspect of this characteristic is that a user of an infected system can remove the worm simply by rebooting the server. However, a system can easily become reinfected if not patched. The negative aspect is that many antivirus applications fail to detect memory-resident malicious code. As a result, some vendors probably will not issue updates to detect this worm.
The vulnerability is in the SQL Server Resolution Service. An attacker can send a malformed packet to the SQL Server to cause a stack overflow or a DoS condition. Detailed information concerning these vulnerabilities and the patch is available in Alert 4256.
Some sources indicated that the worm could experience a surge in activity during the morning of Monday, January 27, 2003. Increased computer and network activity associated with the beginning of the work week could create conditions favorable to a new outbreak. However, most of the activity will be generated by workstations, not servers. Administrators should review contingency plans in case another large-scale outbreak does occur.
Virus definition updates are unavailable, but workarounds, safeguards and scanning utilities are available to prevent an exploit and restore a system.
The worm does not contain a destructive payload, but it does have an aggressive propagation routine that can significantly impact network performance.
Unpatched systems running SQL Server 2000 prior to Service Pack 3 and the Microsoft Desktop Engine (MSDE) 2000 are vulnerable.
The worm may start the process sqlservr, which could consume 100 percent of CPU resources.
The worm exploits a known vulnerability in the Microsoft SQL Server 2000 Server Resolution service. SQL servers running with Service Pack 2 and prior are vulnerable; the vulnerability was corrected in Service Pack 3.
The worm loads the files kernel32.dll and ws2_32.dll and uses the Windows API function GetTickCount to generate random target IP addresses. The worm sends itself to those addresses. It sends multicast packets, so that a single send command reaches all 254 addresses on a subnet. This allows the worm to spread very quickly. This technique does not produce any bias towards local networks, which might otherwise help to contain the propagation of the worm. The packets contain the following strings:
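The propagation pattern described above (one host emitting a burst of UDP datagrams to port 1434 aimed at many unrelated destination addresses, with no preference for its own subnet) is easy to pick out in firewall or flow logs. The following is an added example, not code from the advisory or from any vendor it cites: it parses a constructed, simplified log format ("<epoch> <src_ip> <dst_ip> <proto> <dst_port> <bytes>"), keeps a sliding time window per source, and flags sources that reach more than a threshold of distinct destinations on UDP/1434 inside that window. The log format, the threshold and the window length are assumptions chosen for the example; the port is the one the advisory names.

```python
from collections import Counter, defaultdict

SQL_RESOLUTION_PORT = 1434        # port of the SQL Server Resolution Service (named in the advisory)
DISTINCT_TARGET_THRESHOLD = 20    # distinct destinations per window; value chosen for this example
WINDOW_SECONDS = 10               # sliding-window length; value chosen for this example


def parse_line(line):
    """Parse one line of the constructed log format:
    '<epoch> <src_ip> <dst_ip> <proto> <dst_port> <bytes>'."""
    ts, src, dst, proto, port, size = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": proto.upper(), "port": int(port), "bytes": int(size)}


def slash24(ip):
    """Return the /24 prefix of a dotted-quad address (used to measure spread across networks)."""
    return ".".join(ip.split(".")[:3])


def find_scanning_hosts(lines, threshold=DISTINCT_TARGET_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: {"distinct_targets": n, "distinct_nets": m}} for every source that sent
    UDP datagrams to port 1434 at more than `threshold` distinct destinations within any
    `window`-second interval. `distinct_nets` counts the /24 prefixes among those
    destinations, which grows quickly for a worm that picks targets at random."""
    by_src = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if rec["proto"] == "UDP" and rec["port"] == SQL_RESOLUTION_PORT:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()                 # time order, so the window can slide forward
        in_window = Counter()         # destination -> number of datagrams inside the window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # drop events older than `window` seconds relative to the newest one
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            distinct = len(in_window)
            if distinct > threshold:
                nets = len({slash24(d) for d in in_window})
                prev = flagged.get(src)
                if prev is None or distinct > prev["distinct_targets"]:
                    flagged[src] = {"distinct_targets": distinct, "distinct_nets": nets}
    return flagged


def sample_log():
    """Constructed sample data: 25 UDP/1434 datagrams from 10.0.0.5 to scattered
    addresses within two seconds (worm-like), three legitimate resolution queries
    from 10.0.0.9 to its one SQL server, and an ordinary TCP/1433 connection."""
    lines = []
    worm = "10.0.0.5"
    for i in range(25):
        # spread destinations across different first octets (constructed, not real targets)
        dst = f"{(37 * i) % 223 + 1}.{(91 * i) % 256}.{(13 * i) % 256}.{(7 * i) % 254 + 1}"
        lines.append(f"{1043600000 + i // 13} {worm} {dst} UDP 1434 400")
    for i in range(3):
        lines.append(f"{1043600000 + 3 * i} 10.0.0.9 10.0.0.20 UDP 1434 60")
    lines.append("1043600001 10.0.0.9 10.0.0.20 TCP 1433 1500")
    return lines


if __name__ == "__main__":
    for src, info in find_scanning_hosts(sample_log()).items():
        print(f"{src}: {info['distinct_targets']} distinct UDP/1434 targets "
              f"in {info['distinct_nets']} distinct /24 networks")
```

Only the constructed worm-like host is reported; the client that repeatedly queries a single SQL server on port 1434 is not, which is the distinction a practitioner needs before deciding to block the port outright.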
The worm exists only in the memory of the infected machine, and it can be removed by rebooting the machine.
Microsoft has released a number of patches to correct SQL Server vulnerabilities. The sequence in which these patches have been installed determines which patch to install next. If administrators have not installed any of the patches, they are advised to install the latest cumulative patch found in MS02-061. Customers who have applied only the cumulative patch released in the original MS02-061 should apply the supplementary patch issued in Microsoft Knowledge Base article 317748. Administrators who have installed the original cumulative patch and the supplementary patch on their systems are fully patched and do not need to take further action.
This worm is memory-resident and does not create any files or make registry modifications to the infected system. The design of this worm is to propagate across SQL servers. This worm is spreading quickly and has significantly affected the network through its propagation method. Administrators are advised to install the patch provided in Alert 4256 and reboot the SQL Server.
The vulnerability that W32/SQLSlammer.worm exploits also affects Microsoft Desktop Engine (MSDE) 2000. There have been no reports that systems running MSDE 2000 have been exploited by the worm, but the worm may be able to infect these systems. In addition, there are several applications that may silently install Microsoft SQL Server or MSDE 2000. Users can determine if they are running SQL Server or MSDE by looking for an icon in the System Tray that looks like a computer with a white circle and a green "Play" button on it.
A reference to the Chinese hacker group Honker in the code of the worm has led to speculation that the Chinese group is responsible for W32/SQLSlammer.worm. The worm reportedly started its propagation routine in Hong Kong and quickly spread to South Korea, lending some credibility to the speculation.
Administrators are encouraged to install the available Microsoft patches or SQL Server 2000 Service Pack 3.
Blocking packets on port 1434 can limit propagation; however, completely blocking the port may prevent the system from functioning properly if the port is needed to send or receive information. Support issues could occur because port 1434 provides name resolution for the SQL server.
The Aladdin Virus Alert for Win32.SQLSlammer is available at the following link: Virus Alert
The AVG Virus Description for W32/SQLSlammer is available at the following link: Virus Description
The AVP Virus Alert for Worm.SQL.Helkern is available at the following link: Virus Alert
The Central Command Virus Answer for W32/SQL.Slammer is available at the following link: Virus Answer
The Computer Associates Virus Threat and cleaning utility for Win32/SQLSlammer.Worm are available at the following link: Computer Associates
The F-Secure Virus Description for Slammer is available at the following link: Virus Description
The Hauri Virus Description for Worm.SQL.Slammer is available at the following link: Virus Description
Hewlett-Packard has released a security advisory for registered users at the following link: HPSBGN0302. Hewlett-Packard recommends installing the latest Microsoft SQL Server 2000 Service Pack 3 to prevent an attack.
The McAfee Virus Description for W32/SQLSlammer.worm is available at the following link: Virus Description. The cleaning utility, stinger.exe, from McAfee to detect and clean W32/SQLSlammer.worm and other worms is available at the following link: Stinger.exe
The Panda Software Virus Description for SQLSlammer is available at the following link: Virus Description
The RAV Virus Description for Win32/SQLSlammer.worm is available at the following link: Virus Description
The Sophos Virus Analysis for W32/SQLSlam-A is available at the following link: Virus Analysis
The Symantec Security Response for W32.SQLExp.Worm is available at the following link: Security Response. The Symantec removal tool for W32.SQLExp.Worm is available at the following link: W32.SQLExp.Worm Removal Tool
The Trend Micro Virus Advisory for WORM_SQLP1434.A is available at the following link: Virus Advisory. The Trend Micro System Cleaner (TSC), as well as updated definitions for the cleaner, can be downloaded at the following link: TSC
Microsoft has released two patches that correct the vulnerability exploited by the worm. The first is MS02-039, released July 24, 2002. The second patch, MS02-061 (released October 16, 2002), supersedes the MS02-039 patch. Microsoft has re-released MS02-061. The patch now incorporates a patch released in Microsoft Knowledge Base article 317748. This patch corrects an operational issue with the original patch. The new cumulative patch also includes an installer that automatically copies SQL Server files onto the system. The previous patch required the administrator to copy these files manually. The vulnerability is also corrected in SQL Server 2000 Service Pack 3, which is available at the following direct-download link: SQL Server 2000 SP3. Microsoft has also released an alert concerning the worm at the following link: Microsoft PSS Alert
Cisco has released mitigation recommendations for the worm at the following link: Cisco