Threat Encyclopedia

SQLSLAMMER.A

Malware type: Worm

Aliases: W32/SQLSlammer.worm (McAfee), W32.SQLExp.Worm.dump (Symantec), Worm/Sql.Slammer.dmp (Avira), W32/SQLSlam-A (Sophos)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 
Update - January 30, 2003 - The alert status of SQLSLAMMER.A has been lowered from high risk to medium risk, due to a decrease in the number of incidents reported.

This worm targets systems running Microsoft SQL Server 2000. An infected SQL Server sends the malicious packet to other SQL Servers, and the resulting traffic causes a slowdown, or even failure, of the affected network.

The code that carries out the denial-of-service attack resides only in the memory of affected Microsoft SQL servers; there are no file counterparts. Because of this, antivirus scanners that do not support memory scanning will not be able to detect the code. There is no pattern file required.

Machines with an unpatched installation of the Microsoft SQL Server 2000 Desktop Engine (MSDE) are also vulnerable to this malware. MSDE is based on core SQL Server technology and runs on the following platforms:

  • Windows 98
  • Windows ME
  • Windows NT 4.0
  • Windows 2000 Professional

This worm does not drop files or send copies of itself via email, which is the usual worm routine.

Description created: Jan. 25, 2003 2:45:26 AM GMT -0800
Description updated: Jan. 30, 2003 9:24:41 AM GMT -0800


TECHNICAL DETAILS


Details:

The worm code only resides in memory, and there are no file counterparts. Because of this, antivirus scanners that do not support memory scanning will not be able to detect the code.

An attacker starts the infection by using a separate program to send the crafted packet to one or more potentially vulnerable servers; from then on the worm propagates on its own, with no further involvement from the attacker.

Buffer Overflow in SQL Server 2000

The worm exploits a stack buffer overflow in the SQL Server 2000 Resolution Service (the vulnerability Microsoft addressed in security bulletin MS02-039 in July 2002) to execute its code on affected servers. Vulnerable machines are Microsoft SQL Server 2000 installations without Service Pack 3 or the MS02-039 hotfix applied.

UDP port 1434, the SQL Server Resolution Service port, provides a way for clients to ask which network endpoint (TCP port or named pipe) to use for a particular named SQL Server instance on a host.

For additional information on the vulnerability that this malware exploits, refer to this article: Customer Update on the "Slammer" Virus Attack.

Worm Ability

When executed, the code enters an infinite loop in which it generates pseudo-random IP addresses (the generator is seeded from GetTickCount) and sends a copy of itself, as a single UDP packet, to port 1434 of each address using the Winsock socket and sendto calls.

If a vulnerable SQL Server receives this packet, the overflow hands control to the worm code carried in the packet, and the newly infected server immediately starts the same loop. This furthers the propagation of the worm.
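The request format and the length condition described above can be checked on the wire. The following is an added example for this page, not code from the original entry, from Microsoft or from Trend Micro: it parses raw UDP datagrams, examines those destined for port 1434, and flags type 0x04 Resolution Service requests whose instance-name field is overlong or never NUL-terminated, which is what the Slammer packet looks like. The assumptions not stated on the page are that a type 0x04 request carries a NUL-terminated instance name right after the type byte, that MAX_INSTANCE_NAME (16) is a reasonable ceiling for a legitimate name, and that the sample datagrams are constructed by hand rather than captured.

```python
"""Heuristic check for SQL Server Resolution Service (UDP/1434) requests that
overrun the instance-name field, the condition the Slammer packet abuses.

Added example for this page; it is not code from the original entry or from
Microsoft or Trend Micro. Assumptions not stated on the page: an SSRS request
of type 0x04 carries an instance name immediately after the type byte,
terminated by a NUL; a legitimate instance name is short (MAX_INSTANCE_NAME
is an assumed ceiling); the sample datagrams below are constructed by hand.
"""
import struct

SSRS_PORT = 1434
SSRS_REQ_INSTANCE = 0x04          # request type whose handler overflowed (MS02-039)
MAX_INSTANCE_NAME = 16            # assumed: anything longer is treated as hostile
UDP_HDR = struct.Struct("!HHHH")  # src port, dst port, length, checksum


def build_udp(src_port, dst_port, payload):
    """Assemble a raw UDP datagram; the checksum is left zero (not verified here)."""
    return UDP_HDR.pack(src_port, dst_port, UDP_HDR.size + len(payload), 0) + payload


def parse_udp(datagram):
    """Split a raw UDP datagram into header fields and payload."""
    if len(datagram) < UDP_HDR.size:
        raise ValueError("truncated UDP header")
    src, dst, length, _csum = UDP_HDR.unpack_from(datagram)
    if length < UDP_HDR.size or length > len(datagram):
        raise ValueError("UDP length field inconsistent with datagram size")
    return {"src_port": src, "dst_port": dst, "payload": datagram[UDP_HDR.size:length]}


def classify_ssrs(payload):
    """Classify an SSRS payload.

    Returns 'empty', 'other-request' (a type this check does not inspect),
    'benign' (type 0x04 with a short, NUL-terminated name) or
    'overlong-instance-name' (type 0x04 whose name exceeds MAX_INSTANCE_NAME
    or never terminates, as in the 376-byte Slammer payload).
    """
    if not payload:
        return "empty"
    if payload[0] != SSRS_REQ_INSTANCE:
        return "other-request"
    body = payload[1:]
    end = body.find(b"\x00")
    name_len = len(body) if end == -1 else end
    if name_len > MAX_INSTANCE_NAME:
        return "overlong-instance-name"
    return "benign"


def inspect(datagram):
    """Classify one raw UDP datagram; only traffic to UDP/1434 is examined."""
    hdr = parse_udp(datagram)
    if hdr["dst_port"] != SSRS_PORT:
        return "not-ssrs"
    return classify_ssrs(hdr["payload"])


def summarize(datagrams):
    """Count verdicts over a batch, e.g. one capture window on a segment."""
    counts = {}
    for d in datagrams:
        v = inspect(d)
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed samples (not captured traffic).
BENIGN_QUERY = build_udp(49152, SSRS_PORT, b"\x04MSSQLSERVER\x00")
ENUMERATE = build_udp(49153, SSRS_PORT, b"\x03")            # other SSRS request type
DNS_LOOKUP = build_udp(49154, 53, b"\x00" * 12)              # unrelated traffic
# Slammer-like: 0x04 followed by 375 bytes with no NUL, 376-byte payload in total.
SLAMMER_LIKE = build_udp(49155, SSRS_PORT, b"\x04" + b"\x01" * 375)

if __name__ == "__main__":
    for name, dgram in [("benign", BENIGN_QUERY), ("enumerate", ENUMERATE),
                        ("dns", DNS_LOOKUP), ("slammer-like", SLAMMER_LIKE)]:
        print(f"{name:13s} -> {inspect(dgram)}")
    print(summarize([BENIGN_QUERY, ENUMERATE, DNS_LOOKUP, SLAMMER_LIKE]))
```

The check deliberately keys on the overflow condition (an instance name longer than the service ever expects) rather than on bytes of one worm's code, so a repacked variant carrying different code after the 0x04 byte is still flagged; the cost is that a single overlong name from a misbehaving client is reported the same way, which is the right outcome for a field that should never be that long.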

Denial of Service

The worm continuously sends a large number of packets to UDP port 1434 of the randomly generated addresses. Once many hosts on a network are infected, this traffic saturates links and causes a denial of service, which results in a slowdown, or even failure, of the affected network. When a generated address happens to be a subnet broadcast address (for example, a.b.c.0 or a.b.c.255 on a /24 network), every host on that subnet receives the worm's packet, which further accelerates the spread.

Other Details

The worm code contains the following strings, stored in 4-byte pieces that become readable when re-arranged:

  • kernel32.dll
  • GetTickCount
  • ws2_32.dll
  • socket
  • sendto

Revision History:

First pattern file version: 1.546.25
First pattern file release date: May 27, 2003

SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.700.06

Pattern release date: Jun 22, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

IMPORTANT: Users of Trend Micro PC-cillin Internet Security and Network VirusWall should check if their products have updated to CFW/NVP pattern 10140 or later.

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Engine and Template.

Blocking UDP Port 1434

As a workaround, system administrators can block UDP port 1434 at the network perimeter to prevent external attackers from exploiting this vulnerability. Two caveats apply: blocking inbound traffic alone does not stop an already-infected host inside the network from scanning other internal hosts, so outbound UDP 1434 should be blocked as well and the port should be filtered between internal segments where possible. Also, because the worm code lives only in memory, restarting the SQL Server service (or rebooting) removes it, but an unpatched server is reinfected within seconds once it is reachable again, so the service must be patched or the port blocked before it is brought back online.

Recommendation

This malware exploits known vulnerabilities in Microsoft SQL Server 2000. For patch link and more information on this vulnerability, refer to the Microsoft article, Customer Update on the "Slammer" Virus Attack.

