The worm code only resides in memory, and there are no file counterparts. Because of this, antivirus scanners that do not support memory scanning will not be able to detect the code.
The code can be unleashed by an attacker through a program that initially sends out the packets to potentially vulnerable servers.
Buffer Overflow in SQL Server 2000
The worm exploits a buffer overflow vulnerability in the SQL Server 2000 Resolution Service, which allows it to execute its code arbitrarily on affected servers. Vulnerable machines include Microsoft SQL Server 2000 installations that have not been patched with Service Pack 3.
UDP port 1434, the SQL Server Resolution Service port, provides a way for clients to query for the appropriate network endpoints to use for a particular SQL Server instance.
For additional information on the vulnerability that this malware exploits, refer to this article: Customer Update on the "Slammer" Virus Attack.
When executed, the code enters an infinite loop wherein it randomly generates IP addresses and sends itself to them in packets containing the code. It uses socket commands to connect and send the packets to UDP port 1434 of the IP addresses.
If a vulnerable SQL Server receives this packet, the code may be arbitrarily executed. This furthers the propagation of the worm code.
Denial of Service
When the malware continuously sends out a large number of packets to vulnerable SQL Servers, it causes a Denial of Service that results in slowdown, or even failure, of the affected network. This happens when a randomly generated IP address corresponds to a broadcast address (e.g., a.b.c.0 or a.b.c.255), causing all hosts on that network to receive the worm's packet. This enables the worm to spread rapidly over the network.
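The propagation and Denial of Service behaviour described above (random destination addresses, UDP port 1434, broadcast-style targets) can be turned into a simple network-side detection. The following is an added example, not code from the original write-up: it runs a heuristic over constructed flow records and flags a source that fans out to many distinct hosts on UDP/1434, plus any packets aimed at a.b.c.0 or a.b.c.255 addresses. The fan-out threshold and the sample flows are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

SQL_RESOLUTION_PORT = 1434   # UDP port of the SQL Server Resolution Service (from the page)
SCAN_THRESHOLD = 5           # assumed: distinct UDP/1434 destinations per source before alerting

# Constructed sample flow records: (src_ip, dst_ip, proto, dst_port).
# 10.0.0.5 behaves like the worm (random targets, two broadcast-style hits);
# 10.0.0.9 is a normal client resolving one SQL instance plus unrelated TCP traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7",   "udp", 1434),
    ("10.0.0.5", "192.0.2.255",   "udp", 1434),
    ("10.0.0.5", "203.0.113.88",  "udp", 1434),
    ("10.0.0.5", "198.51.100.0",  "udp", 1434),
    ("10.0.0.5", "203.0.113.200", "udp", 1434),
    ("10.0.0.9", "10.0.0.20",     "udp", 1434),
    ("10.0.0.9", "203.0.113.255", "tcp", 80),
]


def is_broadcast_like(ip):
    """True for addresses ending in .0 or .255, the a.b.c.0 / a.b.c.255 pattern
    named on the page. This assumes /24 networks; other prefix lengths have
    different broadcast addresses and would need subnet knowledge."""
    return int(ip_address(ip)) & 0xFF in (0, 255)


def detect_slammer_like(flows, scan_threshold=SCAN_THRESHOLD):
    """Return sources that fan out to many UDP/1434 targets and any UDP/1434
    packets sent to broadcast-style addresses. Only UDP to port 1434 is
    considered; a legitimate client resolving one instance stays below the
    fan-out threshold and is not reported."""
    targets = defaultdict(set)
    broadcast_hits = []
    for src, dst, proto, dport in flows:
        if proto != "udp" or dport != SQL_RESOLUTION_PORT:
            continue
        targets[src].add(dst)
        if is_broadcast_like(dst):
            broadcast_hits.append((src, dst))
    scanners = sorted(s for s, dsts in targets.items() if len(dsts) >= scan_threshold)
    return {"scanners": scanners, "broadcast_hits": broadcast_hits}


if __name__ == "__main__":
    print(detect_slammer_like(SAMPLE_FLOWS))
```

On the sample flows only 10.0.0.5 is reported, with its two broadcast-style destinations; the single lookup from 10.0.0.9 is ignored.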
The worm code contains these noticeable text strings, when re-arranged:
The packet containing the code can be unleashed by an attacker through a program that initially sends out the packets to potentially vulnerable systems.
Unpatched machines installed with the Microsoft SQL Server 2000 Desktop Engine (MSDE) are also vulnerable to this malware. MSDE is based on core SQL Server technology and runs on the following platforms:
- Windows 98
- Windows ME
- Windows NT 4.0
- Windows 2000 Professional