Symantec Singapore
 global sites
products
purchase
service and support
security updates
downloads
about symantec
search
feedback


© 1995-2006 Symantec Corporation.
All rights reserved.
Legal Notices
Privacy Policy
press centre

W32.SQLExp.Worm

SINGAPORE -- January 27, 2002

Name: W32.SQLExp.Worm SQL Slammer Worm [ISS], DDOS.SQLP1434.A [Trend], W32/SQLSlammer [McAfee]
Type: Worm
Infection Length: 376 bytes
Systems Affected: Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Windows 95, Windows 98, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX, Linux
CVE References: CAN-2002-0649
SQL Worm - Level 3

Background:
Symantec Security Response's DeepSight TMS Team traced an increase in traffic directed against port 1434, which is associated with the Microsoft SQL Server Monitor.

Initial reports indicate the following vulnerabilities to be associated with the attack (both vulnerabilities were reported to TMS customers during July 2002): Microsoft SQL Server 2000 Resolution Service Heap Overflow Vulnerability http://online.securityfocus.com/bid/5310.

Microsoft SQL Server 2000 Resolution Service Stack Overflow Vulnerability http://online.securityfocus.com/bid/5311

Initial evidence also indicates that this traffic is related to a new worm that is compromising vulnerable SQL servers. Within the last two hours the TMS team tracked more than 20,000 unique systems originating activity -- up from zero. There are also indications that this worm creates DDoS activity as a result of the traffic created by the worm as it tried to propagate.

The Symantec Security Response team is currently analyzing the packet to determine worm activity.

Additional Background:
Symantec Security Response has determined that the SQL Worm is similar to CodeRed in that the worm associated with the new threat is only resident in memory -- there are no files associated with it.

The SQL worm is a significant threat; however, Symantec Security Response believes activity will not rise to the level of CodeRed since the SQL worm targets only SQL servers.

CodeRed was a much bigger threat since it targeted IIS servers, which had a much larger customer base. IIS servers are included in many Windows Operating Systems.

The SQL server is a SQL database server that needs to be manually installed. Thus the SQL server will on be on intended systems only, unlike the IIS servers which are installed as a default.

W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port. Beginning at 5:31am GMT, we started to see a significant increase in the unique number of source IPs scanning for UDP port 1434. Symantec Security Response highly recommends all users of either Microsoft SQL Server 2000 or MSDE 2000 audit their machines for the vulnerabilities referred to in the Microsoft advisory at

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp., and install the patch referred to by

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp.

Symantec Security Response also recommends configuring perimeter devices to block UDP traffic to port 1434 from untrusted hosts.

Symantec Security Response is currently developing a removal tool for W32.SQLExp.Worm. Because the worm is only resident in memory, and is not written to disk, this threat is not detectable using virus definitions. Customers are recommended to follow the measures described above in order to deal with this threat.

The worm has the unintended payload of performing a Denial of Service due to the large number of packets it sends out.

Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization.

Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them.

Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.