W32.SQLExp.Worm

Risk Level 2: Low

Discovered:
January 24, 2003
Updated:
February 13, 2007 11:42:35 AM
Also Known As:
SQL Slammer Worm [ISS], DDOS.SQLP1434.A [Trend], W32/SQLSlammer [McAfee], Slammer [F-Secure], Sapphire [eEye], W32/SQLSlam-A [Sophos]
Type:
Worm
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References:
CAN-2002-0649

W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000 or Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service port.

The worm has the unintended payload of performing a Denial of Service attack due to the large number of packets it sends.

Symantec Security Response strongly recommends that all users of Microsoft SQL Server 2000 or MSDE 2000 audit their computers for the vulnerabilities described in Microsoft Security Bulletin MS02-039 and Microsoft Security Bulletin MS02-061.

Symantec Security Response also recommends that you:
  • Configure perimeter devices to block ingress UDP traffic to port 1434 from untrusted hosts.
  • Block egress UDP traffic from your network to destination port 1434.
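
To check whether the two filtering recommendations above are actually holding, the following added example (not Symantec's code) audits flow records for UDP port 1434 traffic crossing the perimeter and flags internal hosts that send 376-byte datagrams to many distinct destinations. The record format, the 10.0.0.0/8 internal range, the reading of 376 bytes as the UDP payload length, and the fan-out threshold are all assumptions made for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

SSRS_PORT = 1434   # SQL Server Resolution Service port named in the writeup
WORM_LEN = 376     # byte count the writeup gives (assumed here: UDP payload length)

# Constructed sample flow records: src, dst, proto, dport, payload_len
SAMPLE_FLOWS = """\
10.0.5.20,198.51.100.7,udp,1434,376
10.0.5.20,203.0.113.44,udp,1434,376
10.0.5.20,192.0.2.91,udp,1434,376
10.0.8.3,10.0.9.10,udp,1434,1
203.0.113.9,10.0.9.10,udp,1434,376
10.0.8.3,198.51.100.7,udp,53,40
10.0.8.4,198.51.100.7,tcp,1434,376
"""

def audit_flows(text, internal="10.0.0.0/8", trusted=(), fanout=3):
    """Classify UDP/1434 flows against the ingress and egress recommendations."""
    net = ipaddress.ip_network(internal)
    trusted = {ipaddress.ip_address(t) for t in trusted}
    ingress, egress = [], []
    worm_dsts = defaultdict(set)
    for row in csv.reader(text.splitlines()):
        if len(row) != 5:
            continue  # skip blank or malformed records
        src, dst, proto, dport, plen = row
        if proto.lower() != "udp" or int(dport) != SSRS_PORT:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in net and d in net and s not in trusted:
            ingress.append((src, dst))   # should have been dropped at the perimeter
        elif s in net and d not in net:
            egress.append((src, dst))    # should have been dropped leaving the network
        if s in net and int(plen) == WORM_LEN:
            worm_dsts[src].add(dst)
    # Internal hosts sending worm-sized datagrams to many distinct targets
    suspects = sorted(h for h, dsts in worm_dsts.items() if len(dsts) >= fanout)
    return {"ingress": ingress, "egress": egress, "suspects": suspects}

if __name__ == "__main__":
    for key, value in audit_flows(SAMPLE_FLOWS).items():
        print(key, value)
```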


For more information on the SQL outbreak, refer to the Web cast at: https://enterprisesecurity.symantec.com/Content/webcastarchive.cfm?SSL=YES&EID=0&webcastID=45.


Removal Tool
Symantec has provided a tool to remove infections of W32.SQLExp.Worm. Click here to obtain the tool. Try this tool first, as it is the easiest way to remove this threat. Because the worm resides in memory only and is not written to disk, the virus definitions do not detect this threat. Symantec Security Response recommends that you follow the measures described in this document to deal with this threat.

Please refer to the Technical Details section below for information on how to configure the Symantec products to detect this threat.




http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0649

http://www.cert.org/advisories/CA-2002-22.html

http://online.securityfocus.com/bid/5310

http://online.securityfocus.com/bid/5311

http://www.microsoft.com/technet/security/bulletin/ms02-039.asp

http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml

Antivirus Protection Dates

  • Initial Rapid Release version January 25, 2003
  • Latest Rapid Release version November 16, 2014 revision 037
  • Initial Daily Certified version January 25, 2003
  • Latest Daily Certified version November 17, 2014 revision 001
  • Initial Weekly Certified release date pending

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Medium
Writeup By: Douglas Knowles
