W32.SQLExp.Worm


Risk Level 2: Low

January 24, 2003
February 13, 2007 11:42:35 AM
Also Known As:
SQL Slammer Worm [ISS], DDOS.SQLP1434.A [Trend], W32/SQLSlammer [McAfee], Slammer [F-Secure], Sapphire [eEye], W32/SQLSlam-A [Sophos]
Systems Affected:
CVE References:

W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service port.

The worm has the unintended payload of performing a Denial of Service attack due to the large number of packets it sends.

Symantec Security Response strongly recommends that all users of either Microsoft SQL Server 2000 or MSDE 2000 audit their computers for the vulnerabilities referred to in Microsoft Security Bulletin MS02-039 and Microsoft Security Bulletin MS02-061.

Symantec Security Response also recommends that you:
  • Configure perimeter devices to block ingress UDP traffic to port 1434 from untrusted hosts.
  • Block egress UDP traffic from your network to destination port 1434.
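
The two filtering recommendations above can be checked against flow records. The following is an added example, not Symantec's code: it lists the ingress and egress UDP 1434 flows a perimeter should drop and flags internal hosts fanning out 376-byte datagrams. The flow-record format, the 10.0.0.0/8 internal range, the fan-out threshold, and reading the 376 bytes as UDP payload length are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Values taken from the advisory text.
SSRS_PORT = 1434   # SQL Server Resolution Service port
WORM_LEN = 376     # bytes the worm sends per datagram

# Assumptions for this example: internal address space and fan-out threshold.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
FANOUT_THRESHOLD = 3

# Constructed sample flow records: "time src dst proto dport udp_payload_bytes"
SAMPLE_FLOWS = """\
05:30:01 10.1.2.15 198.51.100.7 udp 1434 376
05:30:01 10.1.2.15 203.0.113.44 udp 1434 376
05:30:01 10.1.2.15 192.0.2.200 udp 1434 376
05:30:02 192.0.2.9 10.1.2.30 udp 1434 376
05:30:02 10.1.2.40 10.1.2.30 udp 1434 12
05:30:03 10.1.2.41 198.51.100.9 udp 53 376
05:30:03 10.1.2.42 198.51.100.9 tcp 1434 376
"""

def analyze(flow_text):
    """Return (ingress_hits, egress_hits, suspected_infected_hosts)."""
    ingress, egress = [], []
    targets = defaultdict(set)  # internal src -> distinct dsts sent 376-byte datagrams
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        _, src, dst, proto, dport, size = fields
        if proto.lower() != "udp" or int(dport) != SSRS_PORT:
            continue
        src_in = ipaddress.ip_address(src) in INTERNAL_NET
        dst_in = ipaddress.ip_address(dst) in INTERNAL_NET
        if dst_in and not src_in:
            ingress.append((src, dst))   # should be dropped inbound at the perimeter
        elif src_in and not dst_in:
            egress.append((src, dst))    # should be dropped outbound at the perimeter
        if src_in and int(size) == WORM_LEN:
            targets[src].add(dst)
    infected = sorted(h for h, d in targets.items() if len(d) >= FANOUT_THRESHOLD)
    return ingress, egress, infected

if __name__ == "__main__":
    ingress, egress, infected = analyze(SAMPLE_FLOWS)
    print("ingress to block:", ingress)
    print("egress to block:", egress)
    print("internal hosts to investigate:", infected)
```
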

For more information on the SQL outbreak, refer to the Web cast at: https://enterprisesecurity.symantec.com/Content/webcastarchive.cfm?SSL=YES&EID=0&webcastID=45.

Removal Tool
Symantec has provided a tool to remove infections of W32.SQLExp.Worm. Click here to obtain the tool. Try this tool first, as it is the easiest way to remove this threat. Because the worm resides in memory only and is not written to disk, the virus definitions do not detect this threat. Symantec Security Response recommends that you follow the measures described in this document to deal with this threat.

Please refer to the Technical Details section below for information on how to configure the Symantec products to detect this threat.








Antivirus Protection Dates

  • Initial Rapid Release version January 25, 2003
  • Latest Rapid Release version January 15, 2018 revision 020
  • Initial Daily Certified version January 25, 2003
  • Latest Daily Certified version January 15, 2018 revision 024
  • Initial Weekly Certified release date pending
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Douglas Knowles
