Office of Information Technology

Security: How-To Guides

SQLSlammer/SQL-Slam-A Worm (01-25-2002)

Summary

Affects:

Windows - SQL Servers

Type: Worm
Threat: Not a threat to client-only machines. The worm attacks SQL Servers, so any server/software with an unpatched SQL server embedded in it is also vulnerable. The most common incarnations are:

  • Microsoft SQL Server 2000
  • Microsoft Desktop Engine (MSDE) 2000

This worm replicates by spraying malformed UDP packets to port 1434. McAfee's report states, "The malformed packet is only 376 bytes long (which is the full worm!) and carries the following strings: 'h.dllhel32hkernQhounthickChGetTf', 'hws2', 'Qhsockf' and 'toQhsend'."
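
The traits quoted above (UDP port 1434, 376 bytes, four strings) can be turned into a simple packet check. This is an added example, not part of the original guide or of any vendor's tool; the function names are hypothetical, the 376-byte figure is assumed to be the UDP payload length, and the sample packets are constructed from filler bytes rather than worm code.

```python
import struct

SLAMMER_PORT = 1434   # UDP port named in the summary
SLAMMER_LEN = 376     # size quoted from McAfee's report (assumed: UDP payload)
MARKERS = [b"h.dllhel32hkernQhounthickChGetTf", b"hws2", b"Qhsockf", b"toQhsend"]

def parse_udp(packet):
    """Return (dst_port, payload) for a raw IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return None                           # bad header, not UDP, or truncated
    _src, dst, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if udp_len < 8:
        return None
    return dst, packet[ihl + 8:ihl + udp_len]

def classify(packet):
    """'match' = port, size and all strings agree; 'suspect' = port plus one trait."""
    parsed = parse_udp(packet)
    if parsed is None or parsed[0] != SLAMMER_PORT:
        return "ignore"
    payload = parsed[1]
    hits = sum(m in payload for m in MARKERS)
    if hits == len(MARKERS) and len(payload) == SLAMMER_LEN:
        return "match"
    if hits or len(payload) == SLAMMER_LEN:
        return "suspect"
    return "ignore"

def build(dst_port, payload):
    """Constructed sample: minimal IPv4 header + UDP header + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload

# Constructed payloads: the quoted strings padded with filler, not worm code.
FULL = b"".join(MARKERS).ljust(SLAMMER_LEN, b"A")
SAMPLES = {
    "all traits": build(1434, FULL),
    "size only": build(1434, b"B" * SLAMMER_LEN),
    "short datagram": build(1434, b"\x02"),
    "other port": build(53, FULL),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15} -> {classify(pkt)}")
```

A "suspect" result means the datagram reached port 1434 with only the size or only some of the strings, which is worth a closer look but is not conclusive on its own.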

Fix:

Download and install appropriate patches, then reboot

Microsoft Data Engine (MSDE) 2000

  • Microsoft SQL Server 2000 and MSDE 2000 Patch (07-17-2002) Outbound Link

SQL Server 2000

  • Microsoft SQL Server 2000 Service Pack 3 (01-17-2003) Outbound Link
  • Microsoft SQL Server 2000 Service Pack 2 (10-03-2002) Outbound Link
  • Microsoft SQL Server 2000 and MSDE 2000 Patch (07-17-2002) Outbound Link
    Note: You must have already installed SQL Server 2000 Service Pack 2 (see above) to use this patch

SQL Server 7.0

  • Microsoft SQL Server 7.0 Patch (10-21-2002) Outbound Link
    Note: You must have already installed SQL Server 7.0 Service Pack 4 Outbound Link to use this patch


Official Releases

Vendor Reports: SQLSlammer

McAfee's report Outbound Link

F-Secure's description Outbound Link
TrendMicro's details Outbound Link
Sophos's analysis Outbound Link
Microsoft's Official Announcements & Press Releases

Buffer Overruns in SQL Server 2000 Resolution Service Could Enable Code Execution (Q323875): Microsoft Security Bulletin (MS02-039) (released: 07-24-2002) Outbound Link

Elevation of Privilege in SQL Server Web Tasks (Q316333): Microsoft Security Bulletin (MS02-061) (released: 01-26-2003) Outbound Link
TechNet PSS Security Response Team Alert - New Worm: W32.Slammer (updated: 01-26-2003) Outbound Link
"Customer Update on the 'Slammer' Worm Attack" (01-26-2003) Outbound Link

Related CVE Entries

Buffer Overruns in SQL Server Resolution Service: CVE-CAN-2002-0649 (candidate:06-28-2002) Outbound Link

Denial of Service via SQL Server Resolution Service: CVE-2002-0650 (assigned:04-22-2003) Outbound Link

More Information

Related Articles
"'Slammer' worm could pick up steam Monday" Outbound Link
CNN.com (01-27-2003)
"Slammer Worm Snarls Global Net Traffic" Outbound Link
ZDNet News (01-27-2003)
FAQs
Sophos FAQ on SQLSlammer worm Outbound Link

What to Do Next

Update McAfee DAT to most recent available
Detect and clean the worm from your system with TrendMicro's System Cleaner



NOTE: " Outbound Link" Indicates a link to an external (non-UMBC)

Last modified: 9/24/2003

Office of Information Technology • Main Office: ECS 125 • Phone: 410-455-3838 • Email: oit@umbc.edu