
How can I protect my system from the Slammer Worm?


The following precautions can be taken to protect vulnerable systems from the Slammer Worm:

  • SQL Servers patched with SP3 are not affected.

    Patches can be found at:
    https://software.rutgers.edu/software/category.php?id=7

  • You can also block external access to the Microsoft SQL Server ports. As a workaround, you can limit your server's exposure to these vulnerabilities (CAN-2002-0649) by restricting external access to Microsoft SQL Servers on ports 1433/tcp, 1433/udp, 1434/tcp, and 1434/udp. Note that the vulnerabilities can be exploited using UDP packets with forged source addresses that appear to belong to legitimate services, so system administrators should restrict all incoming packets sent to 1434/udp.

What is the Slammer worm?


The SQL Server Resolution Service (SSRS) was introduced in Microsoft SQL Server 2000 to provide referral services for multiple server instances running on the same machine. It contains a heap buffer overflow that allows unauthenticated remote attackers to execute arbitrary code by sending crafted requests to port 1434/udp. The code within such a request will be executed by the server host with the privileges of the SQL Server service account.

What systems are vulnerable to the Slammer Worm?


The following systems may be vulnerable to the Slammer Worm:

  • Microsoft SQL Server 2000
  • Microsoft Desktop Engine (MSDE) 2000

SQL Servers patched with Service Pack 3 are not infected.

Patches can be found at:
https://software.rutgers.edu/software/category.php?id=7

What are the symptoms that my system may be infected by the Slammer Worm?

  • Unusually high outgoing traffic from an infected system to port 1434/udp. The worm does not exist as a file on your system, and it creates no INI or registry keys. The MD5 checksum of the worm (376 bytes) is A0AA4A74B70CBCA5A03960DF1A3DC878.
  • The malformed packet is only 376 bytes long (which is the full worm!) and carries the following strings: "h.dllhel32hkernQhounthickChGetTf", "hws2", "Qhsockf" and "toQhsend".
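
The two symptoms above can be checked against captured traffic records. The following is an added example, not part of the original FAQ: the record layout, the thresholds and the function names are assumptions, and the sample payload is a constructed stand-in that contains only the four strings listed above, padded to 376 bytes.

```python
from collections import Counter

SSRS_PORT = 1434   # SQL Server Resolution Service port, UDP (from the FAQ)
WORM_LEN = 376     # size of the worm packet in bytes (from the FAQ)
MARKERS = (b"h.dllhel32hkernQhounthickChGetTf", b"hws2", b"Qhsockf", b"toQhsend")

def matches_slammer(proto, dst_port, payload):
    """True when a datagram fits the FAQ's description of the worm packet."""
    return (proto == "udp" and dst_port == SSRS_PORT
            and len(payload) == WORM_LEN
            and all(m in payload for m in MARKERS))

def suspect_hosts(records, min_hits=3, fanout=3):
    """records: iterable of (src_ip, dst_ip, proto, dst_port, payload).

    Returns {src_ip: reason}. A host is flagged when it sends datagrams that
    match the worm's size and strings, or when it sends 1434/udp traffic to
    many distinct destinations. Both thresholds are assumed values."""
    hits, dests = Counter(), {}
    for src, dst, proto, port, payload in records:
        if proto != "udp" or port != SSRS_PORT:
            continue
        dests.setdefault(src, set()).add(dst)
        if matches_slammer(proto, port, payload):
            hits[src] += 1
    flagged = {}
    for src, seen in dests.items():
        if hits[src] >= min_hits:
            flagged[src] = "payload-match"
        elif len(seen) >= fanout:
            flagged[src] = "fanout"
    return flagged

def constructed_payload():
    # Constructed stand-in: the four strings joined and zero-padded. Not the worm.
    body = b"\x00".join(MARKERS)
    return body + b"\x00" * (WORM_LEN - len(body))

# Constructed sample records (documentation and private address ranges).
SAMPLE = (
    [("10.0.0.5", f"192.0.2.{i}", "udp", 1434, constructed_payload()) for i in range(1, 5)]
    + [("10.0.0.7", "10.0.0.20", "udp", 1434, b"\x02")]   # single short datagram
    + [("10.0.0.8", f"198.51.100.{i}", "udp", 1434, b"\x03") for i in range(1, 4)]
    + [("10.0.0.9", "10.0.0.20", "tcp", 1433, b"")]       # ignored: not 1434/udp
)

if __name__ == "__main__":
    for host, reason in sorted(suspect_hosts(SAMPLE).items()):
        print(host, reason)
```

A payload match is the stronger signal; the fan-out rule only approximates "unusually high outgoing traffic" and should be tuned to the network being monitored.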

How can I remove the Slammer Worm from my system?


If you are using Windows 2000, download and apply at least Service Pack 3 from: https://software.rutgers.edu/software/category.php?id=7, or update your computer using Windows Update. Then, restart the SQL server. This will clear the virus from memory and prevent reinfection.
