Network Associates` anti-virus research division AVERT (Anti-Virus Emergency Response Team), has assigned a high risk assessment to the recently discovered W32/SQL Slammer virus, also known as Slammer. Slammer is a worm that attempts to exploit vulnerabilities on Microsoft SQL 2000 servers by causing increased traffic on UDP port 1434 as it spreads between Microsoft SQL servers. AVERT has received dozens reports of the worm worldwide, and of those reports, hundreds of servers have been affected since its discovery.
Says Christopher Bray, Network Associates regional director of sub-Saharan Africa: " Slammer causes increased traffic on UDP port 1434 and spreads via an exploit in Microsoft SQL 2000 Web servers, which in turn scans the Internet for other SQL servers to infect."
The exploit uses a buffer overflow to gain control on a target server. SQL servers running Service Pack 2 or Service Pack 3 are not affected. Slammer is 376 bytes long and carries the following strings: h.dllhel32hkernQhounthickChGetTf hws2 Qhsockf toQhsend
A cure for this worm can be found online at the Network Associates AVERT site located at http://vil.nai.com/vil/content/v_99992.htm. AVERT recommends users update their systems with Microsoft patches MS02-034 and MS02-039 available on the Microsoft web site at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602 and restart the server. This will clear the virus from memory and prevent reinfection.
Share
AVERT Labs is one of the top-ranked anti-virus research organisations in the world, employing more than 90 researchers in offices on five continents. AVERT protects customers by providing cures that are developed through the combined efforts of AVERT researchers and AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.
Editorial contacts