Panda Software alerts on W32/SQLSlammer

W32/SQLSlammer is a new worm which affects SQL servers

MADRID, January 25, 2003

Panda Software’s Virus Laboratory has detected the appearance of a new worm called SQLSlammer. This malicious code affects SQL servers and sends a 376 bytes package to the port 1434 UDP (SQL Server Resolution Service Port).

In order to send this package which includes the worm W32/SQLSlammer, it opens a netbios port. At the same time, it uses a function to create IP addresses to send this package. Due to this continuous process and the great number of tries it may cause a DoS (Denial of Service) attack

The Panda Software’s Technical Support Department has started receiving incidents caused by SQLSlammer worm. In order to prevent infections, Panda Software recommends SQL systems administrators to check their servers. Should you have been infected, you will have to download and install the latest MS SQL Server Service Pack. You can find more information about this vulnerability and the needed patch in order to avoid this malware at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

The symptoms of SQLSlammer are: increase of the traffic in the port 1434 UDP (SQL Server Resolution Service Port) and the slow down or even a block of the server itself.

About the Panda Software Virus Laboratory
On receiving a possibly infected file, Panda Software’s technical staff gets straight down to work. The file is analyzed and depending on the type of file, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.