SQLSlammer Could Block the Enterprise Activities

New worm SQLSlammer, first discovered last Saturday, takes advantage of a vulnerability in SQL Servers to send Denial of Service attacks against corporate network servers. This worm can spread more easily when companies start their normal activity at the beginning of the week; a few hours after its appearance, thousand of servers were affected.

This worm, which uses a SQL Server vulnerability, looks through the network t find other SQL servers with the same vulnerability and will install itself on them and replicate. Thus, the damage of this malicious code is, basically, a Denial of Service attack, able to cause different effects, such as e-mail service failure, internet communication slowdown and network blocking, among others.

Luis Corrons, Panda Software’s Lab Director explains: ” We strongly recommend to stay on alert in order to prevent the possibility of an attack, it may cause major problems in the communication networks. The first action is to keep informed on how this worm may spread and infect. Additionally, network administrators should know how it works in order to stop its massive distribution. At first look, corporate environments will be the most affected but, since users can install SQL Server 2000 Desktop Engine in 98, Millenium, NT and 2000 Professional, and it is frequently used by home users and software developers, SQLSlammer can infect their computers as well”.

In case the situation worsens, it could hinder corporate activities and create great economical losses, as happened with Red Code infecting 250,000 Internet servers in nine hours, two years ago. These two worms have many common features, as for example, they come from Asia, remain in memory and both send Denial Of Service attacks. Also, it is impossible to spot them with traditional virus detection programs; one of the best solutions is to install MS patch released on July, 24th 2002.

The visible payload of SQLSlammer is a 1434 UDP (SQL Server Resolution Service Port) traffic increase and also a slowdown – or even blocking- of the affected server. Although no visible symptoms were detected, Panda Software recommends taking into consideration the following actions to verify if the worm has affected the network:

1. Check if the Microsoft Patch offered in:
is already installed and, if not, download and install it.

2. Block incoming 1434 UDP (SQL Server Resolution Service Port) port traffic. It can be done through a firewall, router, etc.., depending on the network configuration.

3. Should you were infected, change SQL Server service to “manual” and reboot the computer. This way the worm code will be removed from memory. Then, install MS patch, restart SQL service and set the SQL service to automatic again.

Panda Software’s Virus Laboratory detected yesterday the appearance of this new worm, called SQLSlammer. This malicious code affects SQL servers and sends a 376 bytes package to the 1434 UDP port (SQL Server Resolution Service Port). In order to send this package, which includes the worm W32/SQLSlammer, it uses a function to create IP addresses. Due to this continuous process and the great number of tries it may cause a DoS (Denial of Service) attack.