Lack of Visible Symptoms Increases the Danger of SQLSlammer

Panda Software’s International Tech Support Service is receiving a large number of inquiries about SQLSlammer from across the globe. As this worm does not have any visible symptoms (files, e-mail messages, etc.), it is difficult for users to identify its presence on their systems.

The multinational antivirus developer also highlights that a large number of systems could be exposed to SQLSlammer without network administrators realizing. The reason for this is that many applications use a Microsoft SQL Server component as an add-in. As this malicious code exploits a vulnerability in servers running the Microsoft SQL applications, systems that do not have Service Pack 3 installed can easily fall prey to this virus.

The main applications that use Microsoft SQL Server include: Compaq Insight Manager; Crystal Reports Enterprise; Dell OpenManage; HP Openview Internet Services Monitor; Microsoft .NET Framework SDK; Microsoft Office XP Developer Edition; Microsoft Project; Microsoft Visio 2000; Microsoft Visual FoxPro; Microsoft Visual Studio.NET and Veritas Backup Exec.

In order to check if a server has Microsoft SQL Server installed, follow the steps below:

1) Open a command window in the server.

2) Write the command “netstat -p udp -a”

3) Check if a line of text like the one below appears in the information that is displayed on screen:

UDP server_name:ms-sql-m

This line indicates that the server could be running Microsoft SQL Server and it is, therefore, advisable to install the corresponding update, which is available at:




The main aim of SQLSlammer is to launch denial of service attacks (DoS) against corporate network servers by sending multiple packets containing the worm’s code to port 1434. Its functioning and characteristics are similar to Code Red, which exploited a vulnerability in IIS and could spread very rapidly without leaving any trace in traditional storage devices. According to Computer Economics, in 2001 the impact of Code Red reached 2,970 million euros.

More information about SQLSlammer and other malicious code in Panda Software’s Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/

About Panda Software’s virus laboratory

On receiving a possibly infected file, Panda Software’s technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users