Slammer (Helkern) Worm Epidemic – Events Chronology

It is possible to state with certainty that “Helkern” appeared far before the 25th of January when anti-virus companies first brought it to the attention of the mass media. January 20, 2003 at 19:07 marked the first time data similar to “Helkern” worm copies were detected by Kaspersky Labs. The data was sent from a computer belonging to an U.S.-based Internet service provider. However this doesn’t mean that company’s employees created “Helkern” – most likely their server was remotely infected. Therefore the truth about the virus’s origin might be hiding in the request log-files of that server.

Same day, a bit later, the “Helkern” code was found in a request from a Dutch server. After that the worm did not show up until 20:21 on January 23 when another copy of the worm was registered in the request from another Dutch server. The explosion of “Helkern” activity only occurred early morning January 25. The incubation period for this worm lasted for almost 5 days. During this time this virus infected the critical number of servers, which caused the destructive chain reaction.

According to other data, the epicenter of the worm was based in China from where it sneaked into North Korean and Philippines computer systems. From there it reached the western and central regions of U.S.A., where it then divided into two streams – the first one head to Australia and New Zeeland and the second to Western Europe.

Geographic spread of “Helkern”

Countries Amount of infected servers (as a % of the total number of server infections)
USA 48.4%
Germany 8.2%
South Korea 4.9%
Great Britain 4.9%
Canada 4.9%
China 3.3%
Netherlands 2.7%
Taiwan 2.7%
Greece 2.2%
Sweden 2.2%

As the above table roughly shows, this epidemic reached into almost all counties. This once again proves the inefficiency of the idea to fight with cybernetic weapons such as computer viruses. It has an obvious boomerang property, which makes it inapplicable for military purposes.

Currently – on January 27, the epidemic is practically neutralized and the usual Internet operating capacity has been restored. Copies of “Helkern” are being constantly registered in the network, but its number is hundreds of times lower than at the peak of activity. In general their presence doesn’t influence Internet traffic and doesn’t disturb normal network performance. The neutralization of “Helkern” in many ways was due to the coordinated work of Internet providers, who implemented measures for the filtration of the hazardous data packages sent by “Helkern” and by users who alertly patched on the vulnerability in the security system of Microsoft SQL Server that was being exploited by the “Helkern” worm.