hackfix-virusnews: Virus warning ~ SQL or Slammer worm

  • From: "Christy" <snowz@xxxxxxxxxx>
  • To: hackfix-virusnews@xxxxxxxxxxxxx
  • Date: Wed, 29 Jan 2003 17:07:14 -0500

W32.SQLExp.Worm is a worm that targets systems
running Microsoft SQL Server 2000, as well as
Microsoft Desktop Engine (MSDE) 2000. The worm sends
376 bytes to UDP port 1434, the SQL Server Resolution
Service Port.

Technical information borrowed from:
http://www.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
Removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.removal.tool.html

Reference urls
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SQLP1434.A
http://vil.nai.com/vil/content/v_99992.htm
http://www.norman.com/virus_info/w32_sqlslammer_a.shtml
http://www.avp.ch/avpve/worms/sql/helkern.stm
http://www.commandsoftware.com/virus/slammer.html
http://www.Europe.f-secure.com/v-descs/mssqlm.shtml
http://www.ravantivirus.com/virus/showvirus.php?v=164

Additional informational urls included below

Technical information

When W32.SQLExp.Worm attacks a vulnerable system, it
does the following:

1. Sends itself to the SQL Server Resolution Service,
   which listens on UDP port 1434.
2. Takes advantage of a buffer overflow vulnerability
   that allows a portion of system memory to be
   overwritten. When the worm does this, it runs in the
   same security context as the SQL Server service.
3. Calls the Windows API function, GetTickCount, and
   uses the result as a seed to randomly generate IP
   addresses.
4. Opens a socket on the infected computer and attempts
   to repeatedly send itself to UDP port 1434 on the IP
   addresses it has generated, by using an ephemeral
   source port. Because the worm does not selectively
   attack the hosts in the local subnet, large amounts
   of traffic are the result.

For more information about the vulnerability that
this worm exploits, refer to the following article
at:
http://securityresponse.symantec.com/avcenter/security/Content/2270.html

Additional information:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0649
http://www.cert.org/advisories/CA-2002-22.html
http://online.securityfocus.com/bid/5310
http://online.securityfocus.com/bid/5311
http://www.microsoft.com/technet/security/bulletin/ms02-039.asp
http://www.microsoft.com/technet/security/bulletin/MS02-061.asp
http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml
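
Added example (not part of the original post or of any vendor advisory): one way to spot hosts on your own network that show the traffic pattern described above, i.e. 376-byte datagrams to UDP port 1434 sent to many different addresses. The log layout, the sample records, the function name and the min_targets threshold are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict

SSRS_PORT = 1434        # SQL Server Resolution Service port (from the advisory)
WORM_PAYLOAD_LEN = 376  # bytes the worm sends per datagram (from the advisory)

# Constructed sample records. Assumed column layout:
# time,src_ip,src_port,dst_ip,dst_port,proto,payload_len
SAMPLE_FLOWS = """\
2003-01-29T09:30:01,10.0.5.20,1055,203.0.113.7,1434,udp,376
2003-01-29T09:30:01,10.0.5.20,1055,198.51.100.44,1434,udp,376
2003-01-29T09:30:01,10.0.5.20,1055,192.0.2.200,1434,udp,376
2003-01-29T09:30:02,10.0.5.20,1055,203.0.113.91,1434,udp,376
2003-01-29T09:30:02,10.0.9.8,3012,10.0.5.20,1434,udp,1
2003-01-29T09:30:03,10.0.7.3,1200,10.0.1.1,53,udp,40
2003-01-29T09:30:03,10.0.5.20,1055,bad-line
"""


def find_suspect_sources(flow_text, min_targets=3):
    """Return {src_ip: sorted distinct dst_ips} for hosts that sent
    worm-sized datagrams to UDP 1434 on at least min_targets addresses."""
    targets = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 7:
            continue  # skip malformed or truncated records
        _time, src, _sport, dst, dport, proto, length = row
        try:
            dport, length = int(dport), int(length)
        except ValueError:
            continue  # non-numeric port or length field
        if (proto.lower() == "udp" and dport == SSRS_PORT
                and length == WORM_PAYLOAD_LEN):
            targets[src].add(dst)
    # A single matching datagram is weak evidence; fan-out to many
    # unrelated addresses is what the random IP generation produces.
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_suspect_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {len(dsts)} distinct targets on UDP/{SSRS_PORT}")
```

Hosts reported by this check are candidates for isolation and for the removal tool and patches linked above.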
