W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service Port.

Technical information borrowed from:
http://www.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html

Removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.removal.tool.html

Reference URLs:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SQLP1434.A
http://vil.nai.com/vil/content/v_99992.htm
http://www.norman.com/virus_info/w32_sqlslammer_a.shtml
http://www.avp.ch/avpve/worms/sql/helkern.stm
http://www.commandsoftware.com/virus/slammer.html
http://www.Europe.f-secure.com/v-descs/mssqlm.shtml
http://www.ravantivirus.com/virus/showvirus.php?v=164

Additional informational URLs are included below.

Technical information

When W32.SQLExp.Worm attacks a vulnerable system, it does the following:

Sends itself to the SQL Server Resolution Service, which listens on UDP port 1434.

Takes advantage of a buffer overflow vulnerability that allows a portion of system memory to be overwritten. When the worm does this, it runs in the same security context as the SQL Server service.

Calls the Windows API function, GetTickCount, and uses the result as a seed to randomly generate IP addresses.

Opens a socket on the infected computer and attempts to repeatedly send itself to UDP port 1434 on the IP addresses it has generated, by using an ephemeral source port.

Because the worm does not selectively attack the hosts in the local subnet, large amounts of traffic are the result.

For more information about the vulnerability that this worm exploits, refer to the following article at:
http://securityresponse.symantec.com/avcenter/security/Content/2270.html

Additional information:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0649
http://www.cert.org/advisories/CA-2002-22.html
http://online.securityfocus.com/bid/5310
http://online.securityfocus.com/bid/5311
http://www.microsoft.com/technet/security/bulletin/ms02-039.asp
http://www.microsoft.com/technet/security/bulletin/MS02-061.asp
http://www.cisco.com/warp/public/707/cisco-sa-20030126-ms02-061.shtml
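
One way to find infected hosts from network flow records, using the traits described above (376-byte UDP datagrams to port 1434, sent to many generated addresses). This is an added example, not part of the original advisory or any vendor tool; the flow-record format, the sample addresses, the `min_targets` threshold and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

SSRS_PORT = 1434        # SQL Server Resolution Service port named in the advisory
WORM_PAYLOAD_LEN = 376  # datagram size named in the advisory

# Constructed flow records (not real traffic). Assumed format:
# epoch_seconds src_ip src_port dst_ip dst_port proto udp_payload_bytes
SAMPLE_FLOWS = """\
1043559000 10.1.4.20 1038 203.0.113.7 1434 udp 376
1043559000 10.1.4.20 1038 198.51.100.91 1434 udp 376
1043559000 10.1.4.20 1038 192.0.2.144 1434 udp 376
1043559001 10.1.4.20 1038 203.0.113.200 1434 udp 376
1043559001 10.1.7.5 1211 10.1.9.10 1434 udp 1
1043559002 10.1.7.5 1212 10.1.9.10 1433 tcp 0
1043559002 10.1.8.8 53211 192.0.2.53 53 udp 376
truncated-line 10.1.4.20
"""

def parse_flow(line):
    """Return (src, dst, dport, proto, length), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[3])
        return str(src), str(dst), int(parts[4]), parts[5].lower(), int(parts[6])
    except ValueError:
        return None

def find_worm_sources(text, min_targets=3):
    """Map each source to the distinct hosts it sent 376-byte UDP/1434 datagrams to."""
    targets = defaultdict(set)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip damaged records instead of aborting the scan
        src, dst, dport, proto, length = flow
        if proto == "udp" and dport == SSRS_PORT and length == WORM_PAYLOAD_LEN:
            targets[src].add(dst)
    # One matching datagram can be coincidence; fan-out to many hosts is the tell.
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, dsts in find_worm_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {len(dsts)} distinct targets on UDP/{SSRS_PORT}")
```

Hosts reported here are candidates for isolation and the removal tool linked above; blocking UDP port 1434 at the network boundary limits the outbound flood while they are cleaned.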