MS SQL Slammer Worm
Summary
Microsoft SQL Server 2000 is vulnerable to a stack-based buffer overflow in the SQL Server Resolution Service, the service that directs client requests to the proper port when multiple instances of SQL Server are running on the same system. Once a vulnerable computer is compromised, the worm infects that target, randomly selects a new target, and resends the exploit and propagation code to that host.
Details
The Slammer worm propagates via Microsoft SQL installations that lack the patches from Microsoft Security Bulletin MS02-039 or later. The main function of the Slammer worm is to continue propagating. No DDoS or backdoor functionality is incorporated into the worm. The infection can be removed with a reboot; however, without protection in place, vulnerable servers are likely to be quickly re-infected.
The Slammer worm loads Kernel32.dll and WS2_32.dll and then calls GetTickCount, whose result is used as the seed for a random IP address routine. This routine then continuously sends 376 bytes of exploit and propagation code to port 1434/UDP until the SQL Server process is shut down. Unlike the Nimda worm, the Slammer worm does not prefer to scan local subnet addresses. This limits the speed of propagation across local networks, but this scanning method generates large amounts of traffic that can overwhelm networks.
The Slammer worm simply seeks to replicate itself and does not try to further compromise servers or retain access to compromised hosts. The Slammer worm does not infect or modify files; it exists only in memory.
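The traffic pattern described above (376-byte datagrams sent to 1434/UDP at many random addresses) can be picked out of flow records to find infected hosts. The following is an added example, not part of the original advisory: the flow-record format, the thresholds and the function names are assumptions, the sample records are constructed, and the 376 bytes is treated as the UDP payload length.

```python
from collections import defaultdict

SLAMMER_PORT, SLAMMER_LEN = 1434, 376  # port and size stated in the advisory

# Constructed flow records (not real traffic).
# Assumed format: time src dst proto dport payload_len
SAMPLE_FLOWS = """
0.00 10.1.1.20 10.1.1.5 udp 1434 12
0.01 10.1.1.7 198.51.100.14 udp 1434 376
0.02 10.1.1.7 203.0.113.77 udp 1434 376
0.03 10.1.1.7 192.0.2.201 udp 1434 376
0.04 10.1.1.7 198.51.100.9 udp 1434 376
0.05 10.1.1.7 203.0.113.150 udp 1434 376
0.06 10.1.1.30 10.1.1.5 tcp 1433 376
5.00 10.1.1.40 192.0.2.10 udp 1434 376
9.00 10.1.1.40 192.0.2.11 udp 1434 376
"""

def parse_flows(text):
    """Yield (time, src, dst) for flows matching the worm's port and size."""
    for line in text.strip().splitlines():
        try:
            ts, src, dst, proto, dport, size = line.split()
            hit = (proto.lower() == "udp" and int(dport) == SLAMMER_PORT
                   and int(size) == SLAMMER_LEN)
            ts = float(ts)
        except ValueError:
            continue  # skip malformed records instead of aborting the scan
        if hit:
            yield ts, src, dst

def find_scanners(text, min_targets=5, window=1.0):
    """Return {src: peak distinct destinations seen within `window` seconds}
    for every source whose peak reaches `min_targets`."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_flows(text):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = peak = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward in time
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct 1434/UDP targets, 376-byte payloads")
```

A single 376-byte datagram to 1434/UDP is not flagged on its own; the fan-out to many distinct destinations in a short window is what separates the worm's random scanning from a lone matching packet.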
Version appeared: 3.5