SECURITY ALERT

Name:      W32/SQLSlammer
Aliases:   W32.SQLExp.Worm, DDOS.SQLP1434.A, SQL Slammer Worm, Sapphire
Variants:  
Type:      Internet Worm
Platforms: Microsoft SQL Server 2000
Status:    in the wild
Threat:    V-CON 3 (medium)

The following has been derived from information provided by F-Secure, Network Associates, Symantec and Trend Micro.

Virus Characteristics

W32/SQLSlammer exists only in the memory of unpatched Microsoft SQL servers. Its purpose is simply to spread from one system to another and it does not carry a destructive payload.

When W32/SQLSlammer compromises a machine it does the following:

- Opens a netbios socket to send the worm packet.
- Uses the Windows API Function, GetTickCount, to generate a random IP address to send the viral packet to.
- Repeatedly sends itself to all IP addresses generated, on UDP port 1434.

W32/SQLSlammer will continuously send packets to different IP addresses, effectively performing a Denial Of Service.

The malformed packet is only 376 bytes long and carries the following strings: "h.dllhel32hkernQhounthickChGetTf", "hws2", "Qhsockf" and "toQhsend".

The worm body starts with byte 0x04 (followed by a long series of 0x01 bytes) which, when received by the SQL Monitor, generates a long registry key name overflowing the buffer. That overwrites the return address on the stack and the worm code receives control with the privileges of the SQL Monitor.
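As a defender-side illustration of the packet characteristics above, the following Python is an added example (not code from the alert or from any of the vendors it cites): a classifier for UDP datagrams to port 1434 that flags the features the alert lists (leading 0x04 byte, a long run of 0x01 bytes, a 376-byte payload, and the quoted marker strings). The bound on a legitimate instance-name length and the minimum 0x01 run are assumed thresholds, not values from the alert, and the "lookalike" sample is constructed filler carrying only those markers; it is not the worm and contains no executable code.

```python
import re

# Constants taken from the alert text
SSRP_PORT = 1434                 # UDP port the worm targets
SLAMMER_PAYLOAD_LEN = 376        # length of the worm datagram given in the alert
SSRP_CLNT_UCAST_INST = 0x04      # leading byte of the malformed request
SLAMMER_MARKERS = [              # strings the alert says the packet carries
    b"h.dllhel32hkernQhounthickChGetTf", b"hws2", b"Qhsockf", b"toQhsend",
]
# Assumed thresholds (not from the alert): an upper bound for a legitimate
# instance name in a 0x04 request, and how many 0x01 bytes count as "a long series".
MAX_INSTANCE_NAME = 32
MIN_ONES_RUN = 16


def classify_ssrp_datagram(dst_port, payload):
    """Classify one UDP datagram as 'ignore', 'benign', 'suspicious' or 'slammer'.

    Returns (verdict, reasons). Only traffic to UDP/1434 whose first byte is
    0x04 is inspected; anything else is out of scope for this check.
    """
    reasons = []
    if dst_port != SSRP_PORT:
        return "ignore", reasons
    if not payload or payload[0] != SSRP_CLNT_UCAST_INST:
        return "benign", reasons

    body = payload[1:]
    # In a well-formed 0x04 request the body is a NUL-terminated instance name.
    nul = body.find(b"\x00")
    instance_name = body if nul == -1 else body[:nul]
    if len(instance_name) > MAX_INSTANCE_NAME:
        reasons.append("instance name of %d bytes exceeds bound %d"
                       % (len(instance_name), MAX_INSTANCE_NAME))

    ones = re.match(rb"\x01+", body)
    ones_run = len(ones.group(0)) if ones else 0
    if ones_run >= MIN_ONES_RUN:
        reasons.append("run of %d 0x01 bytes after the 0x04 header" % ones_run)

    if len(payload) == SLAMMER_PAYLOAD_LEN:
        reasons.append("payload length is exactly %d bytes" % SLAMMER_PAYLOAD_LEN)

    hits = [m.decode() for m in SLAMMER_MARKERS if m in payload]
    if hits:
        reasons.append("worm marker strings present: %s" % ", ".join(hits))

    if hits or (ones_run >= MIN_ONES_RUN and len(payload) == SLAMMER_PAYLOAD_LEN):
        return "slammer", reasons
    if reasons:
        return "suspicious", reasons
    return "benign", reasons


def benign_probe(instance=b"MSSQLSERVER"):
    """A well-formed SSRP 0x04 request asking for one named instance."""
    return bytes([SSRP_CLNT_UCAST_INST]) + instance + b"\x00"


def constructed_lookalike():
    """Constructed stand-in with the features the alert describes.
    NOT the worm: the body is 0x01 bytes, the quoted strings and 'A' filler."""
    head = bytes([SSRP_CLNT_UCAST_INST]) + b"\x01" * 97
    markers = b"".join(SLAMMER_MARKERS)
    filler = b"A" * (SLAMMER_PAYLOAD_LEN - len(head) - len(markers))
    return head + markers + filler


if __name__ == "__main__":
    # Constructed "capture": (label, destination port, payload)
    samples = [
        ("normal SSRP probe", SSRP_PORT, benign_probe()),
        ("oversized instance name", SSRP_PORT, b"\x04" + b"B" * 60 + b"\x00"),
        ("lookalike to UDP/1434", SSRP_PORT, constructed_lookalike()),
        ("lookalike to other port", 53, constructed_lookalike()),
    ]
    for label, port, data in samples:
        verdict, why = classify_ssrp_datagram(port, data)
        print("%-26s -> %-10s %s" % (label, verdict, "; ".join(why)))
```

The oversized-name check is the structural one: it catches any 0x04 request long enough to overrun the SQL Monitor's buffer, whether or not the marker strings are present, which is why it yields "suspicious" on its own and "slammer" only together with the alert's specific indicators.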

Once the worm gets control on the target computer it loads WS2_32.DLL and starts to continually send itself to randomly selected IP targets in an infinite loop. The IP of a victim is constructed using the 'GetTickCount' API and thus is purely random (no skew towards the local subnet, for example). This propagation strategy consumes a lot of network bandwidth because the vast majority of requests go to the Internet. The worm exists only in memory and does not modify any local files.

This worm was detected on January 25th, 2003 at 05:30 GMT. It has been detected in various countries around the world. The worm generates massive amounts of network packets, overloading servers and routers and slowing down network traffic. As many as 5 of the 13 internet root nameservers have been down because of this during Saturday the 25th.

The worm comes as a program that asks for parameters, particularly the target host, port and version of the SQL service pack.

It uses shellcode to redirect the overwritten return address to the DDOS Trojan's code, which then runs in memory. This code resides only in memory and has no file counterpart. Because of this, antivirus scanners that do not support memory scanning will not be able to detect it.

For additional information on the vulnerability that this malware exploits, please see:

http://www.kb.cert.org/vuls/id/370308
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp


Payload

Degrades performance: May affect network availability
Consumes server and network resources, resulting in a restart of the SQL Server, a reboot of the server host, or a network failure.


Preventative Measures

Block UDP port 1434 at the firewall where possible.


Fixes Available

Please apply the patches MS02-034 and MS02-039, available from Microsoft and restart the server. This will clear the virus from memory and prevent reinfection.

For patch information, see:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-034.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp


Sincerely,

Technical Support

============================================

This is an On-Line Security Alert from Sensible Security's On-Line Alert
Service.

If you know of someone who should receive these alerts,
please have them contact us and we will add them to the list.

============================================
* Sensible Security Solutions Inc. *
* Canada's IT Security Professionals *
============================================
General Inquiries: info@sss.ca
Technical Support: support@sss.ca
WWW: http://www.sss.ca
Tel: (613)721-3320 Fax: (613)721-6744
