Center for Information Technology: Antivirus

Virus Archives

W32/SQLSlammer (updated 1/30/2003, 7:45 A.M.)

New tool to scan for and disable unpatched machines
sqlscanpkg can locate and disable vulnerable machines (those running SQL 2000 or MSDE 2000 without the requisite patches). This newly released tool is more stable and gives more accurate results than sscheck.exe did. There is still a possibility that production machines could be disabled, so read the enclosed README.TXT file carefully before using it. See http://microsoft.com/downloads/details.aspx?FamilyId=9552D43B-04EB-4AF9-9E24-6CDE4D933600&displaylang=en for additional information.

W32/SQLSlammer (A.K.A. Sapphire) Description
This worm, discovered 1/24/2003, exploits a buffer overflow in the SQL Server 2000 Resolution Service (the vulnerability addressed by Microsoft bulletin MS02-039, listed under Additional information below) to infect the host. The worm exists only in the memory of the running SQL Server process and writes nothing to disk, so it is not detected by traditional file-scanning antivirus software. Rebooting clears it, but an unpatched machine is reinfected as soon as it is back on the network.
You should apply SP3 to SQL 2000 servers. If you cannot, install SQL Server 2000 Service Pack 2 and then apply the security patch Q323875 (MS02-061).

Platforms affected:
SQL 2000 (Developer, Standard and Enterprise)
Microsoft SQL Desktop Engine 2000 (MSDE 2000)
MSDN
Office Developer Edition (2000 and XP)
Visual Studio.NET
Visual Foxpro 7.0 and 8.0
Access 2000 installations that include MSDE (see MSDE Applications for a list of third-party applications that use MSDE).

Although it does not infect SQL7, you should ensure that SQL7 servers are patched appropriately.

Do not assume you have MSDE just because you have Access 2000. See below for instructions.

Important information from Microsoft regarding these patches is at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp

SQL Server SP3 instructions:

  • Save Service Pack 3 (SQL SP3) and the patches to removable media (e.g. CD or another storage device)
  • Isolate the Server by removing it from the network (unplug the network cable)
  • Reboot the server
  • Install SQL SP3
  • Reboot the server
  • Reattach the server to the network
  • From the command line, run "netstat -a -s" (without the quotes)
  • After a successful patch the UDP "Datagrams Sent" counter stays small; repeat the command after a minute to confirm it is not climbing

SQL Server SP2 instructions:

  • Save Service Pack 2 (SQL SP2) and the patches to removable media (e.g. CD or another storage device)
  • Isolate the Server by removing it from the network (unplug the network cable)
  • Reboot the server
  • Install SQL SP2
  • Reboot the server
  • Execute the patch Q323875
  • Reboot the server
  • Reattach the server to the network
  • From the command line, run "netstat -a -s" (without the quotes)
  • After a successful patch the UDP "Datagrams Sent" counter stays small; repeat the command after a minute to confirm it is not climbing

MSDE (server or desktop) SP2 instructions:

  • Verify that you have MSDE installed.
    • Go to "Start", then "Search", and search the local system for the file "sqlservr.exe". If this file is present, you have MSDE or SQL Server installed.
    • Right-click the file, select "Properties", open the "Version" tab and read "Product Version". If the product version is between 8.00.0194 and 8.00.0533 you are running MSDE 2000 at a pre-SP2 level and must install MSDE2000 SP2 before you install Q316333.
    • If the product version is between 8.00.0534 and 8.00.0636 you are running MSDE 2000 SP2 and only need to install Q316333.
  • Save the MSDE2000 SP2 to removable media
  • Save the MSDE2000Full SP2 to removable media
  • Save Q316333 to removable media
  • Remove the machine from the network (unplug the network cable, or disable the wireless connection)
  • Reboot the machine
  • Install the MSDE2000 SP2. This patch may fail in certain circumstances
  • If, and only if, the MSDE2000 SP2 does not install, install MSDE2000Full SP2
  • Reboot the machine
  • Install Q316333
  • Reboot the machine
  • From the command line, run "netstat -a -s" (without the quotes)
  • After a successful patch the UDP "Datagrams Sent" counter stays small; repeat the command after a minute to confirm it is not climbing

MSDE SP3 instructions:

  • Save MSDE2000 Service Pack 3 (MSDE SP3) and the patches to removable media (e.g. CD or another storage device)
  • Isolate the Server by removing it from the network (unplug the network cable)
  • Reboot the server
  • Install MSDE SP3
  • Reboot the server
  • Reattach the server to the network
  • From the command line, run "netstat -a -s" (without the quotes)
  • After a successful patch the UDP "Datagrams Sent" counter stays small; repeat the command after a minute to confirm it is not climbing

See http://support.microsoft.com/default.aspx?scid=kb;en-us;315721 for more information.

To check for the presence of the worm, run "netstat -a -s". The "-a" output lists the UDP socket SQL Server holds open; the "-s" output prints the UDP protocol counters. A small amount of UDP traffic is normal and is to be expected. UDP is connectionless, so you will not see worm "connections"; look instead at the UDP "Datagrams Sent" counter. If it is very large and climbs rapidly when you repeat the command, the machine is almost certainly infected.
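The two host-side checks this page relies on, the sqlservr.exe Product Version triage from the MSDE SP2 instructions and the "netstat -a -s" reading, as an added Python example that is not part of the original NIH page. It runs offline against constructed sample netstat output; the counter values and the 1000 datagrams/second threshold are assumptions for illustration, not published figures. The UDP port 1434 listener it looks for is the SQL Server 2000 Resolution Service covered by MS02-039.

```python
"""Host-side W32/SQLSlammer exposure checks (added example, not from the
original page). Implements the sqlservr.exe version triage and the
"netstat -a -s" reading described above against constructed sample output.
"""
import re
from typing import Tuple

# Version ranges taken from the page's MSDE SP2 instructions.
PRE_SP2 = ((8, 0, 194), (8, 0, 533))        # MSDE2000 SP2 first, then Q316333
SP2_NO_HOTFIX = ((8, 0, 534), (8, 0, 636))  # Q316333 only

# Verdict strings returned by classify_version().
SP2_THEN_Q316333 = "install MSDE2000 SP2, then Q316333"
Q316333_ONLY = "install Q316333"
NOT_SQL2000 = "not SQL Server 2000 / MSDE 2000"
UNLISTED = "build not in the ranges listed; confirm patch level against MS02-061"


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.00.0194' (as shown by Explorer's Product Version) -> (8, 0, 194)."""
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts[:3])


def classify_version(product_version: str) -> str:
    """Map a sqlservr.exe Product Version onto the page's patch advice."""
    v = parse_version(product_version)
    if v[0] != 8:
        return NOT_SQL2000          # e.g. SQL 7 (7.00.x); see the SQL7 note above
    if PRE_SP2[0] <= v <= PRE_SP2[1]:
        return SP2_THEN_Q316333
    if SP2_NO_HOTFIX[0] <= v <= SP2_NO_HOTFIX[1]:
        return Q316333_ONLY
    return UNLISTED


# Constructed sample of "netstat -a" on a Windows host running SQL Server 2000.
NETSTAT_A_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1434           *:*
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample of the UDP section of "netstat -s".
NETSTAT_S_SAMPLE = """
UDP Statistics for IPv4

  Datagrams Received    = 1042
  No Ports              = 17
  Receive Errors        = 0
  Datagrams Sent        = 388
"""


def listens_on_udp_1434(netstat_a_output: str) -> bool:
    """True if a UDP socket is bound to port 1434 (SQL Server Resolution Service)."""
    pattern = re.compile(r"^\s*UDP\s+\S+:1434\s", re.MULTILINE)
    return pattern.search(netstat_a_output) is not None


def udp_datagrams_sent(netstat_s_output: str) -> int:
    """Return the 'Datagrams Sent' counter from the UDP statistics block."""
    in_udp = False
    for line in netstat_s_output.splitlines():
        if line.startswith("UDP Statistics"):
            in_udp = True
            continue
        if in_udp and line and not line[0].isspace():
            in_udp = False          # a new protocol block such as "TCP Statistics ..."
        if in_udp:
            m = re.match(r"\s*Datagrams Sent\s*=\s*(\d+)", line)
            if m:
                return int(m.group(1))
    raise ValueError("no UDP 'Datagrams Sent' counter found")


def suspect_slammer(sent_before: int, sent_after: int, seconds: float,
                    threshold_per_sec: float = 1000.0) -> bool:
    """Compare two 'Datagrams Sent' readings taken `seconds` apart.

    The worm floods random hosts with UDP datagrams, so the counter climbs by
    thousands per second; an idle or patched server moves it by a handful.
    The 1000/s threshold is an assumption for this example, not a published figure.
    """
    if seconds <= 0:
        raise ValueError("seconds must be positive")
    return (sent_after - sent_before) / seconds > threshold_per_sec


if __name__ == "__main__":
    print(classify_version("8.00.0194"))
    print("UDP 1434 open:", listens_on_udp_1434(NETSTAT_A_SAMPLE))
    sent = udp_datagrams_sent(NETSTAT_S_SAMPLE)
    print("datagrams sent:", sent, "suspect:", suspect_slammer(sent, sent + 22, 60))
```

Take the two counter readings a minute apart, as the instructions above suggest; a single reading tells you little because the counter only ever increases since boot.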

A good analysis of the worm, from the Internet Storm Center, is at http://isc.incidents.org/analysis.html?id=180

Additional information is at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-039.asp from Microsoft
http://www.sarc.com/avcenter/venc/data/w32.sqlexp.worm.html from Symantec
http://vil.nai.com/vil/content/v_99992.htm from Network Associates

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact TASC for assistance or call
301.59.Go.CIT (V) 301.496.8294 (TDD)

National Institutes of Health, Center for Information Technology
Bethesda, Maryland 20892

Department of Health and Human Services
Washington, D.C. 20201