W32.SQLExp.Worm

Discussion in 'malware problems & news' started by AMH209, Jan 25, 2003.

Thread Status:
Not open for further replies.
  1. AMH209

    AMH209 Registered Member

    Joined:
    Feb 21, 2002
    Posts:
    18
    Info from Symantec's website:

    W32.SQLExp.Worm
    Discovered on: January 24, 2003
    Last Updated on: January 25, 2003 04:20:00 AM

    W32.SQLExp.Worm is a worm that targets servers running Microsoft SQL. Since this worm exists only in memory, it cannot be detected by traditional antivirus scanners. As a result, Symantec Security Response will not be posting virus definitions for this threat.

    The worm sends 376 bytes to 1434/udp - the SQL Server Resolution Service Port. Beginning at 5:31am GMT, we started to see a significant increase in the unique number of source IPs scanning for 1434/udp. Symantec Security Response highly recommends all MS-SQL server system administrators to audit their machines for known security vulnerabilities immediately.

    Symantec Security Response also recommends configuring perimeter devices to block 1434/udp traffic from untrusted hosts.

    The worm has the unintended payload of performing a Denial of Service due to the large number of packets it sends out.

    Type: Worm
    Infection Length: 376 bytes
    CVE References: CAN-2002-0649

    Wild:
    Number of infections: More than 1000
    Number of sites: More than 10
    Geographical distribution: High
    Threat containment: Easy
    Removal: Easy

    Threat Metrics
    Wild: High
    Damage: Low
    Distribution: Low

    Damage
    Payload: Degrades performance: May affect network availability

    Distribution
    Ports: 1434/udp

    When W32.SQLExp.Worm compromises a machine it does the following:

    Opens a netbios socket to send the worm packet.
    Uses the Windows API Function, GetTickCount, to generate a random IP address to send the viral packet to.
    Repeatedly sends itself to all IP addresses generated on UDP port 1434.

    W32.SQLExp will continuously send packets to different IP addresses, effectively performing a Denial Of Service.
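A small detection pass over firewall or flow logs for the two indicators Symantec gives above: 376-byte datagrams to 1434/udp, and the number of distinct sources probing that port. This is an added example, not code from the thread or from Symantec; the log line format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed "proto src:port > dst:port len=N"
# format; adapt LINE_RE to your firewall's real log layout.
SAMPLE_LOG = """\
udp 10.0.0.5:1090 > 192.0.2.10:1434 len=376
udp 10.0.0.6:3301 > 192.0.2.11:1434 len=376
udp 10.0.0.5:1091 > 192.0.2.12:1434 len=376
udp 10.0.0.9:5353 > 192.0.2.10:53 len=64
tcp 10.0.0.7:4444 > 192.0.2.10:1433 len=60
udp 10.0.0.8:2001 > 192.0.2.13:1434 len=120
"""

LINE_RE = re.compile(r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+len=(?P<length>\d+)$")

SLAMMER_PORT = 1434   # SQL Server Resolution Service, UDP
SLAMMER_LEN = 376     # datagram size reported by Symantec

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec

def is_slammer_datagram(rec):
    """Wire signature from the write-up: UDP, destination port 1434, exactly 376 bytes."""
    return (rec["proto"].lower() == "udp" and rec["dport"] == SLAMMER_PORT
            and rec["length"] == SLAMMER_LEN)

def analyse(log_text):
    """Return (list of (src, dst) Slammer hits, Counter of hosts probing 1434/udp)."""
    hits, probers = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "udp" or rec["dport"] != SLAMMER_PORT:
            continue
        probers[rec["src"]] += 1          # any 1434/udp probe counts toward the surge
        if is_slammer_datagram(rec):
            hits.append((rec["src"], rec["dst"]))
    return hits, probers
```

Run `analyse` over successive log windows and compare `len(probers)` between them; a jump in unique probers is the surge Symantec describes, even before a 376-byte hit appears.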
     
  2. FanJ

    FanJ Guest

    See also this thread started by Snowy:

    http://www.wilderssecurity.com/showthread.php?t=6651
     
  3. FanJ

    FanJ Guest

    Quote from Sophos:
    [hr]
    SOPHOS WARNS OF SQLSLAMMER INTERNET WORM

    Sophos is advising companies to ensure their systems are up-to-date with
    the latest security patches in response to a new internet worm
    called W32/SQLSlam-A or SQLSlammer.

    The worm relies upon a security vulnerability in some versions of Microsoft
    SQL server, and creates traffic on UDP port 1434.

    Sophos advises companies to ensure their systems are up-to-date with the
    latest security patches, including the patch from Microsoft to protect
    against the vulnerability exploited by the worm:
    http://www.microsoft.com/technet/security/bulletin/MS02-039.asp

    Sophos has posted more information about the worm at
    http://www.sophos.com/link/slammer
     
  4. FanJ

    FanJ Guest

    Quoting TrendMicro:
    [hr]
    WORM_SQLP1434.A attacks target systems using Microsoft SQL Server 2000, allowing affected SQL Servers to send the malicious packet to other SQL Servers and thereby causing a slowdown, or even failure, in the affected network.

    The code that executes the denial-of-service attack resides only in memory of affected Microsoft SQL servers, and there are no file counterparts. Because of this, antivirus scanners that do not support memory scanning will not be able to detect the code.

    There is no pattern file required.

    Trend Micro strongly advises customers to download the latest fix patch supplied by Microsoft, updated on January 17, 2003. The patch is found on this site, http://www.microsoft.com/sql/downloads/2000/sp3.asp

    For more information on WORM_SQLP1434.A please visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SQLP1434.A
     
  5. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So my reply and link somewhere soon after starting the "heads-up" thread was not bad at all. My googling found several recommendations about excluding 1434 and 1433 from the trusted zone for all unknown IPs, and more, but I stopped posting as there came no reactions on them .......
    Good, by now the whole internet knows what's going on and what to do.
    Still, suppose only those running the SQL server are vulnerable and need the patch, or am I behind facts now again?

    You might like to look with TDS TCP Port Listen at incoming packets, or the Port Explorer socket spy. We did with TDS when determining the CR attacks; nice to see what's been trying without harming, thanks to the blockages.
     
  7. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    It's quite interesting to see how the worm works, though.... I haven't exposed my PC to it, but was willing to see how this would go on my test computer ;) so as I decided to see what the worm was all about, just to find out that this little f**k is annoying and very moving ;)

    Anyhow, if I knew more about programming I would make a little fix/clean for this. Darn (I should have learned programming.)
     
  8. controler

    controler Guest

  9. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Updated: January 26, 2003

    How do I tell if I have MSDE or SQL Server 2000 installed on my system?

    Go to "Start" then "Search" and search the local system for the file "sqlserver.exe". If this file is present on your system, then you have MSDE or SQL Server installed. Next right click on this file and select "properties" then "product version". If the product version is between 8.00.0194 and 8.00.0533 you are running SQL Server 2000 or MSDE 2000 then you need to install SQL Server SP2 before you install this patch.

    Next right click on this file and select "properties" then "product version". If the product version is between 8.00.0194 and 8.00.0533 you are running SQL Server 2000 or MSDE 2000 and need the updates discussed by this bulletin.

    What do I need to do to make sure that my MSDE installation is updated?

    That depends on what product you are using with MSDE. If you are using MSDE with any of the products listed above except Application Center 2000, you need to ensure you have first installed MSDE 2000 Service Pack 2 since this security patch requires Service Pack 2 to be installed. Once you have installed MSDE 2000 Service Pack 2 you need to install the SQL Server 2000 patch.

    If you are running Microsoft Application Center 2000, you need to install a version of MSDE Service Pack 2 which is specifically intended to be used with Application Center. This service pack is available at: http://download.microsoft.com/download/AppCenter2000/MSDESP2/QFE813058.exe. Once you have installed the Application Center version of MSDE Service Pack 2, you should install the SQL Server 2000 security patch. More information on the Application Center specific version on MSDE 2000 Service Pack 2 is available in Microsoft Knowledge Base article Q813115.

    Why did you only re-release this patch for SQL Server 2000?

    The release of the "Slammer" worm virus made it especially critical for SQL Server 2000 customers to deploy this patch. The patch was repackaged with the new SQL Server installer in order to assist customers in this process.

    ___________________

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp

    Microsoft Security Bulletin MS02-061

    Summary
    Who should read this bulletin: System administrators using Microsoft® SQL Server™ 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000.

    Impact of vulnerability: Elevation of privilege

    Maximum Severity Rating: Critical

    Recommendation: System administrators should apply the patch to affected systems.

    Affected Software:

    Microsoft SQL Server 7.0
    Microsoft Data Engine (MSDE) 1.0
    Microsoft SQL Server 2000
    Microsoft Desktop Engine (MSDE) 2000 (see the FAQ for a list of products that include MSDE 2000)
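Added example, not Microsoft's or the thread's code: the version rule (8.00.0194 to 8.00.0533) and the MSDE/Application Center branch from the FAQ quoted above, applied to a hand-collected inventory of sqlservr.exe files. The inventory entries, the paths and the `hosted_by` label are constructed assumptions.

```python
# Applies the FAQ's version rule and its Application Center branch to an
# inventory of (path, product version, hosting product) entries collected
# by hand from the Start > Search step. Constructed example, not a Microsoft tool.

AFFECTED_LOW = (8, 0, 194)    # 8.00.0194: lowest build the FAQ names
AFFECTED_HIGH = (8, 0, 533)   # 8.00.0533: highest build the FAQ names

def parse_version(text):
    """Turn '8.00.0194' (or '8.0.194') into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised product version: %r" % text)
    return tuple(int(p) for p in parts[:3])

def required_steps(product_version, hosted_by=None):
    """Ordered install steps per the FAQ, or [] when the build is outside the named range."""
    ver = parse_version(product_version)
    if not AFFECTED_LOW <= ver <= AFFECTED_HIGH:
        return []
    if hosted_by == "Application Center 2000":   # needs the AC-specific SP2 package
        sp2 = "Install the Application Center build of MSDE 2000 SP2 (QFE813058.exe, KB Q813115)"
    else:                                         # plain SQL Server 2000 / MSDE 2000
        sp2 = "Install MSDE 2000 / SQL Server 2000 Service Pack 2"
    return [sp2, "Install the SQL Server 2000 security patch (MS02-061)"]

def audit(inventory):
    """Map each (path, version, hosted_by) entry to its steps; flag versions that do not parse."""
    report = {}
    for path, version, hosted_by in inventory:
        try:
            report[path] = required_steps(version, hosted_by)
        except ValueError as exc:
            report[path] = ["CHECK MANUALLY: %s" % exc]
    return report

# Constructed inventory; paths and versions are sample values, not from any real host.
INVENTORY = [
    (r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "8.00.0194", None),
    (r"C:\Program Files\Microsoft SQL Server\MSSQL$AC\Binn\sqlservr.exe", "8.00.0533", "Application Center 2000"),
    (r"C:\Program Files\Microsoft SQL Server\MSSQL$OLD\Binn\sqlservr.exe", "8.00.0534", None),
    (r"D:\legacy\sqlservr.exe", "unknown", None),
]
```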
     