SQL Slammer - Pain in the Backside - Please help

Discussion in 'malware problems & news' started by AnthonyG, May 7, 2005.

Thread Status:
Not open for further replies.
  1. AnthonyG

    AnthonyG Registered Member

    Joined:
    Aug 3, 2004
    Posts:
    614
    Every hour my Mcafee enterprise is popping up with this virus/worm warning and my Mcafee Desktop firewall is going crazy because of it.

    How do i get rid of it, i have done a full system scan with MVE8, Mcafee Stinger and Panda online scan but it did not get rid of it.

    I have read the removal instructions but do not understand how to get rid of it, i.e something about updating the SQL server which i have tried but i am constantly getting an error.

    I do not want to uprade to XP-SP2 (i currently have no service packs) what do i do.
     

    Attached Files:

    Last edited: May 7, 2005
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Re: SQL Slamer - Pain in the Backside - Please help

    Here is Symantec's writeup on the Slammer Worm:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html

    They also have a removal tool you can try [upper right yellow box]:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.removal.tool.html

    Also, is it possible for you to download the MS patch and then disconnect from the internet for awhile? Otherwise until you have installed the patch from MS, you will just get reinfected from the internet. Hope that helps. ;)
     
  3. AnthonyG

    AnthonyG Registered Member

    Joined:
    Aug 3, 2004
    Posts:
    614
    Re: SQL Slamer - Pain in the Backside - Please help

    I scanned my machine with the tool you linked to but it found nothing but its definitely on my machine, what do i do now?
     
  4. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    To be sure:

    ***Block UDP/TCP Port 1433 for M-SQL-Server,
    ***Block UDP/TCP Port 1434 for M-SQL-Monitor,

    ***On the next link, after clicking on "i Accept", just download on the same folder firstly "Sysclean" and after the patern file database:
    http://www.trendmicro.com/download/pattern-dcs.asp

    Then run a scan (sysclean.exe) on normal and DOS mode.

    Regards
     
  5. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    This is a small Internet worm that exploits a buffer overrun vulnerability. This worm is in memory only and it does not drop any additional files.

    Have you enabled Buffer overrun protection in the McAfee AV?

    Suggestions;


    1. When the Slammer attempts to communicate with your machine, your McAfee Firewall records the data sent to your computer in it's logs. In fact it records the actual binary data that causes the infection. Then, after this information is saved in the logs, McAfee's RTM picks it up and throws out the virus message you are seeing.

    So it's not really that your machine was INFECTED with the Slammer worm, but a record that an attack attempt was made.

    If this is the case you can safely delete the log and have the Firewall recreate it. Then you can exclude the Firewall log directories from McAfee 8.0i so that you don't get this warning anymore. You're not going to get infected, you're just getting probed.


    2. If it is in the memory of your computer, it appears to get into the buffer of your firewall. I have picked it up twice in the past with Dr Web, whose memory scanner can remove it.

    If McAfee cannot clean it from memory, or Stinger ( I am surprised ) download the trial version of Dr Web or its free version, CureIT. This should be able to remove it from memory. The full version certainly has no problems.

    Win32.SQL.Slammer is harmless but a pain if it regularly fires off your AV's RTM.


    However, if you have already tried various ways to remove this worm and all have failed, and your RTM is alerting you to a possible infection connected to your firewall files rather than in memory, it sounds like a false alarm.

    Your AV is probably alerting you to the record of the worm in your firewall logs.

    Can you report back if you find a solution as it may help other members with the same problem in the future.
     
    Last edited: May 7, 2005
Loading...
Thread Status:
Not open for further replies.