Info from Symantec's website:

W32.SQLExp.Worm
Discovered on: January 24, 2003
Last Updated on: January 25, 2003 04:20:00 AM

W32.SQLExp.Worm is a worm that targets servers running Microsoft SQL. Since this worm exists only in memory, it cannot be detected by traditional antivirus scanners. As a result, Symantec Security Response will not be posting virus definitions for this threat.

The worm sends 376 bytes to 1434/udp - the SQL Server Resolution Service Port. Beginning at 5:31am GMT, we started to see a significant increase in the unique number of source IPs scanning for 1434/udp.

Symantec Security Response highly recommends all MS-SQL server system administrators to audit their machines for known security vulnerabilities immediately. Symantec Security Response also recommends configuring perimeter devices to block 1434/udp traffic from untrusted hosts.

The worm has the unintended payload of performing a Denial of Service due to the large number of packets it sends out.

Type: Worm
Infection Length: 376 bytes
CVE References: CAN-2002-0649

Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Easy

Threat Metrics
Wild: High
Damage: Low
Distribution: Low

Damage
Payload: Degrades performance: May affect network availability

Distribution
Ports: 1434/udp

When W32.SQLExp.Worm compromises a machine it does the following:

- Opens a netbios socket to send the worm packet.
- Uses the Windows API Function, GetTickCount, to generate a random IP address to send the viral packet to.
- Repeatedly sends itself to all IP addresses generated on UDP port 1434.

W32.SQLExp will continuously send packets to different IP addresses, effectively performing a Denial Of Service.
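
Added example, not part of the Symantec advisory: a small detection pass over flow records that applies the two network indicators quoted above (376 bytes to 1434/udp, and a rise in unique source IPs). The record format, the sample lines and the min_targets threshold are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict

WORM_PORT = 1434      # SQL Server Resolution Service port named in the advisory
WORM_LEN = 376        # UDP payload size named in the advisory

# Constructed sample flow records: time,src,dst,proto,dport,payload_len
SAMPLE = """\
05:30:58,192.0.2.10,198.51.100.7,udp,1434,32
05:31:02,192.0.2.44,203.0.113.9,udp,1434,376
05:31:02,192.0.2.44,198.51.100.80,udp,1434,376
05:31:03,192.0.2.44,203.0.113.200,udp,1434,376
05:31:03,192.0.2.44,198.51.100.3,udp,1434,376
05:31:40,192.0.2.71,203.0.113.15,udp,1434,376
05:32:05,192.0.2.71,203.0.113.16,udp,1434,376
05:32:06,192.0.2.90,198.51.100.7,tcp,1433,376
"""

def parse(text):
    """Yield (minute, src, dst) for records matching the worm packet profile."""
    for row in csv.reader(text.splitlines()):
        if len(row) != 6:
            continue  # skip malformed lines
        ts, src, dst, proto, dport, length = (f.strip() for f in row)
        if not (dport.isdigit() and length.isdigit()):
            continue  # skip records with non-numeric port or length
        if proto.lower() == "udp" and int(dport) == WORM_PORT and int(length) == WORM_LEN:
            yield ts[:5], src, dst

def scanning_sources(text, min_targets=3):
    """Sources that sent the profile packet to at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for _, src, dst in parse(text):
        targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}

def unique_sources_per_minute(text):
    """Distinct matching sources per minute, to spot a sudden rise."""
    seen = defaultdict(set)
    for minute, src, _ in parse(text):
        seen[minute].add(src)
    return {m: len(s) for m, s in sorted(seen.items())}

if __name__ == "__main__":
    print(scanning_sources(SAMPLE))
    print(unique_sources_per_minute(SAMPLE))
```

Internal hosts that appear in the scanning_sources result are candidates for the audit the advisory recommends; payload length alone is a heuristic, so the distinct-destination count is what separates a sender that keeps hitting new addresses from a single stray packet.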