W32/SQLSlammer

Discussion in 'other anti-virus software' started by spm, Jan 27, 2003.

Thread Status:
Not open for further replies.
  1. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Does anyone have any reports about A/V software or other programs' reaction to the W32/SQLSlammer worm that hit this weekend?

    While I understand it was not destructive as such (except for internet performance hits), I'm interested in which A/V programs (if any) stopped it, and which failed to.
     
  2. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    I think no available antivirus software stopped this worm as it differs too much from file-based malware. It is IMHO more an automated hack attempt. So the protection against this worm should be updating/patching the systems on a regular basis (the worm used a security hole from July last year).

    wizard
     
  3. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    I took the liberty of quoting Steve "Cool" Gibson again:


    "A Quick Vulnerability Test

    You may quickly and easily check your system:

    It is unlikely that typical personal computer users will be vulnerable to this worm's infection attempts, so you probably have nothing to worry about. Most personal computers are not running Microsoft's "SQL Server", so there is no point of entry for this infection.

    To quickly verify that your system is not running Microsoft's SQL Server, and therefore cannot be infected by Sapphire/Slammer worm probes, enter the following command in an "MS-DOS Prompt" window:


    netstat -an | find "1434"

    This DOS command line checks for the presence of any process "listening" on your computer's port 1434. Your system might be vulnerable only if some lines containing "1434" are printed to the screen when this command is entered. Otherwise, your computer cannot be infected by this new worm."

    http://grc.com/worms/25-01-03.htm


    ^Ari^
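
A stricter version of the check quoted in the post above, as an added example that is not part of the original thread or of the quoted article: `find "1434"` prints any line containing that substring, so this sketch parses `netstat -an` output and reports only sockets whose local port is exactly 1434. The sample output, function names and addresses are constructed for illustration.

```python
import re

# Windows `netstat -an` row: Proto, Local Address, Foreign Address, optional State.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)

# Constructed sample output (not captured from a real host).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:11434          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3051      10.0.0.5:1434          ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    192.168.1.10:137       *:*
"""

def naive_find(netstat_text, needle="1434"):
    """What `find "1434"` prints: every line containing the substring."""
    return [line for line in netstat_text.splitlines() if needle in line]

def listeners_on_port(netstat_text, port=1434):
    """Return (proto, local_addr) for sockets bound locally to exactly `port`."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line, or unrelated text
        proto, local, foreign, state = m.groups()
        proto = proto.upper()
        # rpartition also handles bracketed IPv6 such as [::]:1434
        addr, _, local_port = local.rpartition(":")
        if local_port != str(port):
            continue  # drops 11434 and rows where 1434 is only the remote port
        # UDP rows carry no state; a bound socket shows *:* as the foreign address.
        # The Slammer probe is a UDP datagram, so the UDP row is the one that matters.
        if proto == "UDP" and foreign == "*:*":
            hits.append((proto, addr))
        elif proto == "TCP" and (state or "").upper() == "LISTENING":
            hits.append((proto, addr))
    return hits

if __name__ == "__main__":
    print("substring matches:", len(naive_find(SAMPLE)))
    print("actual listeners :", listeners_on_port(SAMPLE))
```

On a live system, the text passed in would be the captured output of `netstat -an`; an empty result corresponds to the "no lines printed" case described in the quote.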
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    "Should" is the correct word here. ;)

    http://www.sophos.com/virusinfo/articles/slammerpoll.html

    Regards,

    Pieter
     
  5. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    It is a shame how many administrators don't even care about updating their systems. For private users it is even more scary as these mostly believe a personal firewall is enough protection for such threats.

    wizard
     