Issue
Alert - New Worm: W32.Slammer
UPDATED: January 27, 2003
SEVERITY: CRITICAL
Go to the following Microsoft web site for more information: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-039
Customers who have followed previously issued instructions and already installed Microsoft Security Bulletin MS02-061 and the patch associated with Q317748 do not need to install the new patch in order to prevent the W32.Slammer worm from infecting their machines.
Customers who have not yet taken those preventative measures should follow the directions provided in this alert to patch their machines against the vulnerability exploited by the W32.Slammer worm.
Environment
PRODUCTS AFFECTED: SQL Server 2000 RTM, SQL Server 2000 SP1, SQL Server 2000 SP2, and Microsoft SQL Desktop Engine Version (MSDE) 2000
Cause
WHAT IS IT?
The PSS Security Response Team (Microsoft) is issuing this alert to inform customers about the W32.Slammer worm, which is currently spreading in the wild. You are not at risk unless you are running one of the above listed products. Customers are advised to review this information and take the appropriate action for their environments.
This alert is aimed primarily at business customers.
IMPACT OF ATTACK:
Denial of Service
TECHNICAL DETAILS:
W32.Slammer is a memory-resident worm that propagates via UDP Port 1434 and exploits a vulnerability in SQL Server systems that have not applied the patch released by Microsoft Security Bulletin MS02-039. This bulletin was first available on July 24, 2002.
This worm is designed to propagate, but does not appear to contain any additional payload.
Customers can detect if they have Microsoft SQL Desktop Engine (MSDE) 2000 installed by using the following instructions:
- Right-click on the My Computer icon
- Select Manage
- Double-click on Services and Applications
- Double-click Services
If MSSQLSERVER is in the list of services, the default instance of MSDE is installed on the machine. Other instances may exist; if they do, they will be listed as MSSQL$**** (where the stars indicate the name of the instance).
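The same check can be scripted. The following is an added example, not part of the original alert: it applies the naming rule above (MSSQLSERVER for the default instance, MSSQL$ followed by the instance name for named instances) to a service list and reports each instance's state and start mode, which the recovery steps below change. The function names and the sample service list are hypothetical and constructed for illustration.

```powershell
# Added example (not from the original alert): find SQL Server 2000 / MSDE 2000
# engine instances by service name. Function names here are hypothetical.

function Get-SqlInstanceName {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Default instance: the service is named exactly MSSQLSERVER.
    if ($ServiceName -ieq 'MSSQLSERVER') { return '(default)' }
    # Named instance: MSSQL$<instance name>.
    if ($ServiceName -imatch '^MSSQL\$(.+)$') { return $Matches[1] }
    # Anything else (for example MSSQLServerADHelper or SQLSERVERAGENT)
    # is not a database engine instance.
    return $null
}

function Get-SqlInstanceService {
    # Without -Services, the local machine's service list is queried.
    param([object[]]$Services = (Get-CimInstance -ClassName Win32_Service))
    foreach ($svc in $Services) {
        $instance = Get-SqlInstanceName -ServiceName $svc.Name
        if ($null -ne $instance) {
            [pscustomobject]@{
                Instance  = $instance
                Service   = $svc.Name
                State     = $svc.State
                StartMode = $svc.StartMode   # Auto, Manual or Disabled
            }
        }
    }
}

# Constructed sample input so the logic can be checked offline.
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';         State = 'Running'; StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'MSSQL$WEBAPP';        State = 'Stopped'; StartMode = 'Manual' }
    [pscustomobject]@{ Name = 'MSSQLServerADHelper'; State = 'Stopped'; StartMode = 'Manual' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT';      State = 'Running'; StartMode = 'Auto' }
)
Get-SqlInstanceService -Services $sample | Format-Table -AutoSize

# Live inventory of the local machine:
# Get-SqlInstanceService | Format-Table -AutoSize
```

On the sample, only the first two entries are reported, as the default instance and the named instance WEBAPP.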
Resolution
RECOVERY:
Instructions for Removal of W32.Slammer from infected Microsoft SQL Server 2000 Servers or Microsoft SQL Desktop Edition (MSDE 2000)
- Set the SQL Server Service to Manual.
- Reboot the infected machine.
- If you are running Windows NT 4.0 Server Service Pack 6a, install the patch referenced in Microsoft Knowledge Base article Q258437. The Microsoft Knowledge Base can be found at http://support.microsoft.com.
- Install the security patch associated with Microsoft Security Bulletin MS02-061. Please note that the Microsoft Security Bulletin MS02-061 patch has been re-released to include the functionality previously only available through Q317748. Users who install this updated patch do not need to install Q317748.
- Users can verify installation of this patch by verifying the following files are at version 8.00.568:
  - ssmslpcn.dll
  - dbmslpcn.dll
- Set the SQL Server Service to Automatic.