Tiny worm catches out lazy adminstrators

By Steve Malone

Posted on 27 Jan 2003 at 09:49

A tiny worm only 367 bytes long is set to cause chaos in the internet today. SQL Slammer, also known as "Helkern" is claimed by one anti-virus company to be `one of the biggest dangers threatening the normal operation of the Internet to come along in recent years`.

The worm doesn't infect end user machines and is not a mass-mailer but instead targets the in-memory process of unpatched Microsoft SQL server machines. The virus spreads by exploiting a buffer-overflow in the SQL Server_Server Resolution Service,_ which operates on UDP port 1434. It is recommended that traffic on this port be blocked at the firewall, unless there are very good reasons. The worm will generate large amounts of traffic on UDP port 1434 which can slow down performance similar to a denial of service attack.

The vulnerability (MS02-039) was identified in July 2002.

SQLSlammer reared its head on Saturday morning (25th January 2003), and has turned up around the world,l notably in South Korea where the Internet virtually ground to a halt. The effects were also felt particularly harshly in most of South-East Asia, Japan and
India.

Also doing the rounds today is a new virus `Sadhound`. Early indications are that it is a mass-mailer virus with the subject name `I Miss You` with an attachment Bloods.jpg (11,507), a sad looking bloodhound and a background attachment.