Sophos Anti-Virus warns of SQLSlammer internet worm - W32/SQLSlam-A causes internet slowdown

January 25, 2003 Sophos Press Release

Sophos experts are advising companies to ensure their systems are up-to-date with the latest security patches in response to a new internet worm that affects vulnerable SQL servers and computers running MSDE 2000.

The worm, called W32/SQLSlam-A (also known as SQLSlammer, W32.SQLExp.Worm or Sapphire), relies upon a security vulnerability in some versions of Microsoft SQL server, and creates traffic on UDP port 1434. Unlike many commonly encountered viruses it does not spread via email.

W32/SQLSlam-A infects Windows 2000 computers running vulnerable versions of Microsoft SQL Server or MSDE 2000. Applications which have embedded versions of these applications may also be at risk. Microsoft has issued a list of its applications that may be vulnerable.

Microsoft has published a patch to deal with the security vulnerability of SQL servers first detailed in Security Bulletin MS02-039. The patch is included in Microsoft SQL Server Service Pack 3. Microsoft has since published updated information on the threat.

As the worm does not infect any files, an affected server can be cleaned just by rebooting. However, the patch needs to be put in place to avoid reinfection.

Astonishingly, this patch first dates from July 2002 - and yet many system administrators may still not have put it in place.

Loopholes are found in products on a weekly basis, some significant, some trivial. IT managers should keep abreast of these loopholes and apply patches where appropriate before new viruses come along to exploit them.

"Companies need to take applying patches against new security threats seriously," said Graham Cluley, senior technology consultant at Sophos Anti-Virus. "If you don't then stopping new worms and viruses is as easy as catching smoke in a butterfly net."

Every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at http://www.microsoft.com/technet/security/bulletin/notify.asp. Other vendors offer similar services.

Further reading: