Sophos experts are advising companies to ensure their systems
are up to date with the latest security patches in response to a
new internet worm that affects vulnerable SQL servers and computers
running MSDE 2000.

The worm, called W32/SQLSlam-A (also known as SQLSlammer,
W32.SQLExp.Worm or Sapphire), relies upon a security vulnerability
in some versions of Microsoft SQL Server, and creates traffic on
UDP port 1434. Unlike many commonly encountered viruses, it does not
spread via email.
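
Because the worm shows up as traffic on UDP port 1434, a firewall log can be screened for hosts that send UDP/1434 packets to many distinct destinations. The following is an added example, not part of the original advisory or any Sophos tool; the log format, the fan-out threshold and all addresses are constructed assumptions.

```python
import re
from collections import defaultdict

WORM_UDP_PORT = 1434     # UDP port named in the advisory
FANOUT_THRESHOLD = 3     # assumed: distinct destinations before a host is flagged

# Constructed sample lines in a hypothetical log format:
#   <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
05:30:01 UDP 10.0.4.17:3012 -> 198.51.100.7:1434
05:30:01 UDP 10.0.4.17:3012 -> 203.0.113.9:1434
05:30:01 UDP 10.0.4.17:3012 -> 192.0.2.44:1434
05:30:02 UDP 10.0.4.17:3012 -> 198.51.100.200:1434
05:30:02 UDP 10.0.4.20:4100 -> 10.0.9.5:1434
05:30:03 UDP 10.0.4.20:4101 -> 10.0.9.5:1434
05:30:03 TCP 10.0.4.21:4200 -> 10.0.9.5:1433
05:30:04 UDP 10.0.4.22:4300 -> 192.0.2.1:53
this line is malformed on purpose
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def udp1434_fanout(log_text):
    """Map each source IP to the set of distinct hosts it sent UDP/1434 to."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of failing
        if m["proto"].upper() == "UDP" and int(m["dport"]) == WORM_UDP_PORT:
            targets[m["src"]].add(m["dst"])
    return dict(targets)

def suspect_hosts(log_text, threshold=FANOUT_THRESHOLD):
    """Return sources that reached the fan-out threshold, sorted."""
    fanout = udp1434_fanout(log_text)
    return sorted(src for src, dsts in fanout.items() if len(dsts) >= threshold)

if __name__ == "__main__":
    for host in suspect_hosts(SAMPLE_LOG):
        print(f"{host}: reboot, then check MS02-039 / SQL Server SP3 patch level")
```

A single client talking repeatedly to one SQL server (10.0.4.20 in the sample) stays below the threshold, while a host spraying many addresses is listed for follow-up.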

W32/SQLSlam-A infects Windows 2000 computers running vulnerable
versions of Microsoft SQL Server or MSDE 2000. Applications which
embed versions of these products may also be at risk.

Microsoft has issued a list of its applications that may be

Microsoft has published a patch to deal with the security
vulnerability of SQL servers first detailed in Security Bulletin
MS02-039. The patch is
included in Microsoft SQL Server Service Pack 3. Microsoft has
since published updated information on the threat.

As the worm does not infect any files, an affected server can be
cleaned just by rebooting. However, the patch needs to be put in
place to avoid reinfection.

Astonishingly, this patch first dates from July 2002 - and yet
many system administrators may still not have put it in place.

Loopholes are found in products on a weekly basis, some
significant, some trivial. IT managers should keep abreast of these
loopholes and apply patches where appropriate before new viruses
come along to exploit them.

"Companies need to take applying patches against new security
threats seriously," said Graham Cluley, senior technology
consultant at Sophos Anti-Virus. "If you don't then stopping new
worms and viruses is as easy as catching smoke in a butterfly

Every IT manager responsible for security should consider
subscribing to vulnerability mailing lists such as that operated by
Microsoft at http://www.microsoft.com/technet/security/bulletin/notify.asp.
Other vendors offer similar services.