W32SQL info

W32.SQLExp.Worm

Discovered on: January 24, 2003

Last Updated on: January 25, 2003 07:48:31 AM

W32.SQLExp.Worm is a worm that targets servers running Microsoft SQL Server.
The worm sends 376 bytes to 1434/udp, the SQL Server Resolution Service port.
Beginning at 5:31am GMT, we started to see a significant increase in the number of unique source IPs scanning for 1434/udp. Symantec Security Response highly recommends that all MS-SQL server system administrators audit their machines for known security vulnerabilities immediately.

Symantec Security Response also recommends configuring perimeter devices to block 1434/udp traffic from untrusted hosts.

Symantec Security Response is currently developing a removal tool for W32.SQLExp.Worm. Because the worm is resident only in memory and is never written to disk, this threat is not detectable using virus definitions. Customers are recommended to follow the measures described above in order to deal with this threat.

The worm has the unintended payload of performing a Denial of Service due to the large number of packets it sends out.

Also Known As: SQL Slammer Worm [ISS], DDOS.SQLP1434.A [Trend], W32/SQLSlammer [McAfee]

Type: Worm

Infection Length: 376 bytes

Systems Affected: Windows NT, Windows 2000, Windows XP

Systems Not Affected: Windows 3.x, Windows 95, Windows 98, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX, Linux

CVE References: CAN-2002-0649

Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Easy

Threat Metrics
Wild: High
Damage: Low
Distribution: Medium

Damage
Payload: Degrades performance: May affect network availability

Distribution
Ports: 1434/udp

When W32.SQLExp.Worm compromises a machine, it does the following:

Uses the Windows API function GetTickCount to generate a random IP address to which to send the malicious packet.

Repeatedly sends itself to each IP address generated, on UDP port 1434, from an ephemeral source port.

W32.SQLExp will continuously send packets to different IP addresses, effectively performing a Denial of Service.

For more information about the vulnerability that this worm exploits, please see the following article:

http://securityresponse.symantec.com/avcenter/security/Content/2270.html

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

To remove this worm, you must first apply the following patch from Microsoft:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602
The machine must be restarted after applying the patch.

ManHunt Users: Symantec recommends that ManHunt users activate the HYBRID MODE function and apply the following custom rule:

*******************start file********************
#
# Variables need to be set depending on the user's network. Below is an example of how to set
# a variable. For more information see ManHunt Administrative Guide: Appendix A.
#
#var EXTERNAL_NET 192.168.1.0/24
#
var EXTERNAL_NET any
var HOME_NET any
#
# Matches datagrams to 1434/udp whose first byte is 0x04 (offset 0, depth 1) and that
# carry the hex content below, which decodes to the string "h.dllhel32hkern".
#
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm propagation";content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; content:"|04|"; offset:0;depth:1;)
*************EOF*********************

For more information on how to create custom signatures, you can refer to ManHunt Administrative Guide: Appendix A, Custom Signatures for HYBRID Mode.
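The following is an added example, not part of the Symantec advisory or the ManHunt product: a small matcher that applies the same three conditions as the custom rule above (destination 1434/udp, first payload byte 0x04, and the content string) to constructed UDP datagrams, including a legitimate SQL Server Resolution Service instance lookup that shares the 0x04 opcode but not the content. The datagram class, sample addresses and payloads are assumptions made for illustration.

```python
from dataclasses import dataclass

SQL_RESOLUTION_PORT = 1434   # SQL Server Resolution Service, 1434/udp
SSRS_OPCODE = 0x04           # rule: content:"|04|"; offset:0; depth:1
# rule: content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|" -> b"h.dllhel32hkern"
WORM_CONTENT = bytes.fromhex("682E646C6C68656C3332686B65726E")


@dataclass
class UdpDatagram:
    """Hypothetical minimal view of a captured UDP datagram."""
    src: str
    dst: str
    dport: int
    payload: bytes


def matches_sqlexp_rule(dgram: UdpDatagram) -> bool:
    """Apply the ManHunt rule: 1434/udp, opcode 0x04 at offset 0, worm content anywhere."""
    if dgram.dport != SQL_RESOLUTION_PORT:
        return False
    p = dgram.payload
    if len(p) < 1 or p[0] != SSRS_OPCODE:
        return False
    return WORM_CONTENT in p


def scan_datagrams(dgrams):
    """Return (src, dst) pairs for every datagram the rule would alert on, in order."""
    return [(d.src, d.dst) for d in dgrams if matches_sqlexp_rule(d)]


def build_samples():
    # Constructed test vectors (not real captures). The first carries only the two
    # features the rule keys on; the second is a normal SSRS instance lookup
    # (opcode 0x04 followed by an instance name); the third is the first sent to
    # the wrong port, so the rule must not fire.
    rule_hit = bytes([SSRS_OPCODE]) + b"\x01" * 8 + WORM_CONTENT
    benign_lookup = bytes([SSRS_OPCODE]) + b"MSSQLSERVER\x00"
    return [
        UdpDatagram("198.51.100.7", "192.0.2.10", 1434, rule_hit),
        UdpDatagram("192.0.2.5", "192.0.2.10", 1434, benign_lookup),
        UdpDatagram("198.51.100.7", "192.0.2.11", 53, rule_hit),
    ]


if __name__ == "__main__":
    for src, dst in scan_datagrams(build_samples()):
        print(f"W32.SQLEXP.Worm propagation: {src} -> {dst}")
```

The benign lookup shows why the rule requires the content string in addition to the 0x04 opcode: that opcode is also the first byte of ordinary instance-name requests to the Resolution Service.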

Additional information:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0649

http://www.cert.org/advisories/CA-2002-22.html

http://online.securityfocus.com/bid/5310

http://online.securityfocus.com/bid/5311

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-039.asp

Copyright © 2000 Tactical Link Systems
Last modified: October 14, 2007