Microsoft Knowledge Base Article
This article's content is Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Article ID: 813440 - Last Review: February 21, 2007 - Revision: 9.6
A denial of service security issue about the W32.Slammer worm
The Microsoft PSS Security Response Team has issued an alert
to inform customers about the W32.Slammer worm. The W32.Slammer worm is an
Internet worm that targets SQL Server 2000 and SQL Server Desktop Engine (also
known as MSDE 2000) systems. This attack results in a high volume of network
traffic on both the Internet and private internal networks.
Note that:
- The W32.Slammer worm does not target operating systems.
- This alert is primarily focused on business
customers.
Risk
You are potentially at risk if:
- You use one of the products listed in the "Applies to"
section of this article.
-and-
- You have not applied any of the following patches:
Microsoft Security Bulletin MS02-039
(http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx)
Microsoft Security Bulletin MS02-061
(http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx)
The MS02-061 cumulative security patch includes the patch referenced by MS02-039.
This patch has been re-released to include functionality that previously was
only available in the Q317748.exe download file:
317748 (http://kbalertz.com/Feedback.aspx?kbNumber=317748/)
FIX: Handle leak occurs in SQL Server when service or application repeatedly connects and disconnects with shared memory network library
Latest SQL Server 2000 Service Pack
290211 (http://kbalertz.com/Feedback.aspx?kbNumber=290211/)
How to obtain the latest SQL Server 2000 service pack
Microsoft SQL Server 2000 Service Pack 3 (SP3) includes the patches referenced
in the MS02-039 and MS02-061 security bulletins.
Prevention
To help protect against this worm, Microsoft recommends the
following:
If you are running Microsoft SQL Server 2000 Evaluation
Edition, RTM and Service Pack 1 (SP1) or MSDE 2000 RTM and Service Pack 1
(SP1):
- Use the SQL Server Security tools to help secure your
computer. For more information, visit the following Microsoft Web site:
Tools for Combating the Slammer Worm
(http://www.microsoft.com/sql/downloads/default.mspx)
-or-
- Update your version of SQL Server to the latest service pack.
For more information, click the following
article number to view the article in the Microsoft Knowledge Base:
290211 (http://kbalertz.com/Feedback.aspx?kbNumber=290211/)
How to obtain the latest SQL Server 2000 service pack
If you are running SQL Server 2000 Service Pack 2
(SP2) or MSDE 2000 Service Pack 2 (SP2):
- Use the SQL Server Security tools to help secure your
computer. For more information, visit the following Microsoft Web site:
Tools for Combating the Slammer Worm
(http://www.microsoft.com/downloads/details.aspx?familyid=9552D43B-04EB-4AF9-9E24-6CDE4D933600)
-or-
- Update your version of SQL Server to the latest service pack.
For more information, click the following
article number to view the article in the Microsoft Knowledge Base:
290211 (http://kbalertz.com/Feedback.aspx?kbNumber=290211/)
How to obtain the latest SQL Server 2000 service pack
-or-
- Install the latest cumulative security patch, Microsoft
Security Bulletin MS02-061. For more information, visit the following Microsoft
Web site:
Microsoft Security Bulletin MS02-061
(http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx)
Recovery
If your computer is infected by the W32.Slammer worm, which is a
denial of service attack, Microsoft recommends that you use the following
methods to remove the worm:
- Automated removal
Use the SQL Server Security tools to remove the W32.Slammer worm from your
computer. These tools can patch infected systems and also help to prevent
future infection. For more information, visit the following Microsoft Web site:
Tools for Combating the Slammer Worm
(http://www.microsoft.com/downloads/details.aspx?familyid=9552D43B-04EB-4AF9-9E24-6CDE4D933600)
- Manual removal
To manually remove the worm, follow these steps:
1. Set the SQL Server Service to Manual.
2. Restart the infected computer.
3. Follow the instructions in the "Prevention" section of
this article about how to patch your computer, depending on the version of SQL
Server or MSDE you are running.
4. Set the SQL Server Service to Automatic.
For the most current information about this alert, visit the
following Microsoft Web site:
For more information about a patch for Microsoft Application Center 2000, click the
following article number to view the article in the Microsoft Knowledge Base:
813115 (http://kbalertz.com/Feedback.aspx?kbNumber=813115/)
FIX: W32.Slammer worm exploits MSDE 2000 vulnerability in Application Center 2000
For more information about computer viruses, click the following article number to
view the article in the Microsoft Knowledge Base:
129972 (http://kbalertz.com/Feedback.aspx?kbNumber=129972/)
Computer viruses: description, prevention, and recovery
Related Security Information
For additional security-related information about
Microsoft products, visit the following Microsoft Web site:
For additional information about viruses, visit the following
third-party Web sites:
Microsoft provides third-party contact information to help you
find technical support. This contact information may change without notice.
Microsoft does not guarantee the accuracy of this third-party contact
information.
APPLIES TO
- Microsoft SQL Server 2000 Standard Edition
- Microsoft SQL Server 2000 Service Pack 1
- Microsoft SQL Server 2000 Service Pack 2
- Microsoft SQL Server 2000 Desktop Engine (Windows)
- Microsoft SQL Server 2000 Desktop Engine (MSDE) SP1
- Microsoft SQL Server 2000 Desktop Engine (MSDE) SP2