The SQLSlammer worm hits the net

Sunday, January 26 2003 @ 13:07 CET

Contributed by: twa

This weekend, the internet infrastructure in some parts of the world received a beating from a worm called SQLSlammer (also known as Sapphire or SQLExp.Worm). The worm attempts to use a known buffer overrun flaw in MS SQL Server 2000 by connecting to port 1434/UDP. The SQL Server security hole was published in MS Security Bulletin MS02-039 in July 2002.

According to several news sources, routers and servers bowed to the pressure of the Code Red-like flooding of the lines, taking down large chunks of ISP infrastructure in, among other places, South Korea.

I don't know if it's connected in any way, but name resolution for domains on US DNS servers was extremely slow Saturday. Right now it appears to be normal.

The worm is described by Norman, Symantec and Microsoft. Symantec has also made a worm removal tool available free of charge.

A Payload Analysis is also available on