Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Slammer
At a glance
Common name: Slammer
Technical name: W32/SQLSlammer
Threat level: Medium
Alias: W32/SQLSlammer.Worm, W32/SQLSLAM-A, W32/SQLSLAMER.Worm, WORM_SQULP1434.A, DDOS_SQLP1434.A, Sapphire, W32.SQLExp.Worm, Worm.SQL.Helkern
Type: Worm
Effects: It launches denial of service attacks against computers running the application SQL Server by sending multiple copies of the worm to port 1434.
Affected platforms: Windows XP/2000/NT/ME/98/95
First detected on: Jan. 25, 2003
Detection updated on: March 20, 2006
Statistics: No
Brief Description
Slammer is a worm with the following characteristics:
- It only attacks servers running the application SQL Server.
- It carries out its infection by exploiting a buffer overrun vulnerability in SQL servers that do not have Service Pack 3 installed.
- Its strategy involves sending out multiple 376-byte files, which contain the worm's code. By doing this, it collapses corporate networks and causes a denial of service (DoS).
Basic advice for protecting your computer against this worm is to download the patch released by Microsoft.
Visible Symptoms
Indications that Slammer has affected a computer are:
- The traffic through UDP port 1434 (SQL Server Resolution Service Port) increases.
- The server slows down or even blocks.
Tech details
Effects
Slammer has the following effects:
- It increases the network traffic through UDP port 1434 (SQL Server Resolution Service Port).
- It slows down or even blocks the server.
- It slows down Internet communications.
- It can cause the e-mail service to fail.
- It can block the network.
Infection strategy
Slammer follows the infection routine below:
Slammer does not create or modify files or entries in the Windows Registry.
Means of transmission
Slammer is sent to the affected server from another SQL server. Once it gets into the machine, Slammer looks for other machines that act as SQL servers in order to infect them. It does this by exploiting a buffer overrun vulnerability, which exists in servers that do not have Service Pack 3 installed.
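The symptom described above (a surge of traffic to UDP port 1434 carrying the 376-byte worm) can be checked for in flow records. The following is an added example, not part of the original entry: the record layout, the thresholds, the function names and the sample data are assumptions, and the 376 bytes are taken to be the UDP payload length.

```python
from collections import defaultdict

SSRP_PORT = 1434        # SQL Server Resolution Service port named in the entry
WORM_PAYLOAD_LEN = 376  # worm size given in the entry (assumed: UDP payload bytes)

def slammer_like_sources(flows, window_s=5, min_targets=20):
    """Flag hosts sending 376-byte UDP/1434 datagrams to at least min_targets
    distinct destinations within window_s seconds (thresholds are assumptions).
    flows: (ts_seconds, src, dst, proto, dport, payload_len) tuples."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, plen in flows:
        if proto == "udp" and dport == SSRP_PORT and plen == WORM_PAYLOAD_LEN:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, peak, counts = 0, 0, defaultdict(int)
        for ts, dst in events:
            counts[dst] += 1
            # Drop events older than window_s from the front of the window.
            while ts - events[start][0] > window_s:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= min_targets:
            flagged[src] = peak  # most distinct targets seen in one window
    return flagged

def constructed_flows():
    """Constructed sample records (documentation address ranges), not a capture."""
    flows = []
    # Host sweeping 40 addresses with 376-byte datagrams in about 2 seconds.
    for i in range(40):
        flows.append((100 + i * 0.05, "192.0.2.10", f"198.51.100.{i + 1}", "udp", 1434, 376))
    # Client repeatedly sending a small request to a single server.
    for i in range(40):
        flows.append((100 + i, "192.0.2.20", "192.0.2.5", "udp", 1434, 1))
    # Host sending 376-byte datagrams slowly: 10 targets over 90 seconds.
    for i in range(10):
        flows.append((100 + i * 10, "192.0.2.30", f"203.0.113.{i + 1}", "udp", 1434, 376))
    return flows

if __name__ == "__main__":
    for src, peak in slammer_like_sources(constructed_flows()).items():
        print(f"{src}: 376-byte UDP/1434 datagrams to {peak} hosts within 5 s")
```

Tune `window_s` and `min_targets` to the environment; on networks where no host should reach SQL Server over UDP 1434 from outside, any match at the perimeter is worth reviewing.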