Hello!

You’re about to visit our web page in English
Would you like to continue?

Yes, I want to visit the web page in English No, I want to visit the web page in

If this is not what you’re looking for,

Visit our Welcome Page!

My Account

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Slammer

 
Threat LevelHigh threat
DamageSevere
DistributionNot widespread

At a glance

Common name:Slammer
Technical name:W32/SQLSlammer
Threat level:Medium
Alias:W32/SQLSlammer.Worm, W32/SQLSLAM-A, W32/SQLSLAMER.Worm, WORM_SQULP1434.A, DDOS_SQLP1434.A, Sapphire, W32.SQLExp.Worm, Worm.SQL.Helkern
Type:Worm
Effects:  

It launches denial of service attacks against computers running the application SQL Server by sending multiple copies of the worm to the port 1434.

Affected platforms:

Windows XP/2000/NT/ME/98/95

First detected on:Jan. 25, 2003
Detection updated on:March 20, 2006
StatisticsNo

Brief Description 

    

Slammer is a worm with the following characteristics:

  • It only attacks servers running the application SQL Server.
  • It carries out its infection by exploiting a buffer overrun vulnerability in SQL servers that do not have Service Pack 3 installed.
  • Its strategy involves sending out multiple 376-bytes files, which contain the worm's code. By doing this, it collapses corporate networks and causes a denial of service (DoS).

Basic advice for protecting your computer against this worm is to download the patch released by Microsoft.

Visible Symptoms 

    

Indications that Slammer has affected a computer are:

  • The traffic through UDP port 1434 (SQL Server Resolution Service Port) increases.
  • The server slows down or even blocks.

Tech details

Effects

Slammer has the following effects:

  • It increases the network traffic through UDP port 1434 (SQL Server Resolution Service Port).
  • It slows down or even blocks the server.
  • It slows down Internet communications.
  • It can cause the e-mail service to fail.
  • It can block the network.

Infection strategy 

Slammer follows the infection routine below:

  • When it reaches the computer it goes memory resident.
  • It loads three Winsock (network management standard) API functions:
    Socket and Sendto (WSW_32.DLL), in order to send itself out.
    GetTickCount (KERNELL32.DLL), to generate random IP addresses in order to try and infect other machines.
  • It sends multiple packets containing the worm's code through port 1434.
  • The worm constantly sends multiple packets, which results in a DoS (denial of service) attack on the port.

Slammer does not create or modify files or entries in the Windows Registry.

Means of transmission 

Slammer is sent to the affected server from another SQL server. Once it gets into the machine, Slammer looks for other machines that act as SQL servers in order to infect them. It does this by exploiting a buffer overrun vulnerability, which exists in servers that do not have Service Pack 3 installed.

Solution

See solution

Anytech logo

Call us 24/7 and get a FREE DIAGNOSIS

+1 (323) 395 2630

logo

Panda Security, a WatchGuard Technologies brand, offers the most advanced protection for your family and business. Its Panda Dome range provides maximum security against viruses, ransomware and computer espionage, and is compatible with Windows, Mac, Android and iOS.

    About Panda
    Company Info Reviews Awards and certifications Panda Worldwide Blog Security Info
    Home Users
    Panda Dome portfolio Customer Login Page Online Antivirus Downloads Free Antivirus Free VPN Offers
    Business - WatchGuard Technologies
    WatchGuard Endpoint Security Network Security Authpoint MFA Secure Wi-Fi Partners
    Visa Master Card Maestro Pay Pal Apple Pay
    Bank Transfer iDeal Klarna
    Privacy Policy Legal Notice Cookie Policy Return Policy