Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat Level: High threat
Distribution: Not widespread
Common name: Slammer
Technical name: W32/SQLSlammer
Threat level: Medium
Alias: W32/SQLSlammer.Worm, W32/SQLSLAM-A, W32/SQLSLAMER.Worm, WORM_SQULP1434.A, DDOS_SQLP1434.A, Sapphire, W32.SQLExp.Worm, Worm.SQL.Helkern

It launches denial of service attacks against computers running SQL Server by sending multiple copies of the worm to port 1434.

Affected platforms:

Windows XP/2000/NT/ME/98/95

First detected on: Jan. 25, 2003
Detection updated on: March 20, 2006

Brief Description 


Slammer is a worm with the following characteristics:

  • It only attacks servers running the application SQL Server.
  • It carries out its infection by exploiting a buffer overrun vulnerability in SQL servers that do not have Service Pack 3 installed.
  • Its strategy involves sending out multiple 376-byte files, which contain the worm's code. By doing this, it collapses corporate networks and causes a denial of service (DoS).

Basic advice for protecting your computer against this worm is to download the patch released by Microsoft.

Visible Symptoms 


Indications that Slammer has affected a computer are:

  • The traffic through UDP port 1434 (SQL Server Resolution Service Port) increases.
  • The server slows down or even hangs.
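
A check for the first symptom, as an added example that is not part of the original entry: it scans flow records for hosts sending bursts of 376-byte UDP datagrams to port 1434 across many destinations. The record layout, the sample lines and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434  # UDP port named in the entry
WORM_SIZE = 376             # bytes, size given in the entry
MIN_PACKETS = 5             # assumed threshold, tune per network
MIN_TARGETS = 4             # assumed threshold, tune per network

# Constructed sample: "epoch_seconds src dst proto dst_port payload_bytes"
SAMPLE_FLOWS = """\
1000 10.0.0.5 192.0.2.10 udp 1434 376
1000 10.0.0.5 198.51.100.23 udp 1434 376
1001 10.0.0.5 203.0.113.77 udp 1434 376
1001 10.0.0.9 10.0.0.20 udp 1434 1
1002 10.0.0.5 192.0.2.200 udp 1434 376
1003 10.0.0.5 198.51.100.4 udp 1434 376
1004 10.0.0.7 10.0.0.20 udp 1434 376
1005 10.0.0.5 203.0.113.9 udp 1434 376
1006 10.0.0.9 10.0.0.20 tcp 1433 512
"""

def parse_flows(text):
    """Yield (ts, src, dst, proto, port, size) from whitespace-separated records."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        ts, src, dst, proto, port, size = fields
        yield int(ts), src, dst, proto.lower(), int(port), int(size)

def suspect_sources(flows, window=10, min_packets=MIN_PACKETS, min_targets=MIN_TARGETS):
    """Return {src: (packets, distinct_targets)} for the busiest matching window."""
    buckets = defaultdict(lambda: [0, set()])
    for ts, src, dst, proto, port, size in flows:
        # Match only worm-sized datagrams to the SQL Server Resolution Service.
        if proto == "udp" and port == SQL_RESOLUTION_PORT and size == WORM_SIZE:
            bucket = buckets[(src, ts // window)]
            bucket[0] += 1
            bucket[1].add(dst)
    hits = {}
    for (src, _), (count, targets) in buckets.items():
        if count >= min_packets and len(targets) >= min_targets:
            hits[src] = max(hits.get(src, (0, 0)), (count, len(targets)))
    return hits

if __name__ == "__main__":
    for src, (count, targets) in suspect_sources(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {count} datagrams to {targets} hosts on UDP/{SQL_RESOLUTION_PORT}")
```

Requiring several distinct destinations keeps a single client that queries one SQL Server on port 1434 from being flagged.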