Worm.SQL.Helkern (aka SQLSlammer)

25 Jan 2003
Virus News

This is extremely small (just 376 bytes) Internet worm that affects Microsoft SQL Server 2000.
To get into victim machine the worm uses buffer overrun vulnerability (see below).

When the worm code gets into vulnerable SQL server it gets control (by using buffer overrun
trick), then gets three Win32 API functions:

 GetTickCount    (KERNEL32.DLL)
 socket, sendto  (WS2_32.DLL)

The worm then gets random counter by using GetTickCount function and gets into endless
spreading loop. In the spreading loop the worm sends itself to random IP addresses (depending
on the random counter), to MS SQL ports 1434.

The worm sends multicast packets, meaning with only one "send" command hits all the 255
machines in a subnet. As a result this worm is spreading 255 times faster than any other worm
known at the moment.

Because the MS SQL servers are often used on Web this worm may cause global INet DoS attack, because all infected servers will try to connect to other random selected machines in endless loop - and that will cause global INet traffic overflow.

The worm is memory only, and it spreads from infected machine memory to another (victim)
machine memory. The worm does not drop any additional files, and does not manifest itself in
any way.

There are text strings visible in worm code (which are are mix of worm code and data) :

 h.dllhel32hkernQhounthickChGet
 Qh32.dhws2_f
 etQhsockf
 toQhsend


Buffer Overflow
This buffer overrun exploit has following name:

  Unauthenticated Remote Compromise in MS SQL Server 2000

The affected systems are:

 Microsoft SQL Server 2000, all Service Packs

This security breach was found on July 2002 and later fixed in "MS SQL Server 2000" patches.

You may read more about that in:

Microsoft Security Bulletin MS02-039: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

 NGSSoftware Insight Security Research Advisory: http://www.nextgenss.com/advisories/mssql-udp.txt

The patch for MS SQL Server 2000 is available at: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602