Home Forums Article Discussions Article Discussions by Author Discuss Content Posted by Brian Knight Another SQL Server Virus Hits the Internet RE: Another SQL Server Virus Hits the Internet

  • January 28, 2003 at 9:04 pm

    #447429

    2) at http://www.microsoft.com/sql/downloads/2000/sp3.asp I find it kind of confusing as to what exactly is the sp3 download. if you click the link to direct to next page for download there are 3 files at the bottom

    "Below are links to the separate files available for this download."

    sql2kasp3.exe

    SQL2KDeskSP3.exe

    sql2ksp3.exe

    there is no description for these files. which one exactly should you download?

    sql2kasp3.exe - Analysis Services. Not important for Slammer.

    SQL2KDeskSP3.exe - MSDE. If you have MSDE, very important, as MSDE is vulnerable.

    SQL2KSP3.exe - Core SQL Server. Important for Slammer.

    3) if you go to the slammer link at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp it offers you instructions for "recovery" for those already affected.

    step 1 is "Set the SQL Server Service to Manual." - can you humor a knucklehead and clarify this? Where can I find this and how do I change it to manual?

    If you are on a Win2K Server (Advanced Server, etc.), go to Start | Programs | Administrative Tools | Services. Find MSSQLServer and any that start with MSSQL$. Double click, change start-up to manual.

    The worm is in memory only. It doesn't write or change anything permanently. The reason you set it to manual is upon startup you don't get reinfected immediately. It gives you a chance to apply the patch.

    4) What would be interesting would be a subjective description of the virus -

    is it a query, script file etc?

    It is a buffer overflow attack. Specifically, some mean person has crafted a network packet to hit UDP port 1434. It exploits a known SQL 2K vulnerability. The vulnerability allowed the packet to overwrite a portion of active memory. That portion gets overwritten with the worm, who's sole purpose to propogate itself as quickly as possible. It picks out IP addresses psudeo-randomly and fires off the UDP packet. Since UDP is connectionless, it's really a fire and forget, meaning a single worm can generate a ton of traffic and infect unpatched systems extremely fast.

    Is there a way to examine your SQL Server to see if you are infected?

    If you are infected, you have no bandwidth. It brought down trunks at BellSouth. Internet availability and reachability dropped from greater than 99.99% to 85%.

    What was the means of infection? It seems having a sql server without sp3 exposed to the internet might be enough.

    A UDP packet destined for port 1434 (SQL Server Listener). SP3 and systems with SP 2 and MS02-039 or MS02-061 are patched. There is a proviso with the SP 2 patches... apparently one of the patches after July undid the MS02-039 patch for the vulnerability (wrong files in the patch). That's why some MS02-061 or MS02-039 systems were infected.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    Edited by - bkelley on 01/28/2003 10:39:41 PM

    K. Brian Kelley
    @kbriankelley