
Worm.SQL.Helkern (aka SQLSlammer)

25 January 2003

This is an extremely small (just 376 bytes) Internet worm that affects Microsoft SQL Server 2000.
To get into the victim machine the worm uses a buffer overrun vulnerability (see below).

When the worm code reaches a vulnerable SQL server it gains control (through the buffer overrun),
then locates three Win32 API functions:

 GetTickCount    (KERNEL32.DLL)
 socket, sendto  (WS2_32.DLL)

The worm then seeds a random counter from GetTickCount and enters an endless spreading loop.
In the spreading loop the worm sends itself to random IP addresses (generated from that
counter), to MS SQL port 1434 (UDP).

The whole worm fits into a single UDP datagram, so each iteration of the loop is one "sendto"
call with no connection setup, handshake or reply to wait for; an infected host emits packets
as fast as its network link allows. As a result this worm spreads far faster than any other
worm known at the moment.

Because MS SQL servers are often exposed to the Internet, this worm may cause a global Internet DoS: every infected server keeps sending to other randomly selected machines in an endless loop, and the combined traffic can saturate network links.

The worm is memory-only: it spreads from the memory of an infected machine directly into the
memory of the victim machine. It does not drop any additional files and does not manifest
itself in any other way.

There are text strings visible in the worm code (which is a mix of worm code and data):

 h.dllhel32hkernQhounthickChGet
 Qh32.dhws2_f
 etQhsockf
 toQhsend
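Because the worm never touches the disk, the indicators above are what a network sensor has to key on: a single 376-byte datagram to UDP port 1434 (the SQL Server Resolution Service), the request type byte 0x04 followed by a long run of 0x01 padding, and the import-by-hand strings listed above. The following classifier is an added example and is not code from the original description or from Kaspersky. The port, size and string indicators come from the text; the 0x01-padding check, the 64-byte "sane request" threshold and all sample datagrams are assumptions constructed for illustration, and none of the samples is the real worm body.

```python
"""Classify UDP/1434 datagrams for Slammer-style traffic.

Added example, not code from the original write-up. It turns the
indicators given in the text (376-byte payload, Resolution Service
request type 0x04 with 0x01 padding, the visible worm strings) into a
small network-side classifier and runs it over constructed samples.
"""
from dataclasses import dataclass, field

SSRS_PORT = 1434           # SQL Server Resolution Service (UDP)
SLAMMER_LEN = 376          # UDP payload length given in the write-up
SSRS_REQ_TYPE = 0x04       # request type whose name field overflows
MAX_SANE_REQ = 64          # legitimate 0x04 requests carry a short instance
                           # name; the threshold is an assumption, tune locally

# Fragments of the strings listed above: pieces of the "push" sequences the
# worm uses to build "kernel32.dll", "ws2_32.dll", "GetTickCount", "socket"
# and "sendto" on the stack before resolving them.
MARKERS = (b"h.dllhel32hkern", b"hws2_f", b"etQhsockf", b"toQhsend")


@dataclass
class Verdict:
    label: str                 # "ignore", "benign", "overflow_attempt", "slammer"
    reasons: list = field(default_factory=list)


def classify(dst_port: int, payload: bytes) -> Verdict:
    """Return a verdict for one UDP datagram (destination port + payload)."""
    if dst_port != SSRS_PORT or not payload:
        return Verdict("ignore", ["not a non-empty datagram to UDP/1434"])
    req_type = payload[0]
    if req_type != SSRS_REQ_TYPE:
        # Other Resolution Service requests (e.g. 0x02 enumerate) are not
        # the overflow path; nothing more to check here.
        return Verdict("benign", [f"SSRS request type 0x{req_type:02x}"])

    reasons = []
    hits = [m.decode("ascii") for m in MARKERS if m in payload]
    if hits:
        reasons.append("worm strings present: " + ", ".join(hits))
    if len(payload) == SLAMMER_LEN and payload.startswith(b"\x04" + b"\x01" * 32):
        reasons.append("376-byte payload with the 0x04/0x01 padding prefix")
    if len(payload) > MAX_SANE_REQ:
        reasons.append(f"oversized type-0x04 request: {len(payload)} bytes")

    if len(hits) >= 2:
        return Verdict("slammer", reasons)
    if reasons:
        # Long 0x04 request without the worm strings: another exploit for
        # the same overflow, or a variant whose strings were altered.
        return Verdict("overflow_attempt", reasons)
    return Verdict("benign", [f"type-0x04 request, {len(payload)} bytes"])


def constructed_slammer_like() -> bytes:
    """Synthetic datagram with the worm's shape and strings (not the worm)."""
    body = b"\x04" + b"\x01" * 96 + b"".join(MARKERS)
    return body + b"\x90" * (SLAMMER_LEN - len(body))   # filler, not code


def scan(datagrams):
    """Classify (dst_port, payload) pairs and return {label: count}."""
    counts = {}
    for port, payload in datagrams:
        v = classify(port, payload)
        counts[v.label] = counts.get(v.label, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed samples: none of these is captured traffic.
    samples = [
        (1434, b"\x02"),                     # SSRS enumerate request (benign)
        (1434, b"\x04MSSQLSERVER"),          # legitimate instance lookup
        (1434, b"\x04" + b"A" * 300),        # generic overflow attempt
        (1434, constructed_slammer_like()),  # worm-shaped datagram
        (53, constructed_slammer_like()),    # wrong port: ignored
    ]
    for port, payload in samples:
        v = classify(port, payload)
        print(f"udp/{port:<5} {len(payload):>4} bytes -> {v.label:17} {v.reasons}")
    print(scan(samples))
```

The verdict is deliberately split in two: a type-0x04 request that is merely oversized is reported as an overflow attempt even when the worm's strings are absent, because the same hole can be hit by other payloads, and an operator who only matches the strings will miss them.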


Buffer Overflow
The buffer overrun vulnerability the worm exploits was published under the name:

  Unauthenticated Remote Compromise in MS SQL Server 2000

The affected systems are:

 Microsoft SQL Server 2000, all Service Packs (and MSDE 2000, which embeds the same engine)

This vulnerability was disclosed in July 2002 and fixed in Microsoft's patches for MS SQL Server 2000 (see MS02-039 below); the worm appeared six months later and can only infect servers that have not been patched.

You may read more about that in:

Microsoft Security Bulletin MS02-039: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

 NGSSoftware Insight Security Research Advisory: http://www.nextgenss.com/advisories/mssql-udp.txt

The patch for MS SQL Server 2000 is available at: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602
