Microsoft notice on W32.Slammer

From: Shawn Aebi [MS] (shawna@microsoft.com)
Date: 01/26/03


From: "Shawn Aebi [MS]" <shawna@microsoft.com>
Date: Sat, 25 Jan 2003 22:26:54 -0800


can be found at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp

PSS Security Response Team Alert - New Worm: W32.Slammer
      SEVERITY: CRITICAL

      DATE: 1/25/2003

      PRODUCTS AFFECTED: SQL Server 2000 RTM, SQL Server 2000 SP1, SQL
Server 2000 SP2, and Microsoft SQL Desktop Engine Version (MSDE) 2000

      **********************************************************************

      WHAT IS IT?

      The PSS Security Response Team is issuing this alert to inform
customers about the W32.Slammer worm, which is currently spreading in the
wild. You are not at risk unless you are running one of the above listed
products. Customers are advised to review the information and take the
appropriate action for their environments.

      This alert is aimed primarily at business customers.

      IMPACT OF ATTACK:

      Denial of Service

      TECHNICAL DETAILS:

      W32.Slammer is a memory-resident worm that propagates via UDP port
1434, exploiting a vulnerability that was patched in Microsoft Security
Bulletin MS02-039. This bulletin was first available on July 24, 2002.

      This worm is designed to propagate, but does not appear to contain any
additional payload.

      Please contact your Antivirus Vendor for additional details on this
worm.

      PREVENTION:

      1) This worm utilizes a previously-announced vulnerability as part of
its infection method. The vulnerability used by the worm to infect machines
is:

      http://www.microsoft.com/technet/security/bulletin/MS02-039.asp

      Microsoft, however, recommends that customers install the most recent
cumulative security patch for Microsoft SQL Server 2000 which is Microsoft
Security Bulletin MS02-061 (which will also patch MSDE 2000), and which
includes the fixes for the vulnerabilities that were announced in Microsoft
Security Bulletin MS02-039. MS02-061 can be found here:

      http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

      This patch is also included in Microsoft SQL Server 2000 Service Pack
3.

      Due to support issues with certain configurations customers should
install Microsoft Security Bulletin MS02-061 using the following
instructions:

      A) If you are running Windows NT 4.0 Server Service Pack 6a, install
the patch referenced in Microsoft Knowledgebase Q258437. The Microsoft
Knowledge Base can be found at http://support.microsoft.com.

      B) Install the patch included in Microsoft Knowledgebase Q317748. The
Microsoft Knowledge Base can be found at http://support.microsoft.com. If
MS02-061 is already installed, you should still install this patch; however,
click "No" at the prompt to overwrite files.

      C) Install the security patch associated with Microsoft Security
Bulletin MS02-061

      2) If you cannot apply this patch immediately, the following options
can limit propagation:

      A) Block UDP port 1434 inbound and outbound traffic at your firewalls.

      B) You may also block UDP port 1434 inbound traffic on your Microsoft
SQL 2000 Servers. Performing this instruction may result in support issues
as this port performs name resolution.

      Installation of these patches will prevent infection by the
W32.Slammer Worm.

      Microsoft is working on a method to allow customers to detect MSDE in
their environment and will update this alert with that information once it
is provided.

      RECOVERY:

      Instructions for Removal of W32.Slammer from infected Microsoft SQL
Server 2000 Servers or Microsoft SQL Desktop Edition (MSDE 2000)

      1. Stop the SQL Server Service

      2. If you are running Windows NT 4.0 Server Service Pack 6a install
the patch referenced in Microsoft Knowledgebase Q258437. The Microsoft
Knowledge Base can be found at http://support.microsoft.com (this patch is
being recommended due to support issues related to Microsoft Security
Bulletin MS02-061 listed below).

      3. Install the patch included in Microsoft Knowledgebase Q317748. The
Microsoft Knowledge Base can be found at http://support.microsoft.com (this
patch is being recommended due to support issues related to Microsoft
Security Bulletin MS02-061 listed below). If MS02-061 is already installed,
you should still install this patch; however, click "No" at the prompt to
overwrite files.

      4. Install the patch from Microsoft Security Bulletin MS02-061, which
includes Microsoft Security Bulletin MS02-039. This patch is also included
in SQL Server 2000 SP3.

      5. Restart the SQL Server Service.

      If you need further assistance regarding this worm, please contact
Microsoft Product Support Services, or your preferred antivirus vendor.

      RELATED KB'S:

      http://support.microsoft.com?kbid=813440

      An article will be made available within 24 hours.

      RELATED MICROSOFT SECURITY BULLETINS:

      The most recent cumulative security patch for Microsoft SQL Server
2000, which includes the fixes for the vulnerabilities that were announced
in Microsoft Security Bulletin MS02-039 can be found here:

      http://www.microsoft.com/technet/security/bulletin/MS02-061.asp

      You may also install Microsoft SQL Server 2000 SP3 which includes the
above mentioned security patches.

      As always please make sure to enable a firewall and use the latest
Anti-Virus detection from your Anti-Virus vendor to prevent and detect new
viruses and their variants.

      If you have any questions regarding this alert, please contact your
Microsoft representative or 1-866-727-7338 (1-866-PCSafety) within the US;
outside of the US, please contact your local Microsoft Subsidiary.

      PSS Security Response Team
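
Added example, not part of the Microsoft alert: a log review for the UDP port 1434 block in PREVENTION step 2. It lists internal hosts sending UDP 1434 to several distinct outside addresses (candidates for the RECOVERY steps) and inbound UDP 1434 that a firewall still allowed. The log format, the 10.0.0.0/8 address plan, the fan-out threshold and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

SQL_UDP_PORT = 1434                                    # UDP port named in the alert
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: site address plan
FANOUT_THRESHOLD = 3                                   # assumption: tune per site

# Constructed format: "<time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2003-01-25T10:00:02 DENY UDP 10.1.4.20:1045 -> 198.51.100.7:1434
2003-01-25T10:00:02 DENY UDP 10.1.4.20:1045 -> 203.0.113.88:1434
2003-01-25T10:00:02 DENY UDP 10.1.4.20:1045 -> 192.0.2.140:1434
2003-01-25T10:00:03 ALLOW UDP 10.1.9.5:3120 -> 10.1.4.20:1434
2003-01-25T10:00:04 ALLOW UDP 192.0.2.33:2201 -> 10.1.7.12:1434
2003-01-25T10:00:05 ALLOW TCP 10.1.9.5:3121 -> 10.1.4.20:1433
2003-01-25T10:00:06 DENY UDP 10.1.9.5:3130 -> 198.51.100.7:1434
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def review_udp_1434(log_text):
    """Return (suspect_hosts, inbound_allowed) for UDP 1434 traffic."""
    fanout = defaultdict(set)   # internal source -> distinct external destinations
    inbound_allowed = []        # (external source, internal destination) let through
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip lines that do not match the format
        _, action, proto, src, _, dst, dport = m.groups()
        if proto.upper() != "UDP" or int(dport) != SQL_UDP_PORT:
            continue
        if is_internal(src) and not is_internal(dst):
            # Count attempts even when denied: the attempt is the signal.
            fanout[src].add(dst)
        elif not is_internal(src) and is_internal(dst) and action == "ALLOW":
            inbound_allowed.append((src, dst))
    suspects = sorted(h for h, d in fanout.items() if len(d) >= FANOUT_THRESHOLD)
    return suspects, inbound_allowed

if __name__ == "__main__":
    print(review_udp_1434(SAMPLE_LOG))
```

Internal-to-internal UDP 1434 is deliberately ignored here, since the alert notes that SQL Server uses this port for name resolution.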


