SQL Worm Slams Web
Unpatched systems ping-pong infection
An Internet worm exploiting vulnerabilities in certain versions of Microsoft SQL Server and MSDE began hammering UDP port 1434 shortly before midnight on Friday, January 24th, 2003. Dubbed Sapphire by some antivirus vendors and Slammer by others, the worm caused massive packet loss throughout the web, producing severe latency and, depending on the ISP being used, making some sites completely inaccessible. Because the worm affected unpatched versions of Microsoft SQL Server and desktops with MSDE installed, Microsoft's download servers were temporarily overwhelmed by traffic as administrators flocked to the site to obtain the necessary patches.

One of the earliest reports of the worm was posted to a military.com forum on Friday evening, noting that "As many as 5 of the 13 root nameservers have been down, up to 10 with massive packet loss..." A few hours later, a similar report appeared on TruSecure's NTBugtraq, which also pegged the trouble as having begun about 9:30 p.m. PST and stated that "the compromised boxes/worms generated more than 80Mbit of outgoing traffic" and "about 40% of the sampled sites were down." It was not until after 7:00 a.m. on Saturday that reports began appearing on Symantec's SecurityFocus Bugtraq.

The Slammer worm arrived on the heels of Bill Gates' January 23 email, titled "Security in a Connected World", in which Mr. Gates discusses the advancements made by Microsoft as part of their Trustworthy Computing initiative. In the email Gates declared, "The scope of our security reviews represents an unprecedented level of effort for software manufacturers, and it's begun to pay off as vulnerabilities are eliminated through offerings like Windows XP Service Pack 1. We also put Visual Studio .NET through an incredibly vigorous design review, threat modeling and security push..." Ironically, Visual Studio .NET is one of the Microsoft products exploited by the Slammer/Sapphire worm.

As with Code Red, the worm spreads as an in-memory process only and not as a file, so an infected system can be "cleaned" simply by rebooting. However, the machine will quickly become reinfected once it is reconnected to the Internet unless it has been patched. The worm indiscriminately searches IP ranges looking for vulnerable machines, so even systems not running SQL Server or MSDE can be affected by the large number of ping requests. The worm infects only systems running one of the following:
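Because the worm announces itself on the network rather than on disk, the practical detection point is the scanning behaviour described above: one host fanning out UDP datagrams to port 1434 on many unrelated addresses in a few seconds. The script below is an added example written for this article, not code from the original page or from any vendor it mentions. It assumes a simple space-separated firewall log format (constructed here, along with the sample lines and packet sizes), and the window and fan-out threshold are assumptions a defender would tune to their own network.

```python
"""Flag hosts that look like Slammer/Sapphire scanners in firewall logs.

Added example, not from the original article. It assumes a constructed,
space-separated log format with the fields:
  <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
The worm fires UDP datagrams at port 1434 of pseudo-random addresses, so a
single source reaching many distinct destinations on UDP/1434 within a
short window is the signal we look for.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SQL_RESOLUTION_PORT = 1434        # UDP port the worm targets (from the article)
WINDOW = timedelta(seconds=10)    # detection window (assumption)
FANOUT_THRESHOLD = 5              # distinct destinations before alerting (assumption)

# Constructed sample log lines: one scanning host (10.0.0.7) and one
# legitimate client (10.0.0.21) talking to an internal SQL Server.
SAMPLE_LOG = """\
2003-01-25T05:30:01 UDP 10.0.0.7:1234 -> 192.0.2.10:1434 376
2003-01-25T05:30:01 UDP 10.0.0.7:1234 -> 198.51.100.44:1434 376
2003-01-25T05:30:02 UDP 10.0.0.7:1234 -> 203.0.113.9:1434 376
2003-01-25T05:30:02 TCP 10.0.0.21:51000 -> 10.0.0.5:1433 120
2003-01-25T05:30:02 UDP 10.0.0.7:1234 -> 192.0.2.200:1434 376
2003-01-25T05:30:03 UDP 10.0.0.7:1234 -> 198.51.100.7:1434 376
2003-01-25T05:30:03 UDP 10.0.0.21:51001 -> 10.0.0.5:1434 60
2003-01-25T05:30:03 UDP 10.0.0.7:1234 -> 203.0.113.77:1434 376
"""


def parse_line(line):
    """Return (timestamp, proto, src_ip, dst_ip, dst_port, size), or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts = datetime.fromisoformat(parts[0])
    proto = parts[1]
    src_ip = parts[2].rsplit(":", 1)[0]
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    return ts, proto, src_ip, dst_ip, int(dst_port), int(parts[5])


def find_scanners(log_text, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: max distinct UDP/1434 targets seen in any window} for sources
    whose fan-out reaches the threshold. Sources below it are not reported."""
    probes = defaultdict(list)          # src_ip -> [(timestamp, dst_ip), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                    # skip malformed lines rather than crash
        ts, proto, src_ip, dst_ip, dst_port, _size = rec
        if proto == "UDP" and dst_port == SQL_RESOLUTION_PORT:
            probes[src_ip].append((ts, dst_ip))

    alerts = {}
    for src_ip, events in probes.items():
        events.sort()                   # order by time for the sliding window
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src_ip] = max(alerts.get(src_ip, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible Slammer scanner: {src} reached {n} hosts on UDP/{SQL_RESOLUTION_PORT}")
```

Counting distinct destinations rather than raw packets is what separates a worm from a chatty but legitimate client: the internal host 10.0.0.21 also sends one UDP/1434 packet, to the one server it normally uses, and is not flagged. A host that does trip the threshold is exactly the one the article says a reboot will not fix for long; it needs to be kept off the network until MS02-039/MS02-061 or SQL Server 2000 SP3 is applied.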

• Microsoft SQL Server 7.0
• Microsoft Data Engine (MSDE) 1.0
• Microsoft SQL Server 2000
• Microsoft Desktop Engine (MSDE) 2000*

*MSDE may be installed by a wide range of products. SQLSecurity.com provides a list of these MSDE-enabled products.

Sapphire/Slammer can be prevented by applying the appropriate Microsoft patches. These are:

• MS02-039 (released July 2002)
• MS02-061 (released October 2002 and re-released January 2003)

These patches were also included as part of the recently released SQL Server 2000 Service Pack 3.

MS02-061, initially released in October 2002, was found to have caused problems with some SQL Server operations, requiring the additional installation of a subsequently released hotfix. Following the discovery of the Sapphire/Slammer worm, Microsoft re-released the patch with the hotfix combined in a single installer.

©2008 About.com, a part of The New York Times Company.