
Worm.SQL.Helkern (aka SQLSlammer)

25 January 2003


This is an extremely small (just 376 bytes, carried in a single UDP datagram) Internet worm that affects Microsoft SQL Server 2000.
To get into the victim machine the worm exploits a buffer overrun vulnerability in the SQL Server Resolution Service, which listens on UDP port 1434 (see below).

When the worm code reaches a vulnerable SQL server it gains control of execution (via the buffer
overrun), then resolves the addresses of three Win32 API functions:

 GetTickCount    (KERNEL32.DLL)
 socket, sendto  (WS2_32.DLL)

The worm then seeds a pseudo-random counter from GetTickCount and enters an endless
spreading loop. In that loop it sends a copy of itself (its own 376-byte datagram) to
pseudo-random IP addresses derived from the counter, always to UDP port 1434.

Each copy is a single connectionless UDP datagram: there is no handshake and the worm never
waits for a reply, so an infected host emits copies as fast as its network interface and uplink
allow. The worm does not use multicast or broadcast; every sendto call targets one address, and its
speed comes purely from this fire-and-forget delivery, with bandwidth as the only limit. As a result
this worm spreads far faster than any other worm known at the moment.

Because MS SQL servers are frequently reachable from the Internet, this worm causes a global Internet denial of service: every infected server sends to other randomly selected addresses in an endless loop, and the aggregate traffic overwhelms links and routers far away from the infected hosts. The damage is to network bandwidth, not to the SQL data: the server process (sqlservr.exe, inside which the worm runs) keeps running, now spending its time in the send loop.

The worm is memory-only: it spreads from the memory of an infected machine to the memory of the
victim. It does not drop any files, does not touch the registry and does not manifest itself on
the host in any way other than the CPU and network load of the send loop. Two consequences follow
for incident handlers: a reboot (or a restart of the SQL Server service) removes the worm, but an
unpatched host on a reachable network is re-infected within minutes, so the patch listed below or a
filter on UDP port 1434 must be in place before the restart; and because nothing is written to disk,
the reliable artifacts are on the network (a flood of outbound UDP datagrams to port 1434 from the
host) and in the memory of the sqlservr.exe process.
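Since nothing reaches disk, practical detection is on the wire. The following Python example is added here and is not code from the original description: it classifies one UDP datagram addressed to port 1434 as a possible copy of the worm. Two facts it relies on are not on this page and are taken from public analyses of the worm's datagram: the payload starts with the byte 0x04 (the Resolution Service request type for looking up a single named instance) followed by a long run of 0x01 filler bytes that precede the overwritten return address. The 376-byte length, the port and the ASCII runs it looks for are all from the description above. The sample datagrams, the 64-byte filler threshold and the "longer than 64 bytes is odd for an instance lookup" heuristic are constructed assumptions for this example.

```python
# Python 3, standard library only. Added example, not the worm's code and not
# code from the original description: a simple triage check for UDP/1434 datagrams.

SSRP_PORT = 1434          # SQL Server Resolution Service port, as stated in the description
WORM_LEN = 376            # payload size stated in the description
CLNT_UCAST_INST = 0x04    # request type "look up one named instance" (public spec; assumption here)
MIN_FILLER = 64           # minimum run of 0x01 bytes treated as overflow filler (tunable assumption)

# The worm's own ASCII runs as listed in the description ('h' opcode + four name bytes).
WORM_STRINGS = (b"hkern", b"hws2_", b"hsock", b"hsend")


def filler_run(payload: bytes) -> int:
    """Length of the run of 0x01 bytes immediately after the request-type byte."""
    n = 0
    for b in payload[1:]:
        if b != 0x01:
            break
        n += 1
    return n


def classify_ssrp(dst_port: int, payload: bytes) -> str:
    """Return 'slammer', 'suspicious' or 'benign' for one UDP datagram."""
    if dst_port != SSRP_PORT or not payload or payload[0] != CLNT_UCAST_INST:
        return "benign"  # other ports or other request types are not the vulnerable path
    run = filler_run(payload)
    hits = sum(s in payload for s in WORM_STRINGS)
    if len(payload) == WORM_LEN and run >= MIN_FILLER and hits >= 3:
        return "slammer"
    # A legitimate instance lookup is "\x04" + instance name + "\x00" and is short
    # (instance names are at most a few dozen characters); a long or padded 0x04
    # request is at least worth a look even if it is not this worm.
    if len(payload) > 64 or run >= MIN_FILLER:
        return "suspicious"
    return "benign"


def sample_worm() -> bytes:
    """Constructed stand-in for the worm datagram: type byte, 0x01 filler, the ASCII
    runs listed in the description, zero-padded to 376 bytes. Not the worm's code."""
    body = b"\x04" + b"\x01" * 97
    body += b"h.dllhel32hkernQhounthickChGetTQh32.dhws2_fetQhsockftoQhsend"
    return body.ljust(WORM_LEN, b"\x00")


if __name__ == "__main__":
    # Constructed samples: the stand-in worm, a normal instance lookup, a broadcast
    # discovery request (type 0x02) and an oversized lookup of unknown origin.
    for port, data in [(1434, sample_worm()),
                       (1434, b"\x04MSSQLSERVER\x00"),
                       (1434, b"\x02"),
                       (1434, b"\x04" + b"A" * 200)]:
        print(port, len(data), classify_ssrp(port, data))
```

The length, filler and string checks are combined deliberately: the 0x01 run alone would also match any crude probe of the same overflow, and the string check alone would miss a trivially recompiled variant, so each adds a little robustness where the others are weak. Filtering UDP/1434 at the perimeter remains the real control; this check only tells you when that filter is missing.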

The text strings visible in the worm code (which are a mix of code and data) are listed below. They are in fact instructions: the letter "h" is the x86 opcode 0x68 (push imm32), so each "h" followed by four characters pushes four bytes of an ASCII name onto the stack; "Q" is 0x51 (push ecx), which, ecx having been zeroed, supplies the NUL terminator of the name that follows; "f" is 0x66, the operand-size prefix of a following 16-bit instruction. Read in stack order (the chunk pushed last comes first) the pushes spell kernel32.dll, GetTickCount, ws2_32.dll, socket and sendto, the names the worm needs to resolve its three imports:

 h.dllhel32hkernQhounthickChGet
 Qh32.dhws2_f
 etQhsockf
 toQhsend
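To see that these runs are code rather than data, here is an added Python example (mine, not from the original description) that decodes them as x86 opcodes and reassembles the names in stack order. The facts it assumes beyond the page are the opcode meanings given above (0x68 push imm32, 0x51 push ecx, 0x66 operand-size prefix) and that ecx is zero when pushed. The first run above is exactly 30 characters long and is evidently cut off: splitting GetTickCount into 4-byte pushes gives "GetT", "ickC", "ount", so the cut push is "hGetT"; the restored "T" is my completion, marked as such in the code.

```python
# Python 3, standard library only. Added example, not part of the original description.
# Decodes the printable runs listed above by treating them as x86 instruction bytes.

RUNS_ON_PAGE = [
    "h.dllhel32hkernQhounthickChGet",
    "Qh32.dhws2_f",
    "etQhsockf",
    "toQhsend",
]


def restore_truncated_run(run: str) -> str:
    """The first listed run is cut at 30 characters. 'GetTickCount' in 4-byte pushes is
    'GetT' 'ickC' 'ount', so the cut push must be 'hGetT'. Assumption: the only damage
    is the missing 'T'."""
    return run + "T" if run.endswith("hGet") else run


def decode_run(run: str):
    """Split one printable run into the strings its push instructions build.

    Returns (strings, loose): 'strings' are the names reassembled in stack order
    (the chunk pushed last sits lowest in memory, i.e. first in the string);
    'loose' collects printable bytes in the run that are not part of an 'h' push.
    """
    strings, chunks, loose = [], [], ""

    def flush():
        if chunks:
            strings.append("".join(reversed(chunks)))
            chunks.clear()

    i = 0
    while i < len(run):
        op = run[i]
        if op == "h":            # 0x68: push imm32; the next four bytes are one chunk of a name
            chunks.append(run[i + 1:i + 5])
            i += 5
        elif op == "Q":          # 0x51: push ecx (zero) = NUL terminator of the NEXT name,
            flush()              # so it also ends the name whose chunks came before it
            i += 1
        elif op == "f":          # 0x66: prefix of a 16-bit instruction; the listing stops here
            flush()
            i += 1
        else:                    # printable bytes that are not one of the opcodes modelled here
            loose += op
            i += 1
    flush()
    return strings, loose


def decode_all(runs):
    """Decode every listed run, restoring the known truncation first."""
    return [decode_run(restore_truncated_run(r)) for r in runs]


if __name__ == "__main__":
    for run, (names, loose) in zip(RUNS_ON_PAGE, decode_all(RUNS_ON_PAGE)):
        print(f"{run!r:36} -> {names}  loose={loose!r}")
```

The decoder recovers exactly what the listing carries: kernel32.dll and GetTickCount in full, but only the "ws2_32.d", "sock" and "send" prefixes, because the last two letters of each (the "ll" of ws2_32.dll and the "et" and "to" that appear as loose bytes in the third and fourth runs) are supplied by the 16-bit instructions after the "f" prefixes, whose opcode bytes are not printable and so are absent from the listing. It does not guess at them.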


Buffer Overflow
The buffer overrun used by the worm was published under the following advisory title:

  Unauthenticated Remote Compromise in MS SQL Server 2000

The affected systems are:

 Microsoft SQL Server 2000 without the MS02-039 fix (all Service Packs up to SP2; Service Pack 3 includes the fix), and Microsoft Desktop Engine (MSDE) 2000, which embeds the same Resolution Service

This vulnerability was discovered by David Litchfield of NGSSoftware and published in July 2002, when Microsoft also released the fix for "MS SQL Server 2000"; the worm appeared six months after the patch became available.

You may read more about that in:

Microsoft Security Bulletin MS02-039: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp

 NGSSoftware Insight Security Research Advisory: http://www.nextgenss.com/advisories/mssql-udp.txt

The patch for MS SQL Server 2000 is available at: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40602
