Application Security, Inc.

Security Updates - ASAP™ Updates
(Application Security Automatic Protection)

AppDetective™ Update 3.0.9 - 27 January 2003

NEW CHECK for Microsoft SQL Server

NOTE: Team SHATTER Security Alert

Title
Slammer/Sapphire worm

Description
Check if the server is vulnerable to the Slammer worm

Summary
A worm is currently attacking unpatched SQL Server 2000 installations over the Internet.

Microsoft SQL Server supports many different network libraries and provides the capability to listen on multiple connection points. These connection points are often assigned by SQL Server dynamically. In order for a client to determine which connection points are available, SQL Server provides a resolution service. This resolution service listens for requests on UDP port 1434.

A buffer overflow in this resolution service is being used by the Slammer worm to take control of the server; the worm then uses the SQL Server to propagate to other SQL Servers. The worm carries no destructive payload, but it results in a denial of service because an infected server consumes a large amount of network bandwidth attempting to propagate.
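
One way to spot an infected host from the propagation behaviour described above, as an added example that is not part of the original advisory or of the AppDetective check: it flags sources that send UDP port 1434 traffic to many distinct destinations within a short window. The flow-record format, the sample records, and the window and threshold values are assumptions constructed for illustration.

```python
from collections import defaultdict

RESOLUTION_PORT = 1434  # UDP port of the SQL Server resolution service

# Constructed sample flow records: "<epoch_seconds> <src> <dst> <proto> <dst_port>"
SAMPLE_FLOWS = """\
1043625600 10.0.0.5 192.0.2.10 udp 1434
1043625600 10.0.0.5 198.51.100.7 udp 1434
1043625600 10.0.0.5 203.0.113.99 udp 1434
1043625601 10.0.0.5 192.0.2.200 udp 1434
1043625601 10.0.0.5 198.51.100.31 udp 1434
1043625601 10.0.0.5 203.0.113.4 udp 1434
1043625602 10.0.0.9 10.0.0.20 udp 1434
1043625630 10.0.0.9 10.0.0.20 udp 1434
1043625603 10.0.0.7 10.0.0.20 tcp 1433
truncated record
"""

def parse_flows(text):
    """Yield (ts, src, dst, proto, dst_port); malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, proto, port = fields
        try:
            yield int(ts), src, dst, proto.lower(), int(port)
        except ValueError:
            continue

def suspected_infected(text, window=10, min_targets=5):
    """Map each flagged source to its peak count of distinct UDP/1434
    destinations inside any `window`-second span (thresholds are assumed)."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, port in parse_flows(text):
        if proto == "udp" and port == RESOLUTION_PORT:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] >= window:
                start += 1  # slide the window forward
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for host, fanout in suspected_infected(SAMPLE_FLOWS).items():
        print(f"{host}: {fanout} distinct UDP/{RESOLUTION_PORT} targets")
```

A client that repeatedly queries the same SQL Server on UDP 1434 stays below the threshold, so only the high fan-out source is reported.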
