W32.SQLExp.Worm Removal Tool

The Win32.Worm.SQLExp.Slammer Detection and Removal Tool is a small program that detects and removes worm infections from any machine.

A is an Internet worm that uses a known vulnerability in Microsoft SQL Server to spread. It arrives as a 376-byte malformed packet. It executes itself using a stack overflow vulnerability.

Following the execution of its code, it generates random IP addresses using the GetTickCount function and delivers itself to those addresses through UDP port 1434. Denial of Service is caused by the worm sending itself repeatedly.It will either relocate the file to quarantine, where it cannot propagate or cause harm, or remove it, depending on the settings of your F-Secure protection package. The worm vanishes when the server is restarted since it does not reach the infected computer's disk. If the security problem is not fixed by applying Microsoft patches, the server may become infected again.

This worm only infects systems running Microsoft SQL Server 2000 or MSDE 2000, and not conventional end-user workstations. Because of network sluggishness, end users may only see this worm. This worm isn't a spammer because it doesn't send emails.The worm merely replicates itself in memory and never writes to the hard drive. In this way, it's analogous to the July 2001 Code Red. Because the worm does not infect data, an infected computer can be cleaned simply by rebooting it. If the machine is connected to the network without the necessary MS SQL Server patches installed, it will quickly become infected again.

To exploit a vulnerability, the worm uses UDP port 1434. The worm does not write to the hard drive. It only resides on infected systems as network packets and active programs. Slammer is comparable to CodeRed in this regard. Slammer takes use of a buffer overflow flaw in Microsoft SQL Server 2000. (MS02-039). When the SQL server gets a malicious request, the server's buffer overflow permits the worm code to run.

After the worm has gained access to the susceptible system, it obtains the addresses for certain system functions and begins an indefinite cycle of scanning the Internet for new vulnerable hosts. Slammer initializes its random number generator with the Win32 API's GetTickCount() function. It searches for vulnerable hosts using random numbers as IP addresses.

SQL Slammer was a computer worm that infected several Internet hosts in 2003, causing a denial of service and severely slowing overall Internet traffic.

• Microsoft Biztalk Server
• Microsoft Office XP Developer Edition
• Microsoft Project
• Microsoft SharePoint Portal Server
• Microsoft Visio 2000
• Microsoft Visual FoxPro Microsoft Visual Studio.NET Microsoft .NET Framework SDK Compaq Insight Manager