SQL Server Infected by SQL Slammer Virus

Post by Aramis Sal » Fri, 11 Jul 2003 07:42:37


My SQL 2000 server was infected by the SQL Slammer virus.
I have installed service pack 3 and have also installed
the Critical Updates Tool kit for SQL 2000.

I also installed the MS Security Bulletin MS02-061, have
followed all the steps Microsoft suggests, but still can't
remove the virus.

I have tried with the "BullGuard" and "Stinger 1.7"
tools, also the FixSQLex from Symantec, but none of them
have removed the virus.

Apparently the server was infected last July 8th.

I don't know if this is a recent version of the virus.

Can anyone help me on this?

Aramis...
 
 
 

Post by Don Dumitr » Fri, 11 Jul 2003 08:09:35

It's difficult to diagnose what is happening, based on the information you
have given. For example, why do you believe that you even have a virus on
your SQL Server? What symptoms are you seeing? With that information, we
can hopefully narrow down the possibilities.

That said, let me specifically address the SQL Slammer worm. "Slammer" is a
strictly memory-resident worm, so rebooting a machine infected with the worm
will remove the worm - until the machine gets reinfected again. It is a
small worm that exploits a buffer overrun in the locator service of SQL
Server, and hijacks that service to send copies of itself out to the network
in order to infect other machines. SQL Slammer does not write anything to
the disk, and does not install any backdoors. Rebooting (or simply stopping
SQL Server, if SQL Server is responsive enough to be stopped - the worm uses
so much CPU that SQL Server might not respond to a stop request) will get
rid of the worm - until re-infection occurs. The recommended way to prevent
getting infected again is to install SQL Server SP3.

Assuming that it *is* the actual SQL Slammer worm, the resources at
http://www.yqcomputer.com/
will hopefully help you.

One possibility is that you *do* have the SQL Slammer worm, and that you
have multiple instances of SQL Server installed on your machine. For
example, you might have both SQL Server, and MSDE, both installed on the
same machine. In that case, you would need to apply SQL Server SP3, as well
as the service pack for MSDE. If you only patched SQL Server, then the MSDE
instance on your machine could still be vulnerable. The assessment tool
( http://www.yqcomputer.com/
/tools/chklist/SVAtool.asp) can tell you how many instances of SQL Server
are on your machine, and which are vulnerable. The update wizard
( http://www.yqcomputer.com/
-9e87-8fd78aeee64f&DisplayLang=en) will apply hotfixes to instances that are
vulnerable.

And finally... I am still not sure, from the information you have given,
that you are even suffering from the SQL Slammer worm. It would help if you
could use the assessment tool to determine if the machine is vulnerable, and
it would also help if you could post additional information about what
symptoms you are seeing.

--Don

--
This posting is provided "AS IS" with no warranties, and confers no rights.
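
Added example (not part of either post above, and not Microsoft's assessment tool): a small Python check for the multiple-instance case Don describes, run over the `SELECT @@VERSION` banner collected from each instance on the machine. It assumes SP3 corresponds to build 8.00.760 (a fact not stated in the thread); the host name, instance name and banners below are constructed samples, and `audit` and `parse_build` are hypothetical helper names.

```python
import re

# Assumption: SQL Server 2000 / MSDE 2000 at SP3 reports build 8.00.760.
SP3_BUILD = (8, 0, 760)

# Banner starts like: "Microsoft SQL Server  2000 - 8.00.760 (Intel X86)"
BANNER_RE = re.compile(r"Microsoft SQL Server\s+\S+\s+-\s+(\d+)\.(\d+)\.(\d+)")

def parse_build(banner):
    """Return (major, minor, build) from an @@VERSION banner, or None."""
    m = BANNER_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None

def audit(instances):
    """Map each instance name to its status against the SP3 baseline."""
    result = {}
    for name, banner in instances.items():
        build = parse_build(banner)
        if build is None:
            result[name] = "unknown"        # unparsable: treat as unverified
        elif build[:2] != (8, 0):
            result[name] = "not-sql2000"    # other product version, out of scope
        else:
            # Decide on the build number only. The "Service Pack N" text at
            # the end of the banner is the Windows service pack, not SQL's.
            result[name] = "sp3-or-later" if build >= SP3_BUILD else "below-sp3"
    return result

# Constructed sample: a patched default instance plus an unpatched MSDE
# instance on the same host. Both banners end in "Service Pack 3" (Windows).
SAMPLE = {
    "DBHOST01": ("Microsoft SQL Server  2000 - 8.00.760 (Intel X86) \n"
                 "\tStandard Edition on Windows NT 5.0 "
                 "(Build 2195: Service Pack 3)\n"),
    "DBHOST01\\MSDE_APP": ("Microsoft SQL Server  2000 - 8.00.194 (Intel X86) \n"
                           "\tDesktop Engine on Windows NT 5.0 "
                           "(Build 2195: Service Pack 3)\n"),
}

if __name__ == "__main__":
    for instance, status in audit(SAMPLE).items():
        print(f"{instance}: {status}")
```

Any instance reported as `below-sp3` or `unknown` still needs its own service pack applied, even when the default instance on the same machine is already patched.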