
W32SQLSlammerWorm

W32.SQLSlammer.Worm (its antivirus name), commonly referred to as SQL Slammer or Sapphire, was a fast-spreading computer worm that emerged in 2003. It targeted Microsoft SQL Server 2000 installations by exploiting a vulnerability in the SQL Server Resolution Service, which is accessible via UDP port 1434. The worm is notable for its extremely compact size and rapid propagation.

The outbreak began on January 25, 2003, and the worm spread by scanning random Internet addresses and sending a single, small UDP packet to any vulnerable SQL Server instance. The payload, about 376 bytes in size, exploited a buffer overflow in the Resolution Service, causing infected hosts to launch new copies of the worm. Because the worm required no user interaction, it propagated autonomously and very quickly.

Impact and scope of the incident were substantial. The rapid spread caused significant network congestion and load, affecting Internet backbone traffic and many corporate networks. Estimates of infected hosts vary, but the outbreak is cited as infecting tens of thousands of machines within minutes, contributing to widespread performance degradation and outages in some environments.

Mitigation and remediation involved applying a security patch from Microsoft (MS03-039) that fixed the underlying vulnerability, as well as strengthening network defenses. Administrators were advised to patch affected systems, block UDP traffic to port 1434 where feasible, disable the SQL Server Resolution Service if it was not needed, and ensure updated antivirus signatures were in place. The SQL Slammer incident underscored the importance of timely patch management and network-level protections against fast-spreading, small-scale exploits.
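
As an added example (not part of the original article), the following sketch flags the traffic pattern described above in flow records: one source sending UDP datagrams of roughly 376 bytes to port 1434 on many different addresses in a short time. The record layout, the thresholds and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SSRS_PORT = 1434        # UDP port of the SQL Server Resolution Service (from the article)
PAYLOAD_SIZE = 376      # approximate worm payload size in bytes (from the article)
SIZE_TOLERANCE = 8      # assumption: slack around the "about 376 bytes" figure
FANOUT_THRESHOLD = 5    # assumption: distinct destinations needed to flag a source
WINDOW_SECONDS = 10.0   # assumption: sliding window for counting destinations

# Constructed flow records: (timestamp, src, dst, proto, dst_port, payload_bytes).
SAMPLE_FLOWS = [
    (0.00, "10.0.5.20", "192.0.2.17", "udp", 1434, 376),
    (0.01, "10.0.5.20", "198.51.100.4", "udp", 1434, 376),
    (0.02, "10.0.5.20", "203.0.113.90", "udp", 1434, 376),
    (0.03, "10.0.5.20", "192.0.2.201", "udp", 1434, 376),
    (0.04, "10.0.5.20", "198.51.100.77", "udp", 1434, 376),
    (0.05, "10.0.5.20", "203.0.113.5", "udp", 1434, 376),
    (0.10, "10.0.5.31", "10.0.9.10", "udp", 1434, 1),    # small lookup, one server
    (0.50, "10.0.5.31", "10.0.9.10", "udp", 1434, 1),
    (0.20, "10.0.5.40", "192.0.2.53", "udp", 53, 376),   # right size, other port
    (1.00, "10.0.5.50", "192.0.2.8", "udp", 1434, 376),  # matching packets, but only
    (30.0, "10.0.5.50", "192.0.2.9", "udp", 1434, 376),  # two, far apart in time
]


def find_scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: peak distinct-destination count} for sources that reach
    `threshold` distinct destinations within any `window`-second span."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still in the window
    flagged = {}
    for ts, src, dst, proto, dport, size in sorted(flows):
        if proto != "udp" or dport != SSRS_PORT:
            continue
        if abs(size - PAYLOAD_SIZE) > SIZE_TOLERANCE:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, fanout in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {fanout} distinct UDP/{SSRS_PORT} destinations in {WINDOW_SECONDS}s")
```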