Threat Encyclopedia


Worm Win32/SQL.Slammer

Aliases: W32.SQLExp.Worm, Worm.SQL.Helkern

The worm spreads only on PCs running unpatched Microsoft SQL Servers. It stores no data on the computer's disk and does not change any files on it. A system is attacked by a UDP packet 376 bytes long, received on port 1434, which is used by the SQL server. The packet exploits a buffer overflow to activate the worm. On an infected system, the worm continually sends its body to randomly generated IP addresses through UDP port 1434. As a result, a large increase in network traffic can be observed. The worm has no other destructive effects.
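The traffic pattern described above (376-byte UDP packets to port 1434, sent from one host to many random addresses) can be checked in flow records. The following is an added detection example, not part of the original entry; the record fields (`ts`, `src`, `dst`, `proto`, `dport`, `length`), the one-second window and the fan-out threshold are assumptions.

```python
from collections import defaultdict

SQL_UDP_PORT = 1434      # UDP port named in the entry
WORM_PACKET_LEN = 376    # packet length named in the entry
WINDOW_SECONDS = 1.0     # assumed sliding window
MIN_DISTINCT_DSTS = 5    # assumed fan-out threshold

def matches_profile(flow):
    """True when a record has the port and size the entry describes."""
    return (flow["proto"] == "udp"
            and flow["dport"] == SQL_UDP_PORT
            and flow["length"] == WORM_PACKET_LEN)

def find_scanning_hosts(flows, window=WINDOW_SECONDS, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src: peak distinct destinations in any window} for
    sources whose peak reaches min_dsts."""
    per_src = defaultdict(list)
    for flow in flows:
        if matches_profile(flow):
            per_src[flow["src"]].append((flow["ts"], flow["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= min_dsts:
            flagged[src] = peak
    return flagged

# Constructed sample records (documentation address ranges), not capture data.
SAMPLE_FLOWS = (
    # One host hitting 8 different addresses within 0.7 s: flagged.
    [{"ts": 0.1 * i, "src": "192.0.2.10", "dst": f"198.51.100.{i + 1}",
      "proto": "udp", "dport": 1434, "length": 376} for i in range(8)]
    # Same port, different length: does not match the profile.
    + [{"ts": 0.5, "src": "192.0.2.20", "dst": "192.0.2.30",
        "proto": "udp", "dport": 1434, "length": 60}]
    # Matching packets spread 5 s apart: fan-out stays below the threshold.
    + [{"ts": 5.0 * i, "src": "192.0.2.40", "dst": f"203.0.113.{i + 1}",
        "proto": "udp", "dport": 1434, "length": 376} for i in range(6)]
)

if __name__ == "__main__":
    print(find_scanning_hosts(SAMPLE_FLOWS))
```
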

A detailed description of the exploited vulnerability can be found at:

An infected system can be disinfected by rebooting the computer and then installing the service pack (SP3) available at:

The patch can also be downloaded at