Hi, I have seen very little regarding Slammer on SF, so I have roamed the AV sites looking at the various attempts to describe it. I was a little surprised at the variety of descriptions; some of this I put down to it being a weekend. The most disappointing was Sybari (what worm?).
http://www.sophos.com/virusinfo/analyses/w32sqlslama.html
Good description but a little bland

http://www.norman.com/virus_info/w32_sqlslammer_a.shtml
Poor description

http://www.f-secure.com/v-descs/mssqlm.shtml
Excellent tech detail:
"....The worm code is 376 bytes in size which suggests that it was written and hand optimized using the Assembly language....
....Sapphire uses GetTickCount() function from the Win32 API to initialize its random number generator.... Sometimes the random generator returns numbers that are broadcast addresses (eg.: x.y.z.0 or x.y.z.255) causing all the hosts on the particular network to receive the malicious packet. This makes the spreading routine even more aggressive..."

http://support.ikarus.at/cgi-bin/lexikon/lexikon.pl?language=german&action=name&value=I-Worm.SQLSlammer.A@mm
Good tech detail if you speak German

http://vil.nai.com/vil/content/v_99992.htm
Best detail (IMHO), good graphic:
".....The malformed packet is only 376 bytes long (which is the full worm!) and carries the following strings: "h.dllhel32hkernQhounthickChGetTf", "hws2", "Qhsockf" and "toQhsend"....."

http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
Great detail, especially for how to utilise other Symantec products, e.g. ManHunt:
"......alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; content:"|04|"; offset:0; depth:1;)......"

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SQLP1434.A
Bland detail

http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=39147
Another bland one, though links to their IDS signatures

It's worth checking around the various sites to see which you prefer, noting the URLs for the next time the S*** hits the fan.
I would recommend having the "Emergency" alerts fed through to my mobile phone. I was a little disappointed in Sophos outputting theirs at 13:49, some 4 hours after other mailing lists were starting to twitch. Having said that, I still haven't seen some of the other alerts at all, and Sophos has been very much on the ball in the past, i.e. Nimda.

Take care
-andy

Taliskers Network Security Tools
http://www.networkintrusion.co.uk
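The Symantec rule quoted above is small enough to implement by hand and check against a capture, which is a quick way to see what each of its three conditions actually contributes. The following is an added example, not code from the post or from any of the vendors listed; it applies the rule's destination port, lead byte and content match to a UDP payload and reports the other indicators (376-byte length, the strings from the NAI write-up) separately. Both payloads it runs on are constructed here for illustration: the "worm-like" one only borrows the published strings, and the 0x01 filler is an assumption for the sample, not a description of the real packet. The SQL Server Resolution Protocol instance-lookup request used as the benign sample also begins with 0x04, which is why the content match, not the lead byte, is what keeps the rule from firing on ordinary client traffic.

```python
import struct

# Detection constants taken from the Snort rule Symantec published (quoted in the post):
#   udp $EXTERNAL_NET any -> $HOME_NET 1434                     -> destination port 1434
#   content:"|04|"; offset:0; depth:1                           -> payload byte 0 is 0x04
#   content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"   -> b"h.dllhel32hkern"
SQL_RESOLUTION_PORT = 1434
SIG_FIRST_BYTE = 0x04
SIG_CONTENT = bytes.fromhex("68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E")
WORM_LENGTH = 376  # size of the whole worm packet as reported by F-Secure and NAI

# The strings the NAI write-up says the packet carries
NAI_STRINGS = (b"h.dllhel32hkernQhounthickChGetTf", b"hws2", b"Qhsockf", b"toQhsend")


def parse_udp(datagram: bytes):
    """Split a raw UDP datagram (8-byte header + payload) into (src_port, dst_port, payload)."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than a UDP header")
    src_port, dst_port, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length field")
    return src_port, dst_port, datagram[8:length]


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Wrap a payload in a UDP header with a zero checksum (legal for IPv4); used to build samples."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def matches_snort_rule(dst_port: int, payload: bytes) -> bool:
    """Apply the three conditions of the quoted rule: port, lead byte, and the hashed-import string."""
    return (
        dst_port == SQL_RESOLUTION_PORT
        and len(payload) >= 1
        and payload[0] == SIG_FIRST_BYTE
        and SIG_CONTENT in payload
    )


def slammer_indicators(payload: bytes) -> dict:
    """Report which of the published indicators a payload shows, for triaging a capture by hand."""
    return {
        "first_byte_04": len(payload) >= 1 and payload[0] == SIG_FIRST_BYTE,
        "snort_content": SIG_CONTENT in payload,
        "nai_strings": [s.decode("ascii") for s in NAI_STRINGS if s in payload],
        "length_376": len(payload) == WORM_LENGTH,
    }


# Constructed sample 1 (NOT the real worm): 0x04 lead byte, a run of 0x01 filler chosen here as
# an assumption for the sample, the NAI strings, and zero padding out to 376 bytes.
_body = b"\x01" * 97 + b"".join(NAI_STRINGS)
SAMPLE_WORM_LIKE = (b"\x04" + _body).ljust(WORM_LENGTH, b"\x00")

# Constructed sample 2: a legitimate SQL Server Resolution Protocol instance lookup. It also starts
# with 0x04 (CLNT_UCAST_INST) followed by an instance name, so the lead-byte check alone would
# fire on every such query; the content match is what separates the two.
SAMPLE_BENIGN_LOOKUP = b"\x04" + b"SQLEXPRESS\x00"


def classify(datagram: bytes) -> str:
    """Run the rule over one raw UDP datagram and return the Snort msg text or 'no match'."""
    _src, dst, payload = parse_udp(datagram)
    return "W32.SQLEXP.Worm propagation" if matches_snort_rule(dst, payload) else "no match"


if __name__ == "__main__":
    for name, pl in (("worm-like", SAMPLE_WORM_LIKE), ("benign lookup", SAMPLE_BENIGN_LOOKUP)):
        dg = build_udp(1234, SQL_RESOLUTION_PORT, pl)
        print(name, "->", classify(dg), slammer_indicators(pl))
```

The 376-byte length is deliberately kept out of matches_snort_rule, because the quoted rule does not test it; it is reported by slammer_indicators instead, so a captured packet that matches the content but differs in size stands out during triage rather than being silently ignored.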