A devastating virus struck the Internet on Friday (1/24/03), causing symptoms on networks that look like denial-of-service (DoS) attacks. The worm spreads using an exploit for a SQL Server 2000 vulnerability that was found and patched in July. The vulnerability is that SQL Server doesn't handle data sent to it properly, causing a buffer overflow. The attacker is then given elevated permissions and can launch further attacks. In this case the attacker is a virus called Sapphire, and it then begins launching attacks similar to Red Alert from your SQL Server.
The worm does not create any backdoors on your system once it's infected, but it will mount a denial-of-service attack against your network as it tries to find other servers to infect. It has already brought down many networks this weekend. Stopping and starting SQL Server should flush your buffer pool and allow your server to perform normally again.
It's important to note that this virus isn't related to the earlier virus that preyed on systems without an SA password set. This one is much more like the Code Red virus, in that it preys on a SQL Server vulnerability. Microsoft has had a fix out for this since July of last year; if you have installed the recent cumulative patch or SQL Server 2000 SP3, you are safe.
If you want the standalone patch for this problem, you can download it at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
Before you install the patch, though, make sure you don't already have it, or a later patch, installed by running SELECT @@VERSION in Query Analyzer. If you see version 2000.800.636 or later, you should be safe, provided the patch was installed properly. The best protection against this and future bugs like it is to install Service Pack 3 for SQL Server, which can be downloaded at: http://www.microsoft.com/sql/downloads/2000/sp3.asp
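As an added example (not code from the original post), here is a small Python script that applies the version check above to saved @@VERSION output from several servers, so that a whole fleet can be audited instead of checking each server by hand in Query Analyzer. It assumes that the post's minimum version 2000.800.636 appears in @@VERSION output as build 8.00.636, and it treats output it cannot parse as unverified rather than safe. The server names and version strings below are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum build carrying the fix, taken from the post's "2000.800.636".
# Assumption: @@VERSION prints this build as "8.00.636".
MIN_PATCHED_BUILD: Tuple[int, int, int] = (8, 0, 636)

# First "major.minor.build" triple in the @@VERSION text is the server build.
_BUILD_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_build(version_text: str) -> Optional[Tuple[int, int, int]]:
    """Return the (major, minor, build) triple from @@VERSION output, or None if absent."""
    match = _BUILD_RE.search(version_text)
    if not match:
        return None
    major, minor, build = (int(g) for g in match.groups())
    return (major, minor, build)


def is_patched(version_text: str, minimum: Tuple[int, int, int] = MIN_PATCHED_BUILD) -> bool:
    """True when the reported build is at or above the minimum patched build.

    Output that cannot be parsed (empty result, failed query) is reported as
    not patched so that it shows up for manual review rather than being skipped.
    """
    build = parse_build(version_text)
    if build is None:
        return False
    return build >= minimum  # tuple comparison: (8,0,760) >= (8,0,636) etc.


def audit(version_by_server: Dict[str, str]) -> List[str]:
    """Return the sorted names of servers that still need the patch or could not be verified."""
    return sorted(name for name, text in version_by_server.items() if not is_patched(text))


# Constructed sample @@VERSION output for four hypothetical servers (not real hosts).
SAMPLE_VERSIONS: Dict[str, str] = {
    "sql-a": (
        "Microsoft SQL Server  2000 - 8.00.194 (Intel X86)\n"
        "\tAug  6 2000 00:57:48\n"
        "\tCopyright (c) 1988-2000 Microsoft Corporation\n"
        "\tStandard Edition on Windows NT 5.0 (Build 2195: Service Pack 2)"
    ),
    "sql-b": "Microsoft SQL Server  2000 - 8.00.636 (Intel X86)\n\tStandard Edition",
    "sql-c": "Microsoft SQL Server  2000 - 8.00.760 (Intel X86)\n\tStandard Edition",
    "sql-d": "",  # query failed or returned nothing: must be looked at by hand
}

if __name__ == "__main__":
    for server, text in SAMPLE_VERSIONS.items():
        print(f"{server}: build={parse_build(text)} patched={is_patched(text)}")
    print("needs attention:", audit(SAMPLE_VERSIONS))
```

In practice the dictionary would be filled from the result of running SELECT @@VERSION against each server (for example from a scheduled job that writes the output to a file), and the returned list is the work queue for patching or for re-checking the install.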
The worst thing about this virus is how quickly it propagated, and how much more damage it could have done had it been one that planted backdoors on your system.