GEN:SID 1:2003
Message MS-SQL Worm propagation attempt
Summary This event is generated when an attempt is made by the "Slammer" worm to compromise a Microsoft SQL Server.
Impact A worm targeting a vulnerability in the MS SQL Server 2000 Resolution
Service was released on January 25th, 2003.  The worm attempts to
exploit a buffer overflow in the Resolution Service.  Because of the
nature of the vulnerability, the worm is able to attempt to compromise
other machines very rapidly.
Detailed Information The Monitor Service provided by MS SQL and MSDE uses unchecked client
provided data in an SQL version check function.

The worm attempts to exploit a buffer overflow in this version request.
If the worm sends too many bytes in the request that triggers the
version check, then a buffer overflow condition is triggered resulting
in a potential compromise of the SQL Server.
Affected Systems This vulnerability is present in unpatched MS SQL Servers.  The following unpatched services containing MS SQL or Microsoft Desktop Engine (MSDE) may potentially be compromised by this worm:

* SQL Server 2000 (Developer, Standard, and Enterprise Editions)
* Visual Studio .NET (Architect, Developer, and Professional Editions)
* ASP.NET Web Matrix Tool
* Office XP Developer Edition
* MSDN Universal and Enterprise subscriptions
Attack Scenarios This is worm activity.
Ease of Attack Exploits for this vulnerability have been publicly published.

A worm has been written that automatically exploits this vulnerability.
Corrective Action Block external access to the MS SQL services on port 1433 and 1434 if
possible.

Patches from Microsoft are available that fix this vulnerability.  The
patches are available from

www.microsoft.com/technet/security/bulletin/MS02-039.asp
Additional References  
Rule References bugtraq: 5310
bugtraq: 5311
cve: 2002-0649
nessus: 11214
url: vil.nai.com/vil/content/v_99992.htm