
Commentary

The Microsoft SQL Server buffer-overflow vulnerability exploited by this worm has been
known for six months. Security patches and updates have been available since its public
disclosure, so only machines that have not been kept current with security patches and
service packs are vulnerable to infection. On his page, Robert Graham presents an
extremely compelling argument for the practical impossibility of ever achieving total
patching of vulnerable machines.

eEye's analysis of the worm's payload, and others', indicates that, unlike the earlier
Code Red and Nimda worms, this worm's only agenda is self-replication, which it pursues
with significant gusto.

Since the worm lives only in the system's memory and does not modify any files on disk,
"disinfection" of an infected system is as simple as a reboot. The reboot does not fix the
underlying vulnerability, however: an unpatched system that is still reachable on UDP
port 1434 will be reinfected as soon as the next probe arrives, so patch it, or block the
port, before reconnecting it.

It is somewhat intriguing that every probe packet the worm emitted contained a complete,
self-replicating copy of the entire worm. Because the worm used the connectionless UDP
protocol, receipt of a single packet was all that was necessary to infect a vulnerable
host: there was no connection to set up and no second exchange in which the victim
fetched the rest of the code.

We are fortunate that the worm spreads over UDP port 1434, because this traffic can be
readily filtered and blocked at any level of the Internet with little side effect: the only
legitimate use of that port is SQL Server's own instance-resolution service, which rarely
needs to cross the Internet. This was not the case with the earlier Code Red and Nimda
worms, which used the standard web TCP protocol and port and could not, therefore, be
blocked without blocking all other web traffic.
