Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!


From Malware Wiki
Jump to: navigation, search
TypeInternet Worm
Programming LanguageAssembly
PlatformMicrosoft Windows
File TypeUDP Packet
Size200,000 computers
Damage costs$1.2 billion
This box: view  talk  edit

Slammer (also known as Sapphire, Helkern or SQLExp) was a worm on Microsoft Windows that appeared in 2003 January and was the fastest-spreading worm of its time. The worm was an extremely simple piece of code and its payload was an unintended byproduct of its spreading ability. It was also able to take down South Korea's internet for 12 hours.


Slammer on the infecting computer sends a UDP datagram to port 1434 on the target. The datagram exploits a buffer overflow vulnerability in the SQL Server Monitor that overwrites the stack and executes the rest of the exploit. When it is in the target's memory it begins sending datagrams of its exploit and worm code to random IP addresses to infect new targets.

Slammer exists entirely in the computer's memory. At no point does it save itself to any disk. It makes no changes to the system at all. These facts make removal of the worm as easy as shutting the system down.


Taking 15 minutes to spread worldwide, the SQL Slammer worm was one of the largest and fastest spreading worms ever. For this reason, some have described Slammer as the first "Warhol worm" (had its 15 minutes of fame), a fast-propagating Internet worm hypothesized in 2002 in a paper by Nicholas Weaver.

Slammer spread to over 90 percent of all vulnerable hosts in 10 minutes and infected around 359,000 computers total. Its population doubling time was about 37 minutes. 5 of the Internet's 13 root DNS servers went down and about 10 of them experienced massive packet loss due to the amount of bandwidth the worm consumed. London-based market intelligence firm Mi2g said that the worm caused between $950 million and $1.2 billion in lost productivity in its first five days worldwide.

In the United States, Windows XP activation servers in Redmond, Washington were taken offline. Continental Airlines resorted to pens and paper to record reservations and tickets. The airline had to delay and cancel some flights, though no delays lasted more than 30 minutes.

Banks in the US and Canada were hit hard. A majority of Bank of America's ATMs were rendered useless and while most were running by the evening, some customers reported being unable to use them well into the next day. Washington Mutual's ATMs and other bank services were unavailable for most of the day. Customers of the Canadian Imperial Bank of Commerce in Toronto were unable to withdraw money using ATMs.

The U.S. departments of State, Agriculture, Commerce and Defense were infected with the worm. The Emergency 911 network was down for some time.

Some Associated Press news services were interrupted. The Atlanta Journal-Constitution computer network was infected, forcing the paper to delay the publication of the Sunday first edition and delaying updates of the paper's Web site. The Philadelphia Inquirer had already printed its early Sunday edition before the worm hit, that paper was also hit by the worm.

South Korea was particularly hit hard by the worm. The Korean media claimed that the entire Internet infrastructure was knocked out and that billions of Won were lost. Customers of the ISP KT Freetel Corp and SK Telecom lost their internet connections.

In Portugal, more than 300,000 customers of Cable ISP Netcabo lost internet access.


Czech police believe that Benny of the virus magazine 29A was responsible for the worm. This is unlikely, as most 29A members do not release their viruses into the wild and only write viruses to explore new concepts and test coding abilities. It is possible though, that the worm may come from Benny's code, but was compiled by another person who released it, since 29A members regularly post their source code on sites for anyone to read.


Jensenne Roculan, Sean Hittel, Daniel Hanson, Jason V. Miller, Bartek Kostanecki, Jesse Gough, Mario van Velzen, Oliver Friedrichs. DeepSight(tm) Threat Management System Threat Analysis, SQLExp SQL Server Worm Analysis. 2003.01.28

David Moore, Vern Paxson, Colleen Shannon, Stuart Staniford, Nicholas Weaver Inside the Slammer Worm. 2003

John Leyden. The Register, ATMs, ISPs hit by Slammer worm spread 2003.01.27

-. -, SQL worm slams the Net. 2003.01.27

Daniel Sieberg, Dana Bash. CNN Technology, Computer worm grounds flights, blocks ATMs. 2003.01.26

Arirang TV, Chosun Ilbo, No Major Incidents After Internet Disruptions. 2003.01.27

Robert Lemos. CNet News, "Counting the cost of Slammer" 2003.01.31

-. -, "'Slammer' attacks may become way of life for Net" 2003.02.06

Dan Ilett. Silicon.com, "Police quiz ex-virus writer in Slammer investigation" 2004.11.29