Microsoft KB Archive/813115

= FIX: W32.Slammer worm exploits MSDE 2000 vulnerability in Application Center 2000 =

Article ID: 813115

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Application Center 2000 Standard Edition

-



SUMMARY
A denial of service may occur in an Application Center 2000 (AC2000) cluster if members become infected with the W32.Slammer worm because of a vulnerability in the Microsoft SQL Server Desktop Engine (MSDE 2000).



CAUSE
The W32.Slammer worm causes a denial of service because it floods the network with UDP packets over port 1434.



Service pack information
Application Center 2000 Service Pack 2 contains MSDE Service Pack 3a, which includes all the security patches that are available at the time of release. To resolve this problem, obtain the latest service pack for Application Center 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

309384 How to obtain the latest Application Center 2000 service pack

Hotfix information
Important Application Center Server 2000 uses a specialized version of MSDE 2000. These instructions are for Application Center Server 2000 only.

Important If your AC2000 systems are currently infected with W32.Slammer or are connected to a network that may have other systems infected with W32.Slammer, please download the SQL Critical Update hotfix which is part of the SQL Security Tools available from the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9552D43B-04EB-4AF9-9E24-6CDE4D933600&displaylang=en

Run the appropriate sqlhotfixpkg on your AC2000 systems before proceeding with the instructions below. Applying sqlhotfixpkg will NOT upgrade your system to MSDE Service Pack 2 (SP2), nor will it permit you to apply the post SP2 MSDE security bulletins that address vulnerabilities other than W32.Slammer, nor will it allow you to apply any security bulletins that may be released in the future.

For this reason we recommend that you complete the MSDE SP2 upgrade and Microsoft Security Bulletin MS02-061 (MS02-061) security rollup fix as described in this document.

Important The procedures below will render your Application Center 2000 systems vulnerable to the W32.Slammer worm while you are applying the upgrade and fix. You should have all the resources you need to complete the upgrade available locally on the server and then disconnect the server from the network while you upgrade to MSDE SP2 and MS02-061.

Important Your Application Center Servers must be at Application Center 2000 Service Pack 1 (SP1) in order to apply the procedures below. You can get SP1 from the following Microsoft Web site:

http://www.microsoft.com/applicationcenter/downloads/sp1.mspx

Important MSDE SP2, otherwise known as OFE813058.EXE, has been re-issued with this revision of this document. The first version of QFE813058.EXE was incompatible with MS02-061. If you downloaded and applied QFE813058.EXE before you downloaded this document, you should follow the “Installation instructions for systems that have had QFE813058.EXE applied already”. If you have any doubt about what version of QFE813058.EXE you have applied you should also follow the “Installation instructions for systems that have had QFE813058.EXE applied already” as they will work with either version of QFE813058.exe

To resolve this problem, you must obtain the following fixes:  QFE813058.EXE, available from the Application Center 2000: MSDE 2000 SP2 download, available from the following the following Microsoft Web site:

http://www.microsoft.com/applicationcenter/downloads/slammer.mspx

Note English and Japanese versions are available from this web site.

 Fixes described in the following Microsoft Security Bulletin MS02-61:

http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx

Or as part of the SQL Server 2000 Security Tools from the following Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9552D43B-04EB-4AF9-9E24-6CDE4D933600&displaylang=en



You may also need to have your Application Center 2000 installation media available when you run QFE813058.EXE.

Important If you see dialog boxes that notify you of problems running SQL scripts during the upgrade process, see the following article in the Microsoft Knowledge base:

814022 Application Center 2000 MSDE SP2 upgrade displays &quot;Unable to run SQL Script&quot; or MS02-061 displays &quot;Error running SQL Script&quot; dialog box

For single member clusters that have NOT had QFE813058.EXE applied already
 Right-click the Events node in the Application Center 2000 MMC, and then click Properties. Note the current values, and then make the following settings:  Set logging levels to none for Application Center, for Windows, and for Health Monitor. Clear the Log performance data check box.</li></ol> </li> Close the MMC.</li> Disconnect your server from the network to prevent re-infection during the upgrade process.</li> Click Start, point to Programs, click Administrative Tools, and then click Services. Start the following services, if necessary:  SQLAgent$MSAC</li> MSSQL$MSAC</li></ul> </li> Install QFE813058.EXE (MSDE Service Pack 2 for Application Center) by running QFE813058.exe.</li> Install Security Bulletin MS02-061, as described earlier.</li> Reconnect your server to the network.</li> Restore the event and performance logging options that you changed in step 2.</li></ol>

For clusters with more than one member that have NOT had QFE813058.EXE applied already

 * 1) Remove a member server from the cluster.
 * 2) Disconnect it from the network.
 * 3) Click Start, point to Programs, click Administrative Tools, and then click Services. Start the following services, if necessary:
 * 4) * SQLAgent$MSAC
 * 5) * MSSQL$MSAC
 * 6) Install Hotfix 813058 (MSDE Service Pack 2 for Application Center) by running QFE813058.exe.
 * 7) Install Security Bulletin MS02-061, as described earlier.
 * 8) Reconnect the server to the network.
 * 9) Rejoin the cluster.
 * 10) Promote the newly patched member to a controller.
 * 11) Repeat steps 1 through 7 on the remaining members.

For any Application Center 2000 servers that have had QFE813058.EXE applied already
<ol> Set the cluster member server offline.</li> Disconnect the cluster member server from the network.</li> Click Start, point to Programs, click Administrative Tools, and then click Services. Start the following services, if necessary:  SQLAgent$MSAC</li> <li>MSSQL$MSAC</li></ul> </li> <li> Type or cut and paste the following lines into a file C:\FixUp813058.cmd. <ul> <li>Make sure that your browser window is wide enough that you only see 21 lines of text.</li> <li>Make sure there are no spaces at the beginning of the lines.</li></ul>

@echo off OSQL -S .\MSAC -E -Q&quot;EXIT(select sign(charindex('8.00.534',@@version))+1)&quot; IF ERRORLEVEL 3 GOTO FINISH IF ERRORLEVEL 2 GOTO FIXREG ECHO Not an SP2 instance...quitting GOTO FINISH
 * FIXREG

echo Windows Registry Editor Version 5.00 > c:\fixmsdesp2.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSAC\MSSQLServer\CurrentVersion] >> c:\fixmsdesp2.reg echo &quot;CSDVersionNumber&quot;=dword:00000200 >> c:\fixmsdesp2.reg echo &quot;CSDVersion&quot;=&quot;8.00.534&quot; >> c:\fixmsdesp2.reg regedit -s c:\fixmsdesp2.reg IF ERRORLEVEL 1 GOTO REGERROR del c:\fixmsdesp2.reg echo Registry successfully updated OSQL -S .\MSAC -E -Q &quot;sp_configure 'MAX SERVER MEMORY',64&quot; OSQL -S .\MSAC -E -Q &quot;reconfigure with override&quot; GOTO FINISH
 * REGERROR

echo Error updating the registry
 * FINISH </li>

<li>Run C:\FixUp813058.cmd on the member</li> <li>Install MS02-061.</li> <li>Reconnect the server to the network.</li> <li>Set the server online.</li></ol>

<div class="workaround_section">

WORKAROUND
To work around this problem in cases where you cannot obtain the SQL Critical Update, disable and stop MSDE 2000 all members: <ol> <li>Before you disable and stop MSDE 2000 all members, record the service startup type setting so that it can be restored when you are ready to apply the QFE813058.EXE upgrade.</li> <li>Disable and stop SQL Server 2000 Desktop Engine services: <ul> <li>For the MSSQL$MSAC service, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Click Start, point to Programs, point to Administrative Tools, and then click Services.</li> <li>Right-click the MSSQL$MSAC service, select startup type Disabled, click Apply, and then click Stop.</li></ol> </li> <li>For the SQLAgent$MSAC service, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Click Start, point to Programs, point to Administrative Tools, and then click Services.</li> <li>Right-click the SQLAgent$MSAC service, select startup type Disabled, click Apply, and then click Stop.</li></ol> </li></ul> </li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Additional query words: DoS denial of service attack DDOS.SQLP1434.A W32/SQLSlammer Sapphire W32/SQLSlam-A W32.SQLExp.Worm

Keywords: KB813115

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.