I think I figured out why my Yahoo accounts are being blocked.
Can Avast! pick up this worm? Or is it hiding which Avast! can’t detect?
Also Known As: SQL Slammer Worm [ISS], DDOS.SQLP1434.A [Trend], W32/SQLSlammer [McAfee], Slammer [F-Secure], Sapphire [eEye], W32/SQLSlam-A [Sophos]
Type: Worm
Infection Length: 376 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x
CVE References: CAN-2002-0649
Threat Assessment
Wild
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Easy
Damage
Payload:
Degrades performance: May affect network availability
Distribution
Technical Details
Ports: UDP port 1434. The worm continuously sends traffic to randomly generated IP addresses, attempting to send itself to hosts that run the Microsoft SQL Server Resolution Service and therefore listen on that particular port.
When W32.SQLExp.Worm attacks a vulnerable system, it does the following:
1. Sends itself to the SQL Server Resolution Service, which listens on UDP port 1434.
2. Takes advantage of a buffer overflow vulnerability that allows a portion of system memory to be overwritten. When the worm does this, it runs in the same security context as the SQL Server service.
3. Calls the Windows API function, GetTickCount, and uses the result as a seed to randomly generate IP addresses.
4. Opens a socket on the infected computer and attempts to repeatedly send itself to UDP port 1434 on the IP addresses it has generated, by using an ephemeral source port. Because the worm does not selectively attack the hosts in the local subnet, large amounts of traffic are the result.
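
A network-side check for the behaviour described above, added here as an example and not part of the original post or the quoted write-up: it flags hosts that send UDP port 1434 datagrams to many distinct destinations. The flow-record format, the sample records, the function names and the fan-out threshold are assumptions, and the size check assumes the record reports the UDP payload length.

```python
from collections import defaultdict

SQL_RESOLUTION_PORT = 1434  # UDP port named in the write-up
WORM_LENGTH = 376           # "Infection Length" from the write-up
FANOUT_THRESHOLD = 5        # assumed cut-off; tune for the network

# Constructed flow records: "src dst proto dport payload_bytes"
SAMPLE_FLOWS = """\
10.0.0.23 198.51.100.7 udp 1434 376
10.0.0.23 203.0.113.91 udp 1434 376
10.0.0.23 192.0.2.14 udp 1434 376
10.0.0.23 198.51.100.200 udp 1434 376
10.0.0.23 203.0.113.5 udp 1434 376
10.0.0.23 192.0.2.77 udp 1434 376
10.0.0.40 10.0.0.5 udp 1434 1
10.0.0.40 10.0.0.5 udp 1434 1
10.0.0.41 10.0.0.5 tcp 1433 120
garbage line
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport, length), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, dport, length = parts
        if not (dport.isdigit() and length.isdigit()):
            continue
        yield src, dst, proto.lower(), int(dport), int(length)

def find_scanners(flows, threshold=FANOUT_THRESHOLD):
    """Return {src: (distinct_destinations, worm_sized_datagrams)}."""
    dests = defaultdict(set)
    sized = defaultdict(int)
    for src, dst, proto, dport, length in flows:
        if proto != "udp" or dport != SQL_RESOLUTION_PORT:
            continue
        dests[src].add(dst)           # fan-out is the primary signal
        if length == WORM_LENGTH:     # matching size is supporting evidence
            sized[src] += 1
    return {s: (len(d), sized[s]) for s, d in dests.items() if len(d) >= threshold}

if __name__ == "__main__":
    for host, (fanout, hits) in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {fanout} UDP/1434 destinations, {hits} of {WORM_LENGTH} bytes")
```

A client that repeatedly queries one known SQL Server on UDP 1434 (10.0.0.40 in the sample) stays below the threshold, while the host spraying distinct addresses is reported.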