FIX: W32.Slammer worm exploits MSDE 2000 vulnerability in Application Center 2000

A denial of service may occur in an Application Center 2000 (AC2000) cluster if members become infected with the W32.Slammer worm because of a vulnerability in the Microsoft SQL Server Desktop Engine (MSDE 2000).

The W32.Slammer worm causes a denial of service because it floods the network with UDP packets over port 1434.

Service pack information

Application Center 2000 Service Pack 2 contains MSDE Service Pack 3a, which includes all the security patches that are available at the time of release. To resolve this problem, obtain the latest service pack for Application Center 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Hotfix information

Important Application Center Server 2000 uses a specialized version of MSDE 2000. These instructions are for Application Center Server 2000 only.

Important If your AC2000 systems are currently infected with W32.Slammer or are connected to a network that may have other systems infected with W32.Slammer, please download the SQL Critical Update hotfix which is part of the SQL Security Tools available from the following Microsoft Web site:Run the appropriate sqlhotfixpkg on your AC2000 systems before proceeding with the instructions below. Applying sqlhotfixpkg will NOT upgrade your system to MSDE Service Pack 2 (SP2), nor will it permit you to apply the post SP2 MSDE security bulletins that address vulnerabilities other than W32.Slammer, nor will it allow you to apply any security bulletins that may be released in the future.

For this reason we recommend that you complete the MSDE SP2 upgrade and Microsoft Security Bulletin MS02-061 (MS02-061) security rollup fix as described in this document.

Important The procedures below will render your Application Center 2000 systems vulnerable to the W32.Slammer worm while you are applying the upgrade and fix. You should have all the resources you need to complete the upgrade available locally on the server and then disconnect the server from the network while you upgrade to MSDE SP2 and MS02-061.

Important Your Application Center Servers must be at Application Center 2000 Service Pack 1 (SP1) in order to apply the procedures below. You can get SP1 from the following Microsoft Web site:Important MSDE SP2, otherwise known as OFE813058.EXE, has been re-issued with this revision of this document. The first version of QFE813058.EXE was incompatible with MS02-061. If you downloaded and applied QFE813058.EXE before you downloaded this document, you should follow the “Installation instructions for systems that have had QFE813058.EXE applied already”. If you have any doubt about what version of QFE813058.EXE you have applied you should also follow the “Installation instructions for systems that have had QFE813058.EXE applied already” as they will work with either version of QFE813058.exe

To resolve this problem, you must obtain the following fixes:

• QFE813058.EXE, available from the Application Center 2000: MSDE 2000 SP2 download, available from the following the following Microsoft Web site:
  http://technet.microsoft.com/en-us/library/bb734930.aspx (http://technet.microsoft.com/en-us/library/bb734930.aspx)
  Note English and Japanese versions are available from this web site.

• Fixes described in the following Microsoft Security Bulletin MS02-61:
  http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx (http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx)
  Or as part of the SQL Server 2000 Security Tools from the following Web site:
  http://www.microsoft.com/downloads/details.aspx?FamilyId=9552D43B-04EB-4AF9-9E24-6CDE4D933600&displaylang=en (http://www.microsoft.com/downloads/details.aspx?FamilyId=9552D43B-04EB-4AF9-9E24-6CDE4D933600&displaylang=en)

You may also need to have your Application Center 2000 installation media available when you run QFE813058.EXE.

Important If you see dialog boxes that notify you of problems running SQL scripts during the upgrade process, see the following article in the Microsoft Knowledge base:

Installation instructions

For single member clusters that have NOT had QFE813058.EXE applied already

1. Right-click the Events node in the Application Center 2000 MMC, and then click Properties. Note the current values, and then make the following settings:
   1. Set logging levels to none for Application Center, for Windows, and for Health Monitor.
   2. Clear the Log performance data check box.
2. Close the MMC.
3. Disconnect your server from the network to prevent re-infection during the upgrade process.
4. Click Start, point to Programs, click Administrative Tools, and then click Services. Start the following services, if necessary:
   • SQLAgent$MSAC
   • MSSQL$MSAC
5. Install QFE813058.EXE (MSDE Service Pack 2 for Application Center) by running QFE813058.exe.
6. Install Security Bulletin MS02-061, as described earlier.
7. Reconnect your server to the network.
8. Restore the event and performance logging options that you changed in step 2.

For clusters with more than one member that have NOT had QFE813058.EXE applied already

1. Remove a member server from the cluster.
2. Disconnect it from the network.
3. Click Start, point to Programs, click Administrative Tools, and then click Services. Start the following services, if necessary:
   • SQLAgent$MSAC
   • MSSQL$MSAC
4. Install Hotfix 813058 (MSDE Service Pack 2 for Application Center) by running QFE813058.exe.
5. Install Security Bulletin MS02-061, as described earlier.
6. Reconnect the server to the network.
7. Rejoin the cluster.
8. Promote the newly patched member to a controller.
9. Repeat steps 1 through 7 on the remaining members.

For any Application Center 2000 servers that have had QFE813058.EXE applied already

1. Set the cluster member server offline.
2. Disconnect the cluster member server from the network.
3. Click Start, point to Programs, click Administrative Tools, and then click Services. Start the following services, if necessary:
   • SQLAgent$MSAC
   • MSSQL$MSAC
4. Type or cut and paste the following lines into a file C:\FixUp813058.cmd.
   • Make sure that your browser window is wide enough that you only see 21 lines of text.
   • Make sure there are no spaces at the beginning of the lines.

    
   @echo off
   OSQL -S .\MSAC -E -Q"EXIT(select sign(charindex('8.00.534',@@version))+1)"
   IF ERRORLEVEL 3 GOTO FINISH
   IF ERRORLEVEL 2 GOTO FIXREG 
   ECHO Not an SP2 instance...quitting
   GOTO FINISH 
   :FIXREG
   echo Windows Registry Editor Version 5.00 > c:\fixmsdesp2.reg
   echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSAC\MSSQLServer\CurrentVersion] >> c:\fixmsdesp2.reg
   echo "CSDVersionNumber"=dword:00000200 >> c:\fixmsdesp2.reg 
   echo "CSDVersion"="8.00.534" >> c:\fixmsdesp2.reg
   regedit -s c:\fixmsdesp2.reg 
   IF ERRORLEVEL 1 GOTO REGERROR 
   del c:\fixmsdesp2.reg
   echo Registry successfully updated 
   OSQL -S .\MSAC -E -Q "sp_configure 'MAX SERVER MEMORY',64" 
   OSQL -S .\MSAC -E -Q "reconfigure with override"
   GOTO FINISH
   :REGERROR 
   echo Error updating the registry
   :FINISH  

5. Run C:\FixUp813058.cmd on the member
6. Install MS02-061.
7. Reconnect the server to the network.
8. Set the server online.

To work around this problem in cases where you cannot obtain the SQL Critical Update, disable and stop MSDE 2000 all members:

1. Before you disable and stop MSDE 2000 all members, record the service startup type setting so that it can be restored when you are ready to apply the QFE813058.EXE upgrade.
2. Disable and stop SQL Server 2000 Desktop Engine services:
   • For the MSSQL$MSAC service, follow these steps:
     1. Click Start, point to Programs, point to Administrative Tools, and then click Services.
     2. Right-click the MSSQL$MSAC service, select startup type Disabled, click Apply, and then click Stop.
   • For the SQLAgent$MSAC service, follow these steps:
     1. Click Start, point to Programs, point to Administrative Tools, and then click Services.
     2. Right-click the SQLAgent$MSAC service, select startup type Disabled, click Apply, and then click Stop.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.