Topic: SQL Slammer found in firewall log

safe1

  • Guest
SQL Slammer found in firewall log
« on: April 12, 2006, 08:06:14 PM »
Hello,
Every time I do a thorough scan I always get a warning that the SQL Slammer virus was found in my McAfee firewall log, and I immediately delete it.

I really don't think I have the SQL server; especially after searching for "sqlservr.exe" as instructed by Microsoft bulletin MS02061, no files were found. I'm not even sure what the heck SQL server is.

The file location is always C:\Windows\Program Files\Mcafee\Firewall\Data\Log file with the current date.

Could this possibly be a false positive? If I just do a quick scan it does not show up; but if I go directly to that file and right click to scan, the warning pops up.

Please let me know what to do.
Thanks a lot,

safe1

Btw: I have Windows 98SE with McAfee firewall 4.

CharleyO

  • Guest
Re: SQL Slammer found in firewall log
« Reply #1 on: April 12, 2006, 08:25:08 PM »
***

Welcome to the forums, safe1.    :)

Well, until I went looking, I did not realize SQL server would run on W98SE.
BUT, in a limited way, it even runs on W95.    :o

http://www.microsoft.com/sql/prodinfo/previousversions/system-requirements.mspx

I have no idea why this worm is showing up in your firewall logs but then I have never used McAfee's firewall and know nothing about it. Hopefully, someone here can help you with this.


***

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: SQL Slammer found in firewall log
« Reply #2 on: April 12, 2006, 08:36:30 PM »
Well, you should test it using a multi-engine scanner and, if it is a false positive, exclude it from scans and, more importantly, send a sample to avast.

You can check the offending/suspect file at Jotti - Multi engine on-line virus scanner or VirusTotal - Multi engine on-line virus scanner. If any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.

If you are getting a virus warning that you believe is a false positive, zip and password protect ('virus' will do) the suspect file and send it to virus @ avast.com (no spaces), or send it from the chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and scan it periodically using the ashQuick scan (right click, scan); when it is no longer detected, remove it from the exclusions.
Also see (Mini Sticky) False Positives
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

safe1

  • Guest
Re: SQL Slammer found in firewall log
« Reply #3 on: April 12, 2006, 09:55:31 PM »
Hello everyone,

I just sent the file to VirusTotal-Multi engine-on-line virus scanner, and will be notified by email. I'm hoping it's a false positive, since I'm really not sure how to deal with patching SQL, or if I even have it. I know I don't use it if I do have it. I looked in my control panel to see if it's an installed program and it does not show up.

I'll let everyone know what the analysis states once I receive it.
Thanks for all the help!!

safe1

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: SQL Slammer found in firewall log
« Reply #4 on: April 12, 2006, 11:09:18 PM »
You should be able to get an on-line result when you upload to the site, rather than send the file by email.

By clicking the Browse button at the top of the page you can select the file from your HDD and click send to upload it for checking.

safe1

  • Guest
Re: SQL Slammer found in firewall log
« Reply #5 on: April 13, 2006, 03:32:00 PM »
Hello David,
I got my results back, and great news!! Nothing was found, so I'm assuming it is a false positive.

The really weird thing is that Avast, on the report, showed nothing found. Wonder why my avast detects it as a virus. I always check for updates daily on the dats as well as the program.


Scan results
 File: 04122006.log
 Date: 04/12/2006 21:50:33 (CET)
----
AntiVir   6.34.0.24/20060412   found nothing
Avast   4.6.695.0/20060403   found nothing
AVG   386/20060412   found nothing
Avira   6.34.0.56/20060412   found nothing
BitDefender   7.2/20060412   found nothing
CAT-QuickHeal   8.00/20060412   found nothing
ClamAV   devel-20060202/20060412   found nothing
DrWeb    4.33/20060412   found nothing
eTrust-InoculateIT   23.71.127/20060412   found nothing
eTrust-Vet   12.4.2161/20060412   found nothing
Ewido   3.5/20060412   found nothing
Fortinet   2.71.0.0/20060412   found nothing
F-Prot   3.16c/20060412   found nothing
Ikarus   0.2.59.0/20060412   found nothing
Kaspersky   4.0.2.24/20060412   found nothing
McAfee   4739/20060412   found nothing
NOD32v2   1.1485/20060412   found nothing
Norman   5.90.15/20060412   found nothing
Panda   9.0.0.4/20060412   found nothing
Sophos   4.04.0/20060412   found nothing
Symantec   8.0/20060412   found nothing
TheHacker   5.9.7.128/20060411   found nothing
UNA   1.83/20060412   found nothing
VBA32   3.10.5/20060412   found nothing

Thanks

Safe1

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: SQL Slammer found in firewall log
« Reply #6 on: April 13, 2006, 04:41:51 PM »
Signatures can at times match code that isn't malicious, especially if it is trying to detect variants of a virus type, like SQL Slammer.

You should now take the actions I mentioned on reporting a false positive; this will help others, as the signature will be modified to cater for this FP. Also add the file to the exclusions list.

safe1

  • Guest
Re: SQL Slammer found in firewall log
« Reply #7 on: April 13, 2006, 08:14:14 PM »
David:

I did send a sample via email today, directly from my virus chest. Just out of curiosity I went into my McAfee firewall log folder and right-clicked and scanned with Avast, and sure enough the alarm went off saying it detected a virus. I moved it into my virus chest and emailed it, as I've done several others. I have never gotten a response of any kind to any of the previous emails I have sent. I always include in the email, "could this be a false positive?"

Thanks for all your help!

safe1

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: SQL Slammer found in firewall log
« Reply #8 on: April 14, 2006, 09:39:12 AM »
I didn't see the file so I'm judging just by the description, but I actually don't think it's a false alarm.
The firewall is probably logging some attack information/packets into a file - and if somebody attacked you with an "SQL Slammer" attack (which is quite likely, there is still a lot of this stuff out there), it saved the infection code to the log file. Sure, it is not dangerous and cannot infect you, but it's still there - and I think it's correct for an antivirus to report that.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: SQL Slammer found in firewall log
« Reply #9 on: April 14, 2006, 04:40:41 PM »
That may well be the case, but how does that account for the non-detection by all the scanners, including avast?

Considering the VirusTotal site uses the Windows version of avast, the same as safe1, I can only conclude that they haven't/didn't have the latest avast VPS. They are also using an older version of avast (4.6.695.0/20060403 found nothing); that date doesn't correspond to that version number, version 4.6.763 is 20060128.

I hope it isn't an indication of the VPS date, which is very old; 20060403 equates to VPS 0614-0, well out of date.

If that date relates to the VPS, then the VirusTotal site is so far out of date as to be a waste of time, and could well be very misleading and possibly harmful if one took the results as gospel. Not only that, it is possibly damaging to avast's reputation.

safe1

  • Guest
Re: SQL Slammer found in firewall log
« Reply #10 on: April 14, 2006, 05:17:16 PM »
Now what?

Well, yesterday I thought I'd be safe and I right-clicked my firewall log file, and sure enough the warning came up. I didn't do anything with the file so that I could send it to the Virus on line center. Well, here's the latest results:

Virus Total
_______________________________________________

Scan results
 File: 04132006.log
 Date: 04/13/2006 22:25:43 (CET)
----
AntiVir   6.34.0.24/20060413   found [Worm/SQL.Slammer.dmp]
Avast   4.6.695.0/20060403   found [Win32:SQLSlammer]
AVG   386/20060413   found nothing
Avira   6.34.0.56/20060413   found [Worm/SQL.Slammer.dmp]
BitDefender   7.2/20060413   found nothing
CAT-QuickHeal   8.00/20060413   found nothing
ClamAV   devel-20060202/20060413   found nothing
DrWeb    4.33/20060413   found nothing
eTrust-InoculateIT   23.71.128/20060412   found nothing
eTrust-Vet   12.4.2162/20060413   found [Win32/SQLSlammer]
Ewido   3.5/20060413   found nothing
Fortinet   2.71.0.0/20060412   found nothing
F-Prot   3.16c/20060413   found nothing
Ikarus   0.2.59.0/20060413   found nothing
Kaspersky   4.0.2.24/20060413   found nothing
McAfee   4740/20060413   found nothing
NOD32v2   1.1488/20060413   found nothing
Norman   5.90.15/20060413   found nothing
Panda   9.0.0.4/20060413   found nothing
Sophos   4.04.0/20060413   found nothing
Symantec   8.0/20060413   found nothing
TheHacker   5.9.7.129/20060413   found nothing
UNA   1.83/20060413   found nothing
VBA32   3.10.5/20060413   found nothing

_______________________________________________


So now what do I do? How can I tell if I have the SQL program installed on my computer? It's not in the add/remove programs whatsoever. I've never received any update notices from Microsoft about the patches either. So I'm sorta confused, to say the least.
Anyway, I'm very thankful you are all willing to help me with this problem! Any and all suggestions are welcome!!

safe1
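DavidR's triage above rests on two things that can be read straight off the pasted VirusTotal text report: which engines actually detected something, and whether an engine's signature date (the part after the slash) lags far behind the scan date, as the Avast entry (20060403 on a 13 April scan) does. The following Python, added here as an example and not part of the thread or of VirusTotal's own tooling, parses the report lines in the format pasted above (a trimmed subset of the second scan) and flags stale engines; the 7-day threshold is an assumed cut-off.

```python
import re
from datetime import date, datetime

# Lines copied from the second VirusTotal report in this thread (13 April 2006),
# trimmed to a few engines; the parser treats the full listing the same way.
SCAN_DATE_LINE = " Date: 04/13/2006 22:25:43 (CET)"
REPORT_LINES = """\
AntiVir   6.34.0.24/20060413   found [Worm/SQL.Slammer.dmp]
Avast   4.6.695.0/20060403   found [Win32:SQLSlammer]
AVG   386/20060413   found nothing
eTrust-InoculateIT   23.71.128/20060412   found nothing
eTrust-Vet   12.4.2162/20060413   found [Win32/SQLSlammer]
Fortinet   2.71.0.0/20060412   found nothing
McAfee   4740/20060413   found nothing
""".splitlines()

# engine   version/YYYYMMDD   found <verdict>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)/(\d{8})\s+found\s+(.*)$")


def parse_report(lines):
    """Return (engine, version, signature_date, detection_or_None) per engine line."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # separators, headers and footers are skipped
        engine, version, sigdate, verdict = m.groups()
        detection = None if verdict == "nothing" else verdict.strip("[]")
        rows.append((engine, version, datetime.strptime(sigdate, "%Y%m%d").date(), detection))
    return rows


def scan_date(date_line):
    """The report's Date: line uses MM/DD/YYYY (13 cannot be a month)."""
    month, day, year = map(int, re.search(r"(\d{2})/(\d{2})/(\d{4})", date_line).groups())
    return date(year, month, day)


def detections(rows):
    """Map engine -> detection name for engines that flagged the file."""
    return {engine: name for engine, _, _, name in rows if name}


def stale_engines(rows, scanned, max_age_days=7):
    """Engines whose signature date trails the scan date by more than max_age_days."""
    return [engine for engine, _, sigdate, _ in rows if (scanned - sigdate).days > max_age_days]
```

Running it over the pasted listing yields three detections and a single stale engine, Avast, which is exactly the discrepancy DavidR spotted between the two scans.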

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: SQL Slammer found in firewall log
« Reply #11 on: April 14, 2006, 06:18:36 PM »
SQLSlammer is a network-only worm. It doesn't live in files, it lives in memory only.

Unless you're running Microsoft SQL server (process name: sqlservr.exe), you CANNOT be infected by this worm.


It's almost certain that it's exactly as Igor described: the firewall included the packet in its log, and now it's getting detected.


In other words, relax, you're safe. :)
If at first you don't succeed, then skydiving's not for you.

safe1

  • Guest
Re: SQL Slammer found in firewall log
« Reply #12 on: April 14, 2006, 06:40:25 PM »
Hello VLK,

Thank you for putting me at ease!! I have searched for that sqlservr.exe and nothing came up so I know I'm not running it!
Should I just put the firewall log on the list of exemptions when I scan from now on?

Thanks for your help!!

Safe1

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: SQL Slammer found in firewall log
« Reply #13 on: April 14, 2006, 06:43:00 PM »
As Vlk said you should be OK but future access to the log will likely have the same result, you could clear the log contents.

I don't know if your firewall has the ability to clear or delete the contents of the log (example of mine in Outpost Pro). You could also add your firewall .log file to the Standard Shield and Program Settings exclusions. I'm not sure if this may or may not have a security implication, but it is probably low since this is a text file.
« Last Edit: April 14, 2006, 06:51:11 PM by DavidR »