W32.SQLExp.Worm Removal Tool
Discovered on: January 25, 2003
Last Updated on: January 19, 2006 11:38:17 AM ZE9
What the tool does
Version 1.0.4.1 of the W32.SQLExp.Worm Removal Tool is now available for downloading. When the tool is run, it:
- Determines whether the vulnerable DLL exists on the computer, by first searching the registry, and then all the local hard disks for ssnetlib.dll, thus ensuring that the tool works:
  - With the affected versions of both Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000.
  - On the systems that have multiple instances of the vulnerable software installed on them, with potentially different patch levels.
- Locates the worm thread in the sqlserver.exe process and puts it to sleep.
- Displays a message prompting you to make sure that the Microsoft patch is installed. The patch is available from Microsoft Security Bulletin MS02-061. (If you have no service pack installed for Microsoft SQL Server 2000 or Microsoft Desktop Engine 2000, the vulnerable version of ssnetlib.dll is 8.00.194. If you have Service Pack 1 for the affected products installed, the vulnerable version of the DLL is 8.00.382. If you have Service Pack 2 for the affected products installed, the vulnerable version of the DLL is 8.00.534. Neither version 8.00.636 nor 8.00.679 of this DLL is affected by this vulnerability.)
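The disk search and version check described above can be reproduced for an inventory of every ssnetlib.dll copy on a host. This is an added example, not Symantec's code; the function name is hypothetical, and it assumes the build number (the 194 in 8.00.194) is the third field of the file's version resource.

```powershell
# Added example, not Symantec's code. Build numbers come from the page:
# 8.00.194 (no SP), 8.00.382 (SP1) and 8.00.534 (SP2) are vulnerable;
# 8.00.636 and 8.00.679 are not affected.
$VulnerableBuilds  = @{ 194 = 'no service pack'; 382 = 'Service Pack 1'; 534 = 'Service Pack 2' }
$NotAffectedBuilds = 636, 679

function Get-SsnetlibStatus {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $info  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    # Assumption: the build is the third field of the version resource.
    $build = $info.FileBuildPart
    $status = if ($VulnerableBuilds.ContainsKey($build)) {
        "VULNERABLE ($($VulnerableBuilds[$build]))"
    } elseif ($NotAffectedBuilds -contains $build) {
        'not affected'
    } else {
        # The page lists no other builds, so make no claim about them.
        'unknown build, check against MS02-061'
    }
    [pscustomobject]@{
        Path        = $Path
        FileVersion = $info.FileVersion
        Build       = $build
        Status      = $status
    }
}

# Search every local fixed disk rather than trusting the registry alone,
# so that multiple instances with different patch levels are all reported.
$drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
    Select-Object -ExpandProperty DeviceID
$results = foreach ($drive in $drives) {
    Get-ChildItem -Path "$drive\" -Filter 'ssnetlib.dll' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SsnetlibStatus -Path $_.FullName }
}
$results | Format-Table -AutoSize

# A single vulnerable copy is enough to leave the host exposed.
if ($results | Where-Object Status -like 'VULNERABLE*') {
    Write-Warning 'At least one vulnerable ssnetlib.dll found; apply the MS02-061 patch.'
}
```

Run it from an elevated prompt so that the recursive search can read protected directories.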
Command-line switches available with this tool
Obtaining and running the tool
NOTE: You must have administrative rights to run this tool on Windows NT 4/2000/XP.
- Download the FixSQLex.exe file from: http://securityresponse.symantec.com/avcenter/FixSQLex.exe.
- Save the file to a convenient location, such as your download folder or the Windows desktop (or removable media that is known to be uninfected, if possible).
- To check the authenticity of the digital signature, refer to the Digital signature section.
- Close all the programs before running the tool.
- Double-click the FixSQLex.exe file to start the removal tool.
- Click Start to begin the process, and then allow the tool to run.
- Restart the computer.
- Run the removal tool again to ensure that the system is clean.
- Run LiveUpdate to make sure that you are using the most current virus definitions.
Digital signature
FixSQLex.exe is digitally signed. Symantec recommends that you use only copies of FixSQLex.exe downloaded directly from the Symantec Security Response Web site. To check the authenticity of the digital signature, follow these steps:
- Go to http://www.wmsoftware.com/free.htm.
- Download and save the Chktrust.exe file to the same folder where you saved FixSQLex.exe (for example, C:\Downloads).
- Depending on your operating system, do one of the following:
  - Click Start, point to Programs, and then click MS-DOS Prompt.
  - Click Start, point to Programs, click Accessories, and then click Command Prompt.
- Change to the folder in which FixSQLex.exe and Chktrust.exe are stored, and then type:
chktrust -i FixSQLex.exe
For example, if you saved the file to the C:\Downloads folder, you would enter the following commands (press Enter after you type each command):
cd\
cd downloads
chktrust -i FixSQLex.exe
If the digital signature is valid, you will see the following:
Do you want to install and run "FixSQLex" signed on 1/29/2003 8:10 AM and distributed by Symantec Corporation?
NOTES:
- The date and time that appear in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone.
- If you are using Daylight Saving Time, the time that appears will be exactly one hour earlier.
- If this dialog box does not appear, there are two possible reasons:
  - The tool is not from Symantec: Unless you are sure that the tool is legitimate and that you downloaded it from the legitimate Symantec Web site, you should not run it.
  - The tool is from Symantec and is legitimate: However, your operating system was previously instructed to always trust content from Symantec. For information on this and on how to view the confirmation dialog again, read the document, "How to restore the Publisher Authenticity confirmation dialog box."
- Click Yes to close the dialog box.
- Type exit, and then press Enter. (This will close the MS-DOS session.)
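On systems with PowerShell, the same check can be scripted with the built-in Get-AuthenticodeSignature cmdlet instead of Chktrust.exe. This is an added example, not part of Symantec's procedure; the function name and the C:\Downloads path are illustrative, and the expected publisher string is the one shown in the dialog text above.

```powershell
# Added example, not Symantec's procedure: verify the Authenticode signature
# without launching the file, and confirm who signed it.
function Test-ToolSignature {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Path,
        # Publisher named in the confirmation dialog quoted on the page.
        [string]$ExpectedPublisher = 'Symantec Corporation'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # An unsigned file has no signer certificate at all.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # The signature must verify AND the signer must be the expected publisher;
    # a valid signature from some other publisher is not acceptable.
    $publisherMatches = $subject -like "*CN=$ExpectedPublisher*"
    $trusted = ($sig.Status -eq 'Valid') -and $publisherMatches

    [pscustomobject]@{
        Path             = $Path
        Status           = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        StatusMessage    = $sig.StatusMessage
        Signer           = $subject
        PublisherMatches = $publisherMatches
        Trusted          = $trusted
    }
}

# Illustrative path, matching the example folder used above.
$result = Test-ToolSignature -Path 'C:\Downloads\FixSQLex.exe'
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning 'Signature check failed; do not run this copy of the tool.'
}
```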
Running the tool from a floppy disk
- Insert the floppy disk, which contains the FixSQLex.exe file, in the floppy disk drive.
- Click Start, and then click Run.
- Type the following:
a:\FixSQLex.exe
and then click OK.
NOTE: There are no spaces in the command a:\FixSQLex.exe.
- Click Start to begin the process, and then allow the tool to run.
- If you are running Windows Me, re-enable System Restore.
Revision History:
1.0.1: Added support for Windows9x.
1.0.2: Now searches all local hard drives for the vulnerable ssnetlib.dll (to deal with problems misdetecting some MSDE installations using the registry keys).
1.0.3: Changed the URL string to 02-061 and the name to SQLExp rather than SQLEXP. Fixed a bug that would cause the fixtool to report 'not vulnerable' on a system with multiple versions of ssnetlib.dll.
1.0.4: Fixed a bug that, when using the /silent switch, would cause the fixtool to report 'not vulnerable' on a system with multiple versions of ssnetlib.dll.
1.0.4.1: Slight modification to text when reporting a possible vulnerable system.