April 11, 2003

After work today, I went to my parents' house. The kids were on their last day of official spring break and they spent it with their grandparents.

When I arrived, I found that my Dad was having problems getting connected to the internet. I assumed that it was a simple thing. I sat down and started to poke around. The computer reacted slowly and I had trouble bringing up windows. My dad pointed to the DSL modem at the flashing lights and said, "When it does that, nothing works." The flashing lights are the activity lights.

I called up the network interface and saw no packets coming down and tons going out. It looked like 2 megs a second blasting out. What the hell, I thought. I called up the task manager, and after a long wait, it opened. I looked at the processes and was surprised to see 'sqlserver.exe' running at 90+ percent CPU usage.

SQL on my father's computer? How can this be?

I asked him why he had SQL on his computer. He told me it was for some sales software he had for his company. It couldn't be what I thought it was.

I ended the sqlserver process. The lights stopped flashing. The computer became responsive. I could connect to the net.

Could my father really have the Sapphire/Slammer worm? Looks like it.

I downloaded the Microsoft Slammer Patch Utility, and sure enough his system was wide open to the worm. I ran the utility and rebooted again. Everything seemed fixed.

One of these days, a virus or worm is going to hit the net that does some real damage and individuals will really get hurt. Consider that two and a half months after the Sapphire worm hit the net, packets are still travelling around in significant enough quantities that it found my father's computer.

OS and software manufacturers are going to have to step up to the plate here. Windows Update didn't patch his computer. Norton anti-virus didn't protect his computer. All software is going to need updating of problems built-in.

Posted by michael at April 11, 2003 10:38 PM