Type Internet worm
Date Discovered 2003.01.25
Place of Origin
Source Language
Platform SQL Server
File Type(s) UDP Packet*
Infection Length 404 bytes
Reported Costs $1.2 billion

Slammer (also known as Sapphire, Helkern or SQLExp) was a worm that appeared in 2003 January and was the fastest-spreading worm of its time. The worm was an extremely simple piece of code and its payload was an unintended byproduct of its spreading ability. It was considered the first "Warhol worm", an idea first predicted in a paper in the previous year.


Slammer on the infecting computer sends a UDP datagram to port 1434 on the target. The datagram exploits a buffer overflow vulnerability in the SQL Server Monitor that overwrites the stack and executes the rest of the exploit. When it is in the target's memory it begins sending datagrams of its exploit and worm code to random IP addresses to infect new targets.

Slammer exists entirely in the computer's memory. At no point does it save itself to any disk. It makes no changes to the system at all. These facts make removal of the worm as easy as shutting the system down.


Taking 15 minutes to spread worldwide, the SQL Slammer worm was one of the largest and fastest spreading worms ever. For this reason, some have described Slammer as the first "Warhol worm" (had its 15 minutes of fame), a fast-propagating Internet worm hypothesized in 2002 in a paper by Nicholas Weaver.

Slammer spread to over 90 percent of all vulnerable hosts in 10 minutes and infected around 359,000 computers total. Its population doubling time was about 37 minutes. 5 of the Internet's 13 root DNS servers went down and about 10 of them experienced massive packet loss due to the amount of bandwidth the worm consumed. London-based market intelligence firm Mi2g said that the worm caused between $950 million and $1.2 billion in lost productivity in its first five days worldwide.

North America

In the United States, Windows XP activation servers in Redmond, Washington were taken offline. Continental Airlines resorted to pens and paper to record reservations and tickets. The airline had to delay and cancel some flights, though no delays lasted more than 30 minutes.

Banks in the US and Canada were hard hit. A majority of Bank of America's ATMs were rendered usless and while most were running by the evening, some customers reported being unable to use them well into the next day. Washington Mutual's ATMs and other bank services were unavailable for most of the day. Customers of the Canadian Imperial Bank of Commerce in Toronto were unable to withdraw money using ATMs.

The U.S. departments of State, Agriculture, Commerce and Defense were infected with the worm. The Emergency 911 network was down for some time. More disturbingly, the David-Besse nuclear plant in Ohio after getting into an employee's unsecured network. The plant was already offline from the power grid since the previous year because of a hole in the reactor.

Some Associated Press news services were interrupted. The Atlanta Journal-Constitution computer network was infected, forcing the paper to delay the publication of the Sunday first edition and delaying updates of the paper's Web site. The Philadelphia Inquirer had already printed its early Sunday edition before the worm hit, that paper was also hit by the worm.

Asia and Europe

South Korea was particularly hard hit by the worm. The some of the Korean media claimed that the entire Internet infrastructure was knocked out and that billions of Won were lost. Customers of the ISP KT Freetel Corp and SK Telecom lost their internet connections.

In Portugal, more than 300,000 customers of Cable ISP Netcabo lost internet access.

Late 2016 Comeback

Between 28 November and 4 December in 2016, the Slammer worm made a few brief appearences. It came from IP addresses in China, Mexico, Ukraine, and Vietnam with some small amount coming from Russia, Venezuela, Argentina, Thailand and the US. It made the list of top 10 spot for December for most common threats, peaking at number 3. The US was the primary target with 26% of attacks hitting that country, but the UK and Israel with roughly 7% each were also significant targets. The reason for its reappearance is every bit as much of a mystery as its origin.


Czech police believed that Benny of the virus magazine 29A was responsible for the worm. This is unlikely, as most 29A members do not release their viruses into the wild and only write viruses to explore new concepts and test coding abilities. It is possible though, that the worm may come from Benny's code, but was compiled by another person who released it, since 29A members regularly post their source code on sites for anyone to read. However, he has not released source code for anything like this. The true creator remains unknown.


Jensenne Roculan, Sean Hittel, Daniel Hanson, Jason V. Miller, Bartek Kostanecki, Jesse Gough, Mario van Velzen, Oliver Friedrichs. DeepSight(tm) Threat Management System Threat Analysis, SQLExp SQL Server Worm Analysis. 2003.01.28

David Moore, Vern Paxson, Colleen Shannon, Stuart Staniford, Nicholas Weaver
Inside the Slammer Worm. 2003

John Leyden. The Register, ATMs, ISPs hit by Slammer worm spread 2003.01.27

-. -, SQL worm slams the Net. 2003.01.27

Daniel Sieberg, Dana Bash. CNN Technology, Computer worm grounds flights, blocks ATMs. 2003.01.26

Arirang TV, Chosun Ilbo, No Major Incidents After Internet Disruptions. 2003.01.27

Robert Lemos. CNet News, "Counting the cost of Slammer" 2003.01.31

-. -, "'Slammer' attacks may become way of life for Net" 2003.02.06

Dan Ilett., "Police quiz ex-virus writer in Slammer investigation" 2004.11.29

Danny Palmer. ZDNet, After a decade of silence, this computer worm is back and researchers don't know why. 2017.02.03

-. -, Did this ransomware threat drop away because cybercrooks went on holiday? 2017.01.17

Kevin Poulson. Security Focus, Slammer worm crashed Ohio nuke plant network. 2003.08.19

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License