Note: This is an archival copy of Security Sun Alert 201492 as previously published on
Latest version of this security advisory is available from as Sun Alert 1001115.1.
Article ID : 1001115.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-19
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Recent Mass Mailing of "Worms" or Mail Viruses May Cause Network and Application Performance Degradation


Release Phase

Bug Id

Date of Resolved Release


Although Solaris is not directly affected by recent email virus and network "worm" attacks and/or vulnerabilities, the effects of these attacks can degrade network performance and networked applications on all UNIX operating environments including Solaris.

1. This issue is described in:

W32/Sobig.F Worm IN-2003-03 at:

Microsoft Security Bulletin MS03-026 at:

2. Worms that exploit this issue are described in:

W32/Blaster Worm CA-2003-20 at:

W32/Welchia or W32/Nachi at:

Contributing Factors

This issue can affect the following releases:

SPARC Platform

  • All Solaris releases

x86 Platform

  • All Solaris releases

Sun Linux

  • Sun Linux 5.0 (LX50)

Sun Cobalt

  • All releases


1. Due do excessive load on networks caused by the email virus or network "worm", a general degradation of network performance (including longer than expected answering times for various network services like NFS or Email) may occur. Symptoms observed on infected networks include a noticable increase of packets on netbios ports 135, 137, 138, 139 (more common on Solaris with Samba or PCNetlink). Use the "snoop" command or any other tool capable of capturing network traffic to display this symptom.

2. Abnormal amount of UDP(7P) broadcast packets on a subnet (udpNoPorts) which may indicate a worm looking for open ports. This value can be checked by running:

    % netstat -s | grep udpNoPorts
tcpInErrs           =     0     udpNoPorts          =164903

3. High levels of ICMP(7P) and ARP(7P) traffic (generated by worms to discover systems on a network). This can be checked by running the following command:

    % netstat -s | grep icmpInMsgs
ICMPv4  icmpInMsgs          = 12074     icmpInErrors        =     0

4. Unexpected connections to TCP(7P) ports used by "worms". TCP resets will be generated by Solaris (tcpOutRsts) as "worms" attempt to contact ports not in use by Solaris. Check this by running the following command:

    % netstat -s | grep tcpOutRsts
tcpOutRsts          =  4054     tcpOutFastRetrans   =    24

Note: Acceptable numbers for all of the above values depend on the size of normal traffic load for a particular network.


The above advisories (see "Impact") encourage disabling access to certain network ports before applying patches to Microsoft systems. The reports do not clearly communicate the need to re-enable the ports on the Solaris systems after the patches have been installed. Customers who do not re-enable the ports may suffer negative effects on the following Solaris network services:

  • UDP port 69 - Trivial File Transfer Protocol (TFTP) - SunRay appliances use this service upon bootup, for example.
  • UDP/TCP ports 123 - Network Time Protocol (NTP)
  • UDP/TCP ports 512-1023 - many Remote Procedure Call (RPC) based services such as NIS+ and NFS, as well utilities such as rsh(1) and rlogin(1) utilize ports in this "priviledged" range.

Note: Ports 593 and 707 are also noted in the above advisories.

Addtional information for tuning Solaris for security concerns may be found in the Sun Blueprint article on security at: and at:


Please see the "Relief/Workaround" section above for the resolution to this issue.

Modification History

Sun Linux 5.0

This solution has no attachment