Next 'Slammer' could be worse

By Ellen Messmer , Network World , 02/03/2003

As cleanup of the MS-SQL Slammer worm continued last week, talk among security experts centered on two facets of the attack that might portend greater trouble: the remarkable speed with which Slammer spread, and the idea that future versions might carry a nefarious payload.

Experts fear future variations could wipe out files or worse.

"It could delete [a] whole database," says Ed Skoudis, vice president of security strategy at consultancy Predictive Systems. Extending Slammer's destructiveness would require skill, but chances of that happening are growing since hacker groups and legitimate security firms have posted an analysis of the machine code after reverse-engineering it.

While many are blaming network administrators for failing to take proper precautions, complaints are mounting about how difficult it is to apply patches that Microsoft supplied six months ago to prevent the kind of buffer-overflow attack this worm uses.

Moving in a flash across the Internet, Slammer blasted through an estimated half-million vulnerable servers by week's end, wreaking havoc inside corporate intranets, disrupting e-commerce, and even causing a global 'Net slowdown. Within minutes, it had slipped into corporations through firewalls left open at ports 1433 and 1434, or spread through infection by e-commerce partners. Some ISPs, including AT&T, now are filtering out the worm.

A number of corporations hit by Slammer had to shut down internal operations for a day to get rid of the worm, which was flooding their intranets with a denial-of-service (DoS) attack.

"We experienced a systems slowdown due to the worm," says JP Morgan Chase spokesman Tom Johnson. "And we shut down our online banking as well."

Randomly scanning at high speed in search of unpatched SQL Servers or any unpatched applications using the licensed Microsoft Data Engine (MSDE) code, Slammer generated huge amounts of UDP packet traffic, causing a 50% degradation of Web site availability around the world as it gained steam early Jan. 25. Internet traffic returned to normal around noon that day, according to monitoring firm Keynote Systems.
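The propagation behaviour described above (random high-speed scanning that sprays UDP at port 1434 toward many addresses) is what a network defender can look for in firewall logs. The following is an added detection example, not code from the article or from any vendor named in it: it parses a constructed, simplified firewall log format (the format, the sample lines, the 10-second window and the five-destination threshold are all assumptions made for this example) and flags any internal host whose UDP/1434 traffic fans out to an unusually large number of distinct destinations, which distinguishes a scanning host from a legitimate client that talks to one or two known SQL Servers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a generic "ACTION PROTO src:port -> dst:port"
# firewall format. This format and every address below are assumptions for
# this example; real firewall log formats differ.
SAMPLE_LOGS = [
    # One host sprays UDP/1434 at eight unrelated addresses inside two seconds.
    "2003-01-25T05:30:01 ACCEPT UDP 10.0.0.5:1099 -> 192.0.2.1:1434",
    "2003-01-25T05:30:01 ACCEPT UDP 10.0.0.5:1099 -> 198.51.100.7:1434",
    "2003-01-25T05:30:01 ACCEPT UDP 10.0.0.5:1099 -> 203.0.113.9:1434",
    "2003-01-25T05:30:02 ACCEPT UDP 10.0.0.5:1099 -> 192.0.2.44:1434",
    "2003-01-25T05:30:02 ACCEPT UDP 10.0.0.5:1099 -> 198.51.100.200:1434",
    "2003-01-25T05:30:02 ACCEPT UDP 10.0.0.5:1099 -> 203.0.113.77:1434",
    "2003-01-25T05:30:02 ACCEPT UDP 10.0.0.5:1099 -> 192.0.2.130:1434",
    "2003-01-25T05:30:02 ACCEPT UDP 10.0.0.5:1099 -> 198.51.100.3:1434",
    # A normal client querying one known SQL Server's resolution service.
    "2003-01-25T05:30:01 ACCEPT UDP 10.0.0.9:3301 -> 10.0.1.10:1434",
    "2003-01-25T05:30:05 ACCEPT UDP 10.0.0.9:3302 -> 10.0.1.10:1434",
    # A normal TCP session to the SQL Server listener on 1433.
    "2003-01-25T05:30:03 ACCEPT TCP 10.0.0.7:4022 -> 10.0.1.10:1433",
    # Unrelated UDP traffic (DNS) that must not be counted.
    "2003-01-25T05:30:04 ACCEPT UDP 10.0.0.7:5353 -> 10.0.1.53:53",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(lines, port=1434, window_seconds=10, min_targets=5):
    """Return {src: distinct-destination count} for every source that sent UDP
    to `port` at `min_targets` or more distinct destinations within any span of
    `window_seconds`. Random scanning fans out to many addresses; a legitimate
    client talks to a handful of known servers, so fan-out is the signal."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] != port:
            continue
        events[rec["src"]].append((rec["ts"], rec["dst"]))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        best, left = 0, 0
        # Sliding window over time-ordered events; count distinct destinations.
        for right in range(len(evs)):
            while (evs[right][0] - evs[left][0]).total_seconds() > window_seconds:
                left += 1
            distinct = len({dst for _, dst in evs[left:right + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOGS).items():
        print(f"{src}: UDP/{1434} to {n} distinct hosts within 10s (scan-like fan-out)")
```

The check keys on fan-out rather than on packet volume alone, because a busy but legitimate SQL client can generate plenty of UDP/1434 traffic to a single server; it is the number of distinct targets per unit of time that separates a worm-style scanner from normal use. The same function can be pointed at port 1433 or any other port to look for the same pattern.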

Slammer's DoS attack was so intense in its first hours that latency-sensitive applications such as voice over IP would have been severely affected, says Hossein Eslambolchi, AT&T's CTO and president of AT&T Labs.
