03/22/04 - W32/Witty.worm
(Anyone running BlackIce will be disconnected from the network until the patch for this vulnerability has been applied.)
Internet Worm Characteristics:
-- Update March 21st 2004 04:25 PST --
This threat has been deemed Low-Profiled due to media attention at the following site:
http://news.netcraft.com/archives/2004/03/20/witty_worm_targets_black_ice_disables_machines.html --
Users not running a vulnerable BlackIce product cannot be infected by this worm. W32/Witty.worm is a network worm that tries to exploit the ISS/PAM ICQ module vulnerability (see the ISS advisory) in BlackIce products.
Rebooting an infected system removes the virus from memory, and the virus is not reloaded on system startup. Note, however, that a system running a vulnerable BlackIce product may be reinfected unless it is updated to the latest version or the product is removed from the system.
This worm spreads using network traffic only. No emails are sent and no files are dropped on the machine. The user does not have to run anything and sees nothing of the infection process.
Note: As the worm drops no files on the machine, the 4340 DATs and later detect the worm only while it is running in memory on an infected machine.
When a malicious packet hits a vulnerable machine, the worm will get executed in memory and start to spread from the new victim.
The worm first sends out 20,000 packets from UDP port 4000 to random IP addresses and random ports. Then it writes 64kb of the exploited DLL to a random position on the hard drive. After that, it starts spreading again and loops.
The payload, writing 65K bytes to a random position on the disk, results in corrupted files. The longer a machine is infected, the more of the hard drive gets damaged! Tests show that a machine infected for 10 minutes was not able to reboot because of damaged system files.
Damaged files need to be replaced from a backup - they can't be cleaned as they have been overwritten.
Version BlackIce 3.6.ccf is affected by this worm; the latest available version (BlackIce 3.6.ccg), as well as version 3.5 and prior, is not.
A patch for BlackIce products is available at:
http://blackice.iss.net/update_center/index.php
Symptoms
Outgoing UDP network traffic from port 4000 to random IP addresses.
Corrupted files on disk.
System reacts very slowly.
BLACKD.EXE has about 99% CPU usage.
System may become unstable or unable to boot.
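The first symptom above, UDP traffic from source port 4000 fanning out to random addresses and random ports, can be checked against firewall or flow logs. The following is an added example and not part of this advisory or of any ISS or McAfee tool; the log line format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the advisory); the format is assumed:
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
04:25:01 UDP 10.0.0.5:4000 -> 198.51.100.17:31337
04:25:01 UDP 10.0.0.5:4000 -> 203.0.113.9:443
04:25:01 UDP 10.0.0.5:4000 -> 192.0.2.44:12
04:25:02 UDP 10.0.0.5:4000 -> 198.51.100.200:60000
04:25:02 UDP 10.0.0.5:4000 -> 203.0.113.77:8
04:25:02 UDP 10.0.0.5:4000 -> 192.0.2.130:5555
04:25:03 UDP 10.0.0.9:4000 -> 10.0.0.1:4000
04:25:03 TCP 10.0.0.7:4000 -> 203.0.113.2:80
04:25:04 UDP 10.0.0.7:53 -> 192.0.2.53:53
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def witty_suspects(log_text, min_targets=5):
    """Return {src_ip: (distinct_dst_count, distinct_dport_count)} for hosts whose
    UDP traffic from source port 4000 reaches at least min_targets distinct IPs.
    Witty's burst goes to random addresses and random ports, so the wide scatter is the signal."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["sport"] != "4000":
            continue  # only UDP with source port 4000 matters here
        targets[rec["src"]].add(rec["dst"])
        ports[rec["src"]].add(rec["dport"])
    return {
        src: (len(dsts), len(ports[src]))
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }

if __name__ == "__main__":
    for src, (n_dst, n_port) in witty_suspects(SAMPLE_LOG).items():
        print(f"{src}: UDP/4000 to {n_dst} distinct hosts, {n_port} distinct ports")
```

A host such as 10.0.0.9 talking to one peer on UDP/4000 is not flagged at the default threshold; the flagged host should then be checked for BLACKD.EXE CPU usage and the BlackIce version.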
More info on this worm:
http://vil.nai.com/vil/content/v_101118.htm
Removal Instructions
Go to the following website for removal instructions:
http://vil.nai.com/vil/content/v_101118.htm
Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger