posted on Mar, 21 2004 @ 05:26 PM
A new internet worm dubbed "W32.Witty" attacks and infects computers running Microsoft Windows and firewall/intrusion-detection software produced by Internet Security Systems (ISS).
The U.S. Department of Homeland Security saw fit to release a "cyber alert" about a piece of malicious software (Phatbot) that exploits a nine-month-old Windows vulnerability, but has not yet issued a statement about a new worm that attacks two widely used programs meant to safeguard home and business computers and is not caught by antivirus software. I found out about the problem when it began to appear in various online articles. It is unlikely that it would have been immediately obvious to our intrusion detection mechanisms, because the worm spreads using a port commonly used by the Internet messaging service "ICQ."
The Register: "Witty"
The 'Witty' worm's name comes from a message buried within its code that says: "insert witty message here."
Using flaws in the code of the BlackIce and RealSecure programs, the worm loads itself into the memory of the target machine and begins to propagate to other computers. Unlike many other self-replicating worms, this one has a destructive payload: it can overwrite computer data and even render a hard drive un-bootable.
A new worm that, ironically, makes sport of Win-32 systems defended by BlackIce and RealSecure firewall products from Internet Security Systems
(ISS) began circulating Saturday.
The worm, dubbed 'witty,' is memory-resident only and propagates via UDP port 4000, and possibly others. While occupied with reproducing itself,
it overwrites data on the local hard disk(s), and can render a machine un-bootable if it corrupts the master boot record or partition table, or file
allocation tables.
The worm is exceptionally vicious by current standards and implies the presence of a highly motivated spoil-sport, such as a disgruntled former
employee, an envious competitor, or a monumentally dissatisfied customer. Or it could just be a cool bit of retro coding.
ISS released updates for the affected software packages on Mar 19th, 2004 to address the ICQ parsing flaw. If you have either BlackIce or RealSecure it is very important to apply the updates immediately. Blocking UDP port 4000 at the network perimeter would also be prudent; note that the worm's packets are sent from a fixed UDP source port of 4000 to random destination ports, so a rule that matches only destination port 4000 will not stop it.
Removal of the worm is simple. Since it is never written to the hard disk, a re-boot will unload it, but unless the vulnerable software is patched or the worm traffic is blocked, there is every chance that the computer will be re-infected. Recovering data from a damaged hard disk is much more problematic.
Since implementing a rule to block UDP port 4000 at 16:00 hours (GMT -5) there have been 286 scans for that port, and there are no users running ICQ on the network.
NOTE: As an experiment, I set up a Windows XP machine with an old version of the BlackIce PC software and exposed its IP address to the Internet.
Within 3 hours the computer had locked up and when re-booted the hard disk was corrupted and the OS would not load.
More Information:
Symantec
ISS Download Center
SecurityFocus
[Edited on 21-3-2004 by Banshee]
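As an added example (not part of the original post, and not code from ISS or The Register), here is a small Python script that counts Witty-style probes in firewall log lines of the kind a perimeter block rule on UDP 4000 would produce. The log lines are constructed in iptables LOG format purely for illustration, and all addresses in them are documentation ranges, not real hosts. The detection keys on the worm's fixed UDP source port 4000 (a documented property of Witty) rather than on destination port 4000, which is what a legitimate ICQ client sends to. One caveat the script handles: replies from a real ICQ server also come from UDP source port 4000, so the check assumes a network with no ICQ users (as the post states) or an explicit allow-list of known ICQ server addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in iptables LOG format (not real captures).
# Lines 1-3 and 5 look like Witty: UDP, source port 4000, random destination port.
# Line 4 is an ordinary outbound ICQ login (destination port 4000); line 6 is TCP.
SAMPLE_LOG = """\
Mar 21 16:02:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=4000 DPT=31337
Mar 21 16:02:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=4000 DPT=1023
Mar 21 16:02:12 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=UDP SPT=4000 DPT=5555
Mar 21 16:02:13 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=198.51.100.9 PROTO=UDP SPT=1025 DPT=4000
Mar 21 16:02:14 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=UDP SPT=4000 DPT=200
Mar 21 16:02:15 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=4000 DPT=80
"""

# Fields of an iptables LOG line that the classifier needs.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of src/dst/proto/spt/dpt, or None if the line is not a packet log."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_witty_probe(rec, known_icq_servers=frozenset()):
    """Witty spreads as UDP datagrams sent FROM port 4000 to a random destination port.

    A normal ICQ client sends TO udp/4000 from an ephemeral port, so it does not match.
    A real ICQ server's reply does come from udp/4000; pass its addresses in
    known_icq_servers to exclude them (or rely on there being no ICQ users at all)."""
    return (
        rec["proto"] == "UDP"
        and rec["spt"] == 4000
        and rec["src"] not in known_icq_servers
    )


def summarize(log_text, known_icq_servers=frozenset()):
    """Count probes overall, per source, and the distinct destination ports each source hit.

    Many distinct destination ports from one source is the random-port spray the worm does;
    a single repeated destination port would look more like a misconfigured client."""
    total = 0
    by_source = Counter()
    dst_ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_witty_probe(rec, known_icq_servers):
            continue
        total += 1
        by_source[rec["src"]] += 1
        dst_ports[rec["src"]].add(rec["dpt"])
    return {
        "total": total,
        "by_source": dict(by_source),
        "dst_ports": {src: sorted(ports) for src, ports in dst_ports.items()},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} Witty-style probes")
    for src, n in sorted(report["by_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {src}: {n} probes, {len(report['dst_ports'][src])} distinct destination ports")
```

Run it against a real firewall log by replacing SAMPLE_LOG with the file contents; the source-port test is what separates worm traffic from the ICQ client traffic a plain "port 4000" rule would also catch.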