w32.witty.worm

Discussion in 'malware problems & news' started by gerardwil, Mar 21, 2004.

Thread Status:
Not open for further replies.
  1. gerardwil

    gerardwil Registered Member

    W32.Witty.Worm
    Discovered on: March 20, 2004
    Last Updated on: March 21, 2004 09:55:11 AM

    W32.Witty.Worm utilizes a Vulnerability in ICQ Parsing by ISS Products. The worm sends itself out to multiple IP addresses on source port 4000/UDP and a random destination port. The worm is a memory-only based threat and does not create files on the system.

    The worm has a payload of overwriting random sectors of a random hard disk.

    NOTE: If your system is not running a vulnerable version of one of the products affected, then you will not be infected. Products affected by this vulnerability are listed below:

    BlackICE™ Agent for Server 3.6 ebz, ecd, ece, ecf
    BlackICE PC Protection 3.6 cbz, ccd, ccf
    BlackICE Server Protection 3.6 cbz, ccd, ccf
    RealSecure® Network 7.0, XPU 22.4 and 22.10
    RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
    RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
    RealSecure Desktop 3.6 ebz, ecd, ece, ecf
    RealSecure Guard 3.6 ebz, ecd, ece, ecf
    RealSecure Sentry 3.6 ebz, ecd, ece, ecf

    If you are running a product that has the vulnerability used by the worm, we recommend that you apply the relevant patch as soon as possible. Patches for this vulnerability are available at http://blackice.iss.net/update_center/index.php.

    Symantec Security Response recommends that administrators block inbound and outbound traffic to their networks on source port 4000/UDP. Please note that the destination port for traffic generated by the worm is selected randomly.
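
An added example, not part of the original post or the Symantec advisory: a flow-log check for the traffic pattern described above, UDP from source port 4000 to many addresses on varying destination ports. The record format, the sample flows and the fan-out threshold are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

WITTY_SRC_PORT = 4000   # UDP source port named in the advisory
MIN_DISTINCT_DSTS = 5   # assumed fan-out threshold; tune per network

# Constructed sample flows: proto,src_ip,src_port,dst_ip,dst_port
SAMPLE_FLOWS = """\
udp,10.0.0.5,4000,198.51.100.1,31337
udp,10.0.0.5,4000,198.51.100.2,1029
udp,10.0.0.5,4000,198.51.100.3,52011
udp,10.0.0.5,4000,203.0.113.4,7
udp,10.0.0.5,4000,203.0.113.5,44120
udp,10.0.0.5,4000,192.0.2.6,9000
udp,10.0.0.9,4000,203.0.113.7,4000
udp,10.0.0.9,4000,203.0.113.7,4000
tcp,10.0.0.12,4000,198.51.100.1,80
tcp,10.0.0.12,4000,198.51.100.2,80
udp,10.0.0.20,53124,198.51.100.9,53
this,line,is,malformed
udp,10.0.0.5,not-a-port,198.51.100.8,1
"""

def parse_flows(text):
    """Yield (proto, src_ip, src_port, dst_ip, dst_port); skip malformed rows."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        proto, src, sport, dst, dport = (field.strip() for field in row)
        try:
            yield proto.lower(), src, int(sport), dst, int(dport)
        except ValueError:
            continue  # non-numeric port: ignore the record

def suspicious_sources(flows, min_dsts=MIN_DISTINCT_DSTS):
    """Map src_ip -> (distinct dst IPs, distinct dst ports) for hosts that
    fan out UDP from source port 4000 to varying destination ports."""
    dst_ips, dst_ports = defaultdict(set), defaultdict(set)
    for proto, src, sport, dst, dport in flows:
        if proto == "udp" and sport == WITTY_SRC_PORT:
            dst_ips[src].add(dst)
            dst_ports[src].add(dport)
    # A host using port 4000 toward a single peer or a single port is not flagged.
    return {src: (len(dst_ips[src]), len(dst_ports[src])) for src in dst_ips
            if len(dst_ips[src]) >= min_dsts and len(dst_ports[src]) > 1}

if __name__ == "__main__":
    for src, (n_ips, n_ports) in suspicious_sources(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: UDP/4000 -> {n_ips} hosts, {n_ports} destination ports")
```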
     
  2. snowbound

    snowbound Retired Moderator

    Since there is already reference to this here,

    http://www.wilderssecurity.com/showthread.php?t=25182

    this thread is closed.




    snowbound
     