
CERT-In Incident Note CIIN-2004-05

BlackICE Witty Worm

Original Issue Date: March 22, 2004

Type : Worm

Aliases: W32/Witty.worm, WORM_WITTY.A

Severity: High

Systems Affected:

  • BlackICE™ Agent for Server 3.6 ebz, ecd, ece, ecf
  • BlackICE PC Protection 3.6 cbz, ccd, ccf
  • BlackICE Server Protection 3.6 cbz, ccd, ccf
  • RealSecure® Network 7.0, XPU 22.4 and 22.10
  • RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
  • RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
  • RealSecure Desktop 3.6 ebz, ecd, ece, ecf
  • RealSecure Guard 3.6 ebz, ecd, ece, ecf
  • RealSecure Sentry 3.6 ebz, ecd, ece, ecf

** The Witty worm can only infect Win32 systems.

Overview

A worm called Witty is said to be spreading via the ICQ instant messaging protocol parsing vulnerability in ISS products. The worm targets unpatched versions of the BlackICE PC Protection product. On infecting a vulnerable system, the Witty worm attempts to propagate by scanning random IP addresses.

Impact

The worm is destructive to the target system, and overwrites key hard disk sectors after sending out its payload. The junk data written to disk may make the system unstable and cause the "blue screen" to occur upon reboot.

Description

The Witty worm targets unpatched versions of the BlackICE PC Protection product. It is a memory-resident worm only, and contains no file payload. The Witty worm propagates via UDP, sending UDP packets with a random destination address and destination port and a source port of 4000. The source address is not spoofed. It is destructive to the target system, and overwrites key hard disk sectors after sending out its payload, which may cause the "blue screen" to occur upon reboot.

The malware code which executes the attack resides only in the memory of affected systems, and there are no file counterparts. Because of this, antivirus file scanners may be unable to detect the code and there is no applicable pattern file.

Symptoms

The worm sends itself out to multiple IP addresses on source port 4000/UDP and a random destination port. The worm is a memory-only based threat and does not create files on the system.
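The propagation pattern described above (UDP, fixed source port 4000, random destination address and port, unspoofed source) is something a network monitor can look for even though host antivirus has no file to scan. The following script is an added example, not part of this CERT-In note or of any ISS tool: it parses constructed tcpdump-style lines (the sample traffic and the threshold value are assumptions for illustration) and reports internal hosts whose UDP traffic from source port 4000 fans out to many distinct destinations, which is the scan behaviour of an infected machine rather than a single legitimate exchange on that port.

```python
import re
from collections import defaultdict

# Matches "tcpdump -n" style output; UDP lines carry "UDP", TCP lines carry "Flags".
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<kind>UDP|Flags)"
)

# Constructed sample capture (assumed data, not a real trace):
# 10.0.0.5 shows the Witty pattern, the other hosts are benign or irrelevant.
SAMPLE_LINES = [
    "12:00:01.000123 IP 10.0.0.5.4000 > 203.0.113.17.31337: UDP, length 812",
    "12:00:01.000456 IP 10.0.0.5.4000 > 198.51.100.2.5120: UDP, length 1103",
    "12:00:01.000789 IP 10.0.0.5.4000 > 192.0.2.200.61002: UDP, length 940",
    "12:00:01.001012 IP 10.0.0.5.4000 > 198.51.100.77.444: UDP, length 1287",
    # One host talking to one server from port 4000: below the fan-out threshold.
    "12:00:02.000000 IP 10.0.0.9.4000 > 203.0.113.40.4000: UDP, length 80",
    # UDP but not from source port 4000: ignored.
    "12:00:02.100000 IP 10.0.0.12.53 > 203.0.113.17.33000: UDP, length 90",
    # TCP from port 4000: not the worm's transport, ignored.
    "12:00:02.200000 IP 10.0.0.30.4000 > 203.0.113.60.80: Flags [S], seq 1, win 64240, length 0",
    "garbage line that does not parse",
]


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, proto) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = "udp" if m["kind"] == "UDP" else "tcp"
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), proto)


def witty_candidates(lines, min_destinations=3):
    """Map each source host sending UDP from port 4000 to >= min_destinations
    distinct destination addresses onto its destination count.

    The threshold separates a single legitimate exchange on port 4000 from the
    random-address fan-out an infected host produces.
    """
    destinations = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not packet records
        src_ip, src_port, dst_ip, _dst_port, proto = rec
        if proto != "udp" or src_port != 4000:
            continue
        destinations[src_ip].add(dst_ip)
    return {ip: len(d) for ip, d in destinations.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    for host, count in sorted(witty_candidates(SAMPLE_LINES).items()):
        print(f"{host}: UDP from source port 4000 to {count} distinct destinations")
```

The destination count is keyed on distinct addresses rather than packets, so a chatty but legitimate application on port 4000 is not flagged on volume alone. Hosts that do show up are the ones to isolate and rebuild or patch per the Solution section; because the worm overwrites disk sectors, hosts flagged early are the ones most likely to still have intact disks.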

Workarounds

Blocking packets with a source port of 4000/UDP at the firewall may mitigate attacks exploiting this vulnerability that originate outside of the network.

Solution

Apply the patch for the vulnerability, available from http://www.iss.net/download/ and reboot the system after applying the patch.

Vendor Information

ISS
http://xforce.iss.net/xforce/alerts/id/167

References

eEye Digital Security
http://www.eeye.com/html/Research/Upcoming/20040308.html
http://www.eeye.com/html/Research/Advisories/AD20040318.html

US-CERT Vulnerability Note VU#947254
http://www.kb.cert.org/vuls/id/947254

CIVN-2004-04
http://cert-in.org.in/vulnerability/CIVN-2004-04.htm

Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html

Trendmicro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WITTY.A

Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003