Wow, those are some mean console cowboys. Innocents with the temerity to run the Wm-Gibson-monickered "Black Ice" firewall are catching it big-time today. Some wicked person handcoded an amazingly teensy 900-byte Black Ice-specific worm that burrows through a flaw in Black Ice and whacks PCs hard enough to ruin them and despoil their contents. Virus guys used to just write viruses. Now they're bold enough to try to wreck corporations. Life gets a little more Gibsonian every day.

F-Secure Virus Descriptions: Witty


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.


NAME: Witty

ALIAS: Blackworm, Black Ice

SIZE: 909 bytes

Summary

Witty is a network worm that spreads through direct network connections, targeting machines that are running BlackIce security software.

If you're not running BlackIce software, this worm won't infect your system.

F-Secure's firewall applications block this worm with default settings.

More information at Incidents.org:

http://isc.sans.org/diary.html?date=2004-03-20

Witty is a pure network worm; it does not spread through email.

Detailed Description

Witty exploits a vulnerability in the ICQ instant messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM). More information on the vulnerability and the affected products is available from

http://xforce.iss.net/xforce/alerts/id/166

The size of the worm suggests that it was hand-written in assembly language. The core of the code is a tight loop that generates UDP packets with source port 4000 and random destination port numbers (which may be constant for one recipient but vary from target to target). The worm sends itself in these UDP packets to 20000 random IP addresses.

After sending 20000 packets, Witty opens a random physical drive and performs certain operations on it; the details are still unclear and are being investigated. After this the worm restarts spreading and keeps repeating the cycle until the machine crashes or is rebooted.

The worm contains the following text:

(.) insert witty message here (.)
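The spread loop and the embedded string described above give a defender two detection hooks: a behavioural one (UDP from source port 4000, sprayed at many hosts on varying ports) and a content one (the marker string). The following Python is an added example, not F-Secure's or the original post's code; it assumes a hypothetical flow-log format, constructed sample records, and the function names `parse_flow`, `witty_sprayers` and `carries_witty_marker`.

```python
from collections import defaultdict

# Indicators taken from the description above. Assumption: the 909-byte
# figure is the worm body, so a packet carrying it is at least that long.
WITTY_SPORT = 4000
WITTY_MIN_SIZE = 909
WITTY_MARKER = b"(.) insert witty message here (.)"

# Constructed flow-log lines (hypothetical format):
# "<ts> <proto> <src>:<sport> <dst>:<dport> <bytes>"
SAMPLE_LOG = """\
1079740001 UDP 10.0.0.5:4000 192.0.2.17:21544 1023
1079740001 UDP 10.0.0.5:4000 198.51.100.9:3321 909
1079740002 UDP 10.0.0.5:4000 203.0.113.44:50012 1180
1079740002 UDP 10.0.0.5:4000 192.0.2.201:8 950
1079740003 UDP 10.0.0.7:4000 10.0.0.8:4000 60
1079740003 UDP 10.0.0.7:4000 10.0.0.9:4000 60
1079740004 TCP 10.0.0.9:4000 192.0.2.17:80 1500"""

def parse_flow(line):
    """Parse one flow-log line into a dict."""
    ts, proto, src, dst, size = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto, "src": src_ip, "sport": int(sport),
            "dst": dst_ip, "dport": int(dport), "bytes": int(size)}

def witty_sprayers(lines, min_targets=3):
    """Map each source host showing the Witty spray pattern to its target count.

    Pattern: UDP from source port 4000, packet large enough to hold the worm,
    many distinct destination hosts and more than one destination port (a
    legitimate UDP/4000 service talks to fixed peer ports, so it is excluded).
    """
    targets, dports = defaultdict(set), defaultdict(set)
    for rec in map(parse_flow, lines):
        if rec["proto"] != "UDP" or rec["sport"] != WITTY_SPORT:
            continue
        if rec["bytes"] < WITTY_MIN_SIZE:
            continue
        targets[rec["src"]].add(rec["dst"])
        dports[rec["src"]].add(rec["dport"])
    return {src: len(t) for src, t in targets.items()
            if len(t) >= min_targets and len(dports[src]) > 1}

def carries_witty_marker(payload):
    """Content check for the string the description says the worm embeds."""
    return WITTY_MARKER in payload
```

On the constructed log only 10.0.0.5 is flagged: 10.0.0.7 sends packets too short to carry the worm on a fixed port, and 10.0.0.9 is TCP.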