Network Computing is part of the Informa Tech Division of Informa PLC


'Witty' Worm Sneaks Through ISS Firewalls

A fast-spreading worm let loose on the Internet Saturday crawled through a vulnerability in Internet Security Systems' BlackICE firewall, has infected between 10,000 and 50,000 systems worldwide, and can trash infected hard drives.

The worm--dubbed "Witty," for a comment embedded in its code--exploits a stack overflow vulnerability within BlackICE that was disclosed just two days before the worm first appeared.

Unlike most other worms, Witty doesn't need human interaction to spread. Rather than rely on users to open a file attachment--the typical way worms propagate--Witty simply scans for vulnerable systems, then uses UDP port 4000 to infect the machine. This auto-spread strategy was last used to wreak havoc by 2003's MSBlast worm.
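For defenders, the self-propagating behavior described above shows up in flow logs as one host sending UDP traffic on port 4000 to many different addresses in a short time. The following sketch is an added example, not code from the article or from any vendor; the log format, window, threshold and sample records are all constructed assumptions.

```python
from collections import defaultdict, deque

WITTY_PORT = 4000       # UDP port named in the article; matched as source or destination (assumption)
WINDOW_SECONDS = 10     # assumed detection window
FANOUT_THRESHOLD = 4    # assumed: distinct destinations per window before flagging

# Constructed sample flows: "epoch_seconds proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
100.0 udp 10.0.0.5 4000 198.51.100.11 20512
100.0 udp 10.0.0.8 4000 192.0.2.21 5060
100.2 udp 10.0.0.9 52100 192.0.2.10 4000
100.3 tcp 10.0.0.7 40110 192.0.2.31 4000
100.4 udp 10.0.0.5 4000 203.0.113.40 1187
100.6 tcp 10.0.0.7 40111 192.0.2.32 4000
100.9 udp 10.0.0.5 4000 192.0.2.77 44021
101.0 tcp 10.0.0.7 40112 192.0.2.33 4000
101.3 udp 10.0.0.5 4000 198.51.100.200 9035
101.5 tcp 10.0.0.7 40113 192.0.2.34 4000
101.8 udp 10.0.0.5 4000 203.0.113.9 61200
105.0 udp 10.0.0.9 52101 192.0.2.10 4000
140.0 udp 10.0.0.8 4000 198.51.100.22 5060
180.0 udp 10.0.0.8 4000 203.0.113.23 5060
220.0 udp 10.0.0.8 4000 192.0.2.24 5060
"""

def parse_flow(line):
    ts, proto, src, sport, dst, dport = line.split()
    return float(ts), proto.lower(), src, int(sport), dst, int(dport)

def find_scanners(lines, port=WITTY_PORT, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: peak count of distinct UDP destinations within one sliding window}."""
    recent = defaultdict(deque)   # src_ip -> (timestamp, dst_ip) pairs still inside the window
    peak = {}
    for line in lines:
        if not line.strip():
            continue
        ts, proto, src, sport, dst, dport = parse_flow(line)
        if proto != "udp" or port not in (sport, dport):
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # drop flows that have aged out of the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            peak[src] = max(peak.get(src, 0), distinct)
    return peak

if __name__ == "__main__":
    print(find_scanners(SAMPLE_FLOWS.splitlines()))
```

In the constructed sample only 10.0.0.5 is flagged: the host talking repeatedly to a single peer, the TCP traffic, and the host whose UDP 4000 flows are spread over two minutes all stay below the threshold.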

Witty is particularly dangerous, said experts, because after it executes, it opens a random drive on the PC and writes 65KB of data to a random location on the disk. It repeats that process until the system is rebooted or the computer crashes.

"This worm is highly malicious, slowly destroying the systems it infects," said security firm Lurhq, in an alert posted on its Web site. "Rather than simply executing a 'format C:' or similar destructive command, the worm slowly corrupts the file system while it continues to spread. Any infected machine will likely have its operating system and partition data destroyed along with most files on the physical drives, depending on how long the worm runs on the machine."
