
"Witty" worm

1092 Views 5 Replies 3 Participants Last post by  Nok1
What's up with this? Seeing stories about this on Slashdot. Washington Post, ISS etc. Anybody hear more about this?
I'm kinda concerned, I noticed this morning there were over 100 port scans attempted on my box last night, strangely they were all from SBC servers (as best I could tell), ran some security checks, don't see anything...
Here is what SANS reported this morning:

(Note: we will not start new diaries this weekend. Instead, we will keep amending this diary.)


"Witty" worm attacks BlackICE firewall


Summary
=======

At around 12:00 AM EST (05:00 UTC) on Saturday, we detected an upsurge in UDP traffic from source port 4000. This traffic is caused by a new worm ("Witty") which exploits a vulnerability in BlackIce's ICQ parser.


Given that this worm generates large amounts of traffic, and the widespread use of BlackIce, we will keep the InfoCon level at 'YELLOW', likely until Monday morning.


While "witty" packets with other source ports are seen, they will not trigger the vulnerability. Likely, these packets are due to infected hosts behind NAT devices.


Detection
=========

Infected hosts will send large amounts of UDP traffic, typically saturating a local network connection. The BlackIce task bar icon will no longer allow the user to shut down BlackIce. It will display a message reading "Operation could not be completed. Access is denied".
Eventually, the system will crash. Infected systems are reported to show corrupted hard disks.
The worm will not write itself to disk. As a result, virus scanners may not detect it.
Snort rule:


alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic";
content:"|29202020202020696e73657274207769747479206d6573736167652068657265|"; rev:1;)

(note: you may want to remove the source port restriction)


Removal
=======

A reboot will remove the worm from the system. However, the worm causes random hard disk corruption and the system may no longer function.


Prevention
==========

Disconnect systems running BlackIce as soon as possible!


Block all UDP packets with a source port of 4000


Blocking UDP packets with a source port of 4000 may disrupt some network services. We do not know of any major services (other than old versions of ICQ) that require UDP 4000.
This worm will corrupt hard disks and leave systems unusable.
These versions of BlackIce and RealSecure have been identified as vulnerable:


BlackICE™ Agent for Server 3.6 ebz, ecd, ece, ecf
BlackICE PC Protection 3.6 cbz, ccd, ccf
BlackICE Server Protection 3.6 cbz, ccd, ccf
RealSecure® Network 7.0, XPU 22.4 and 22.10
RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
RealSecure Desktop 3.6 ebz, ecd, ece, ecf
RealSecure Guard 3.6 ebz, ecd, ece, ecf
RealSecure Sentry 3.6 ebz, ecd, ece, ecf
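The Snort rule in the SANS diary above, and its note about dropping the source-port restriction, can be checked against sample traffic with a few lines of Python. The block below is an added example, not part of the forum post or the SANS diary: it decodes the hex content from the rule into the byte marker the worm carries, applies the rule's source-port range (4000:5000), and shows how a NAT-rewritten source port slips past the port-restricted form. The `UdpDatagram` records, IP addresses and payloads are constructed sample data, not a real capture.

```python
from dataclasses import dataclass
from collections import Counter

# Hex content from the Snort rule quoted in the SANS diary, decoded to bytes.
# It reads ")      insert witty message here".
WITTY_MARKER = bytes.fromhex(
    "29202020202020696e73657274207769747479206d6573736167652068657265"
)
# Source-port range from the same rule (4000:5000, inclusive in Snort).
WITTY_SPORT_RANGE = range(4000, 5001)


@dataclass(frozen=True)
class UdpDatagram:
    """Minimal UDP datagram record (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def matches_witty(pkt: UdpDatagram, require_source_port: bool = True) -> bool:
    """Return True if the datagram carries the Witty payload marker.

    With require_source_port=True this mirrors the Snort rule as written
    (source port 4000-5000). Passing False follows the diary's note about
    removing the port restriction, which also catches infected hosts behind
    NAT devices that rewrite the source port.
    """
    if require_source_port and pkt.src_port not in WITTY_SPORT_RANGE:
        return False
    return WITTY_MARKER in pkt.payload


def scan(packets, require_source_port: bool = True) -> Counter:
    """Count matching datagrams per source IP (the hosts to disconnect)."""
    hits = Counter()
    for pkt in packets:
        if matches_witty(pkt, require_source_port):
            hits[pkt.src_ip] += 1
    return hits


# Constructed sample traffic (not a real capture; documentation IP ranges).
SAMPLE = [
    UdpDatagram("192.0.2.10", 4000, "198.51.100.5", 13579,
                b"\x00" * 8 + WITTY_MARKER + b"\x90" * 16),
    UdpDatagram("192.0.2.10", 4000, "198.51.100.6", 2222,
                b"\x00" * 8 + WITTY_MARKER),
    # Same payload, but the source port was rewritten by a NAT device.
    UdpDatagram("192.0.2.20", 61234, "198.51.100.7", 5555,
                b"\x00" * 8 + WITTY_MARKER),
    # Benign UDP traffic on port 4000 (old ICQ) that must not match.
    UdpDatagram("192.0.2.30", 4000, "198.51.100.8", 4000, b"ICQ ping"),
]

if __name__ == "__main__":
    print("rule as written:", scan(SAMPLE))
    print("port restriction removed:", scan(SAMPLE, require_source_port=False))
```

Run as written, the port-restricted scan reports only `192.0.2.10`; removing the restriction also surfaces `192.0.2.20`, the NAT case the diary describes, while the benign ICQ datagram on port 4000 matches in neither mode because the content check still applies.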