
W32.Witty.Worm

Risk Level 2: Low

Discovered:
March 20, 2004
Updated:
February 13, 2007 12:19:50 PM
Also Known As:
W32/Witty.worm [McAfee], WORM_WITTY.A [Trend]
Type:
Worm
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


W32.Witty.Worm exploits a vulnerability in the ICQ protocol parsing of ISS products. The worm sends itself to multiple IP addresses using UDP source port 4000 and a random destination port. The worm resides in memory only and does not create files on an infected computer. The worm also carries a payload that overwrites randomly chosen sectors of a randomly chosen hard disk.


Note: If your computer is not running a vulnerable version of one of the affected products, then you will not be infected. Products affected by this vulnerability are listed below:
  • BlackICE™ Agent for Server 3.6 ebz, ecd, ece, ecf
  • BlackICE PC Protection 3.6 cbz, ccd, ccf
  • BlackICE Server Protection 3.6 cbz, ccd, ccf
  • RealSecure® Network 7.0, XPU 22.4 and 22.10
  • RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
  • RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
  • RealSecure Desktop 3.6 ebz, ecd, ece, ecf
  • RealSecure Guard 3.6 ebz, ecd, ece, ecf
  • RealSecure Sentry 3.6 ebz, ecd, ece, ecf

If you are running a product that has the vulnerability the worm uses, we recommend that you apply the relevant patch as soon as possible. Patches for this vulnerability are available at http://www.iss.net/download/.

Symantec Security Response recommends that administrators block inbound and outbound traffic to their networks on UDP source port 4000. The destination port of the traffic this worm generates is randomly selected, so filtering on the destination port is not effective.
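The traffic pattern described above (UDP from source port 4000 to many destinations on varying destination ports) can be checked for in flow records before or alongside the port block. The following is an added example, not part of the Symantec writeup; the record format and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not real captures; the writeup shows no log
# format). Form: "PROTO src_ip:sport > dst_ip:dport". 10.0.5.17 shows the
# Witty pattern; 10.0.5.21 talks UDP/4000 to one fixed peer and port, which a
# blanket block on source port 4000 would also cut off.
SAMPLE_LOG = """\
UDP 10.0.5.17:4000 > 198.51.100.23:51841
UDP 10.0.5.17:4000 > 203.0.113.9:1123
UDP 10.0.5.17:4000 > 192.0.2.77:60002
UDP 10.0.5.17:4000 > 198.51.100.200:7
UDP 10.0.5.17:4000 > 203.0.113.250:33000
UDP 10.0.5.17:4000 > 192.0.2.8:2048
UDP 10.0.5.21:4000 > 10.0.5.1:4000
UDP 10.0.5.21:4000 > 10.0.5.1:4000
TCP 10.0.5.30:52111 > 198.51.100.23:80
UDP 10.0.5.42:53412 > 192.0.2.53:53
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_records(text):
    """Parse the constructed record format into a list of dicts; skip bad lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records

def witty_suspects(records, min_dsts=5):
    """Flag sources emitting UDP from source port 4000 to at least min_dsts
    distinct destination IPs with more than one distinct destination port.
    Returns {src_ip: (distinct_dst_count, distinct_dport_count)}."""
    dsts = defaultdict(set)
    dports = defaultdict(set)
    for r in records:
        if r["proto"] == "UDP" and r["sport"] == 4000:
            dsts[r["src"]].add(r["dst"])
            dports[r["src"]].add(r["dport"])
    return {
        src: (len(dsts[src]), len(dports[src]))
        for src in dsts
        if len(dsts[src]) >= min_dsts and len(dports[src]) > 1
    }
```

Running `witty_suspects(parse_records(SAMPLE_LOG))` flags only 10.0.5.17; the threshold `min_dsts` is a constructed tuning knob, not a value from the writeup.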

Antivirus Protection Dates

  • Initial Rapid Release version March 20, 2004
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version October 31, 2007 revision 003
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date pending

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: High

Distribution

  • Distribution Level: High
Writeup By: Eric Chien
