03/22/04: W32/Witty.worm Virus Alert
This is a warning about a new virus/worm that affects vulnerable BlackIce products on Windows machines. W32/Witty.worm is a network worm that tries to exploit the ISS/PAM ICQ module vulnerability in BlackIce products. Version 'BlackIce 3.6.ccf' is affected by this worm. The latest available version (BlackIce 3.6.ccg), as well as versions prior to 3.5, are not affected by this worm.
A patch for BlackIce products is available at:
The Witty worm spreads through network traffic only, not through email. When a malicious packet hits a vulnerable machine, the worm executes in memory and starts to spread from the new victim. The worm first sends out 20,000 packets from UDP port 4000 to random IP addresses and random ports. Then it writes 64kb of the exploited DLL to a random position on the hard drive. After that, it starts spreading again and loops. Rebooting the machine erases the worm from memory, but unless the BlackIce product is updated, the machine remains vulnerable to being infected again. For this reason, UDP port 4000 will be blocked and ICQ will not work on the UCLA campus today, March 22, 2004, until 6:00 pm.
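A defender's view of the traffic pattern described above, as an added example that is not part of the original alert: it flags hosts that send UDP from source port 4000 to many distinct destinations within a short window. The flow-record format, the threshold, the window length and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

WITTY_SRC_PORT = 4000    # UDP source port named in the alert
FANOUT_THRESHOLD = 50    # assumed: distinct destinations per window
WINDOW_SECONDS = 10      # assumed window length

def parse_flow(line):
    """Parse 'epoch proto src_ip:port dst_ip:port' (constructed format)."""
    ts, proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), proto.upper(), src_ip, int(src_port), dst_ip, int(dst_port)

def find_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: peak distinct destinations} for hosts at or over threshold."""
    buckets = defaultdict(set)  # (src_ip, window index) -> {(dst_ip, dst_port)}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ts, proto, src_ip, sport, dst_ip, dport = parse_flow(line)
        except ValueError:
            continue  # skip malformed records instead of aborting the scan
        if proto != "UDP" or sport != WITTY_SRC_PORT:
            continue
        buckets[(src_ip, int(ts // window))].add((dst_ip, dport))
    hits = {}
    for (src_ip, _), dests in buckets.items():
        if len(dests) >= threshold:
            hits[src_ip] = max(hits.get(src_ip, 0), len(dests))
    return hits

def sample_flows():
    """Constructed flow records, not real capture data."""
    lines = ["# constructed sample"]
    for i in range(60):  # noisy host: 60 distinct destinations in 6 seconds
        lines.append(f"{1000 + i * 0.1:.1f} UDP 10.0.0.5:4000 198.51.100.{i + 1}:{1024 + i * 7}")
    for i in range(3):   # quiet host: same source port, a single peer
        lines.append(f"{1000 + i} UDP 10.0.0.9:4000 203.0.113.10:4000")
    for i in range(80):  # busy host on a different source port
        lines.append(f"{1000 + i * 0.1:.1f} UDP 10.0.0.7:53 198.51.100.{i + 1}:33000")
    lines.append("garbage line")  # malformed record, ignored
    return lines

if __name__ == "__main__":
    print(find_scanners(sample_flows()))
```

A host that uses port 4000 with only a few peers stays under the threshold, so only the fan-out pattern is reported.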
For more information about this virus, please see http://vil.nai.com/vil/content/v_101118.htm
If you have any questions, please contact us at (310)825-7452, option 1, or at consult@ucla.edu.



