[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


   UNIRAS (UK Govt CERT) ALERT - 13/04 dated 21.03.04  Time: 18:20
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination
  UNIRAS material is also available from its website at www.uniras.gov.uk
         Information about NISCC is available from www.niscc.gov.uk

Malicious software report - witty worm


Departmental and company security officers should be aware of the
existence of a new Internet worm called Witty that takes advantage of a
buffer overflow the ICQ instant messaging protocol parsing routines of the
ISS Protocol Analysis Module (PAM) componentof ISS intrusion detection
products (BlackICE, RealSecure and Proventia).

See http://xforce.iss.net/xforce/alerts/id/166 (reissued as UNIRAS
Briefing 129/04) and
http://www.eeye.com/html/Research/Advisories/AD20040318.html for a
description of the vulnerability and for update availability.

 Although UNIRAS has no direct reports from its constituency, the worm has
caused a large increase in network traffic with UDP source port 4000 (the
signature of a IRQ server response) across the Internet.
The worm only affects networks that have vulnerable ISS products, but
compromised hosts will scan 20000 IP hosts at random with a randomly
chosen destination UDP port and a source UDP port of 4000. The worm has a
payload that it will overwrite 128 disk sectors of one of the first eight
physical drives with data from the PAM Dynamic Link Library. This could
result in operating system, file system, application and data corruption
and possibly lack of availability. There is a further impact on Internet
routers due to the aggressive scanning of this worm. Organisations are
recommended to block traffic with UDP source port 4000 inbound and
outbound unless ICQ is required by the business.
Further details are available at:

Note that the above LURHQ link provides a Snort signature.


For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

This Briefing contains the information released by the original author. Some

of the information may have changed since it was released. If the
affects you, it may be prudent to retrieve the advisory from the canonical
to ensure that you receive the most current information concerning that

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The

and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors or
omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
and has contacts with other international Incident Response Teams (IRTs)
in order to foster cooperation and coordination in incident prevention, to
rapid reaction to incidents, and to promote information sharing amongst
its members and the community at large.
<End of UNIRAS Briefing>