Witty uses a vulnerability in ICQ instant messaging protocol
parsing routines of the ISS Protocol Analysis Module (PAM).
More information on the vulnerability and the affected products
is available from
The size of the worm suggests that it has been hand-written in
assembly programming language. Witty is highly dependent on the
version of the vulnerable DLL. It uses direct offsets to the DLL
which change between versions.
The center of the code is a tight loop that generates UDP packets
with the worm as payload. Characteristics of the packets:
random, between 768 and 1280 Bytes
Witty sends the UDP packets to 20000 random IP addresses. After
completing the loop it opens one of the eight first physical drives
and writes 64KiB of the vulnerable DLL to the disk. The intention
of the author seems to be to write the data to a random place on
the disk. Due to the DLL version dependency in some cases one of
the API calls goes to an incorrect address and the worm overwrites
the first 64KiB instead.
When the write operation is completed the worm restarts the UDP
packet sending loop and iterates indefinitely. It will stop when
the computer is restarted or the worm crashes.
The worm contains the following text:
(^.^) insert witty message here (^.^)
F-Secure's firewall applications are able to block this worm and all
the UDP traffic it generates.
We recommend system administators to block UDP 4000 traffic both ways
at gateway level.
Mikko Hypponen, March 20th, 2004;
Gergely Erdelyi, March 20th, 2004;