Threat Description

Witty

Details

Category: Malware
Type: Worm
Platform: W32
Aliases: Witty, Blackworm, Black Ice

Summary


Witty is a network worm that spreads through direct network connections, targeting machines that are running BlackIce security software.

If you're not running BlackIce software, this worm won't infect your system.

F-Secure's firewall applications block this worm with default settings.

More information at Incidents.org:

https://isc.sans.org/diary.html?date=2004-03-20

Witty is a pure network worm, it does not spread through email.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Witty uses a vulnerability in ICQ instant messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM). More information on the vulnerability and the affected products is available from

https://xforce.iss.net/xforce/alerts/id/166

The size of the worm suggests that it has been hand-written in assembly programming language. Witty is highly dependent on the version of the vulnerable DLL. It uses direct offsets to the DLL which change between versions.

The center of the code is a tight loop that generates UDP packets with the worm as payload. Characteristics of the packets:

Source port: 4000

Destination port: random

Size: random, between 768 and 1280 Bytes

Witty sends the UDP packets to 20000 random IP addresses. After completing the loop it opens one of the eight first physical drives and writes 64KiB of the vulnerable DLL to the disk. The intention of the author seems to be to write the data to a random place on the disk. Due to the DLL version dependency in some cases one of the API calls goes to an incorrect address and the worm overwrites the first 64KiB instead.

When the write operation is completed the worm restarts the UDP packet sending loop and iterates indefinitely. It will stop when the computer is restarted or the worm crashes.

The worm contains the following text:

 (^.^)      insert witty message here      (^.^)     


Detection


F-Secure's firewall applications are able to block this worm and all the UDP traffic it generates. We recommend system administators to block UDP 4000 traffic both ways at gateway level.



Description Details: Mikko Hypponen, March 20th, 2004
Technical Details:Gergely Erdelyi, March 20th, 2004


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More