Aliases: Net-Worm.Win32.Witty, Worm.Win32.Witty, W32/Witty.worm.a, W32.Witty.Worm
Variants: Worm/Witty, Win32:Witty, Win32.Worm.Witty.A, W32/Witty.worm, WORM_WITTY.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 20 Mar 2004
Damage: High

Characteristics: The W32.Witty.Worm program is a memory resident automated worm tat copies itself via networks and attacks only devices running vulnerable versions of the Black Ice firewall software. This worm has attacked campus devices running Black Ice and since W32.Witty.Worm is memory resident and does not make any files on the hard disk of the system, virus definitions will not detect it.

More details about W32.Witty.Worm

This file-less worm, aka Blackworm and BlackIce infects systems that use the vulnerable ISS products. It sends itself from PC to PC and initiates the code by means of exploiting a flaw in the ISS products programming. W32.Witty.Worm is extremely small and differs from 768 bytes-1148 bytes in size. The size of this worm can be smaller compared to the values given. The Witty.Worm exists only in memory and doesn’t copy its code to the disk. It tries to overwrite some sections of the vulnerable library iss-pam1.dll with its own data. Once activated on the computer, the worm will now then generate a random Internet Protocol address, and copies its own code by sending it including the exploit for the vulnerability stated above. It utilizes UPD 4000 as its source port. When getting such data packets, any remote computer that with vulnerable ISS products installed on it will treat it as an ICQ packet and would try to process it accordingly. Because of this processes the executable code of the worm penetrates the memory of the victim PC and begins to send copies of itself. When data packets are sent from the chosen IP address, the worm performs the same process again and sends the data for over 20,000 times. It then tries to write files with 65KB from the iss-pam1.dll to a chosen disk location of the infected PC. Finally, when the above process has been completed, the entire cycle is again repeated.

The W32.Witty.Worm application can execute commands in the system without the user’s consent. The data files may be stolen, deleted, or moved to a different location. The user’s keystrokes may be recorded to steal important information. This can include personal data, social security numbers, credit card numbers and log-in information. The information is typically sent to a remote server. They may be used for identity theft or credit card fraud. Installed programs may be launched or close suddenly. Unwanted applications may also be added without the user’s consent.