Net-Worm.Win32.Witty, Worm.Win32.Witty, W32/Witty.worm.a, W32.Witty.Worm
Worm/Witty, Win32:Witty, Win32.Worm.Witty.A, W32/Witty.worm, WORM_WITTY.A
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
20 Mar 2004
The W32.Witty.Worm program is a memory-resident automated worm that copies itself via networks and attacks only devices running vulnerable versions of the Black Ice firewall software. This worm has attacked campus devices running Black Ice, and since W32.Witty.Worm is memory resident and does not create any files on the system's hard disk, virus definitions will not detect it.
More details about W32.Witty.Worm
This file-less worm, also known as Blackworm and BlackIce, infects systems that use the vulnerable ISS products. It sends itself from PC to PC and runs its code by exploiting a flaw in the ISS products' programming. W32.Witty.Worm is extremely small, varying from 768 bytes to 1148 bytes in size, and it can be smaller than these values. The worm exists only in memory and doesn't copy its code to disk. It tries to overwrite some sections of the vulnerable library iss-pam1.dll with its own data.
Once activated on the computer, the worm generates a random Internet Protocol address and sends a copy of its own code, together with the exploit for the vulnerability described above. It uses UDP 4000 as its source port. Any remote computer with vulnerable ISS products installed that receives such data packets will treat them as ICQ packets and try to process them accordingly. As a result of this processing, the worm's executable code enters the memory of the victim PC and begins to send copies of itself. When the data packets for the chosen IP address have been sent, the worm performs the same process again, sending the data more than 20,000 times. It then tries to write 65 KB of data from iss-pam1.dll to a chosen disk location on the infected PC. Finally, when the above process has been completed, the entire cycle is repeated.
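The propagation pattern described above (UDP source port 4000, worm-sized datagrams, many random destinations) can be turned into a simple flow-log check. The following is an added example, not part of the original entry: the record format, the sample addresses, the function names and the fan-out threshold are assumptions, and it treats the UDP payload length as equal to the worm size.

```python
from collections import defaultdict

# From the description above: UDP source port 4000, worm size 768-1148 bytes.
WITTY_SRC_PORT = 4000
SIZE_RANGE = (768, 1148)

# Constructed flow records (documentation IP ranges), one per line:
#   proto  src_ip:src_port  dst_ip:dst_port  payload_bytes
SAMPLE_FLOWS = """\
udp 192.0.2.10:4000 198.51.100.1:20145 796
udp 192.0.2.10:4000 203.0.113.77:1033 1101
udp 192.0.2.10:4000 198.51.100.200:4711 850
udp 192.0.2.10:4000 203.0.113.5:60021 1148
udp 192.0.2.10:4000 198.51.100.64:9 768
udp 192.0.2.20:4000 198.51.100.9:4000 900
udp 192.0.2.20:4000 198.51.100.9:4000 910
udp 192.0.2.30:53 198.51.100.1:33000 800
udp 192.0.2.30:53 198.51.100.2:33001 800
tcp 192.0.2.40:4000 198.51.100.1:80 1000
udp 192.0.2.40:4000 198.51.100.2:7000 64
"""

def parse_flow(line):
    """Split one record into (proto, src_ip, src_port, dst_ip, payload_bytes)."""
    proto, src, dst, length = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, _dport = dst.rsplit(":", 1)
    return proto.lower(), src_ip, int(sport), dst_ip, int(length)

def find_witty_like_sources(lines, min_fanout=5, size_range=SIZE_RANGE):
    """Map each suspect source IP to its count of distinct destinations.

    A source is suspect when it sends UDP datagrams from port 4000, sized
    within size_range, to at least min_fanout different addresses.
    min_fanout is an assumed threshold; tune it to the monitored network.
    """
    lo, hi = size_range
    targets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        proto, src_ip, sport, dst_ip, length = parse_flow(line)
        if proto == "udp" and sport == WITTY_SRC_PORT and lo <= length <= hi:
            targets[src_ip].add(dst_ip)
    return {ip: len(d) for ip, d in targets.items() if len(d) >= min_fanout}

if __name__ == "__main__":
    print(find_witty_like_sources(SAMPLE_FLOWS.splitlines()))
```

Because the entry notes that the worm can be smaller than the stated sizes, widen `size_range` if the check is used for hunting rather than alerting.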
The W32.Witty.Worm application can execute commands on the system without the user's consent. Data files may be stolen, deleted, or moved to a different location. The user's keystrokes may be recorded to steal important information. This can include personal data, social security numbers, credit card numbers and log-in information. The information is typically sent to a remote server, where it may be used for identity theft or credit card fraud. Installed programs may be launched or closed suddenly. Unwanted applications may also be added without the user's consent.