Witty Worm Threatens ICQ Servers

ISS is warning users to patch their systems against the Witty worm, which writes junk data onto physical hard drives.

Network security company ISS is likely to face embarrassing questions from its customers following the discovery on Saturday of a new worm that exploits flaws in its software.

The worm, dubbed Witty.A, was designed to exploit a security hole in the company's widely used firewall product lines, such as its BlackICE and RealSecure software series.

Reports from Internet monitoring firms suggest the worm is similar to Blaster, which appeared last August and left a multi-million dollar damage trail for companies to clean up, reports News.Zdnet.co.uk.

A worm called Witty has infected more than 50,000 computers over the weekend, thanks to a hole in BlackICE. Anti-virus software maker F-Secure said that the worm writes random data to the hard drive of an infected machine, meaning it has to be reformatted. They didn't say why they thought it would have infected so many computers.

Witty spreads through direct network connections and targets machines that are running unpatched versions of BlackICE.

ISS, the purveyor of BlackICE, has fixed the flaw, which is found in the ICQ instant messaging protocol parsing routines of the ISS Protocol Analysis Module, theinquirer.net reports.

Witty exploits a vulnerability in the ICQ instant messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM). According to anti-virus vendor F-Secure, the size of the worm suggests that it was hand-written in assembly language. The core of the code is a tight loop that generates UDP packets with source port 4000 and random destination port numbers (which might be constant for one recipient, but vary from target to target). The worm sends itself in UDP packets to 20,000 random IP addresses. After sending 20,000 packets, Witty opens a random physical drive and performs certain operations. The complete sequence of commands executed by the worm is still unclear and is being investigated. After this, the worm resumes spreading and keeps repeating the cycle until the machine crashes or is rebooted, according to CXOtoday.com.
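The traffic pattern described above (UDP from source port 4000 fanned out to many different addresses) can be checked for in flow logs. The following is an added example, not code from the article or from any of the vendors it cites; the record layout, the `min_targets` threshold and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

WITTY_SRC_PORT = 4000  # source port stated in the article


def find_fanout_sources(flows, min_targets=20):
    """Return {src_ip: (distinct_targets, distinct_dst_ports)} for hosts whose
    UDP traffic from source port 4000 reaches at least min_targets addresses.
    min_targets is an assumed threshold, to be tuned per network."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for proto, src_ip, src_port, dst_ip, dst_port in flows:
        if proto != "udp" or src_port != WITTY_SRC_PORT:
            continue
        targets[src_ip].add(dst_ip)
        ports[src_ip].add(dst_port)
    return {src: (len(seen), len(ports[src]))
            for src, seen in targets.items() if len(seen) >= min_targets}


def sample_flows():
    """Constructed flow records (documentation address ranges), not real captures."""
    flows = []
    # One host reaching 30 addresses, destination port differing per target.
    for i in range(30):
        flows.append(("udp", "192.0.2.10", 4000, f"198.51.100.{i + 1}", 1024 + i * 37))
    # A host using source port 4000 with only two peers: below the threshold.
    flows.append(("udp", "192.0.2.20", 4000, "203.0.113.5", 4000))
    flows.append(("udp", "192.0.2.20", 4000, "203.0.113.6", 4000))
    # A busy host on a different source port: ignored by the filter.
    for i in range(40):
        flows.append(("udp", "192.0.2.30", 53000, f"198.51.100.{i + 1}", 53))
    # TCP from port 4000 is ignored as well.
    flows.append(("tcp", "192.0.2.40", 4000, "203.0.113.7", 80))
    return flows


if __name__ == "__main__":
    for src, (n_targets, n_ports) in find_fanout_sources(sample_flows()).items():
        print(f"{src}: {n_targets} targets, {n_ports} destination ports")
```

A high count of distinct destination ports alongside the target count matches the article's note that the destination port varies from target to target.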

As Pravda.Ru has already reported, the Russian anti-virus company Kaspersky Lab announced that it had detected a new Internet virus, Worm.Win32.Bizex. The virus spreads over ICQ through vulnerabilities in ICQ and MS Internet Explorer.

According to an earlier report by Pravda.Ru, an attack of the Internet worm W32/MyDoom, or Novarg, has turned into a real epidemic. Worldwide, more than 500 000 computers have been infected. 300 000 of them have been infected in Russia alone. Every tenth computer has been infected in Ukraine.

See also: ICQ global network infected with virus (http://english.pravda.ru/accidents/21/96/383/12144_virus.html)

Author: Editorial Team