Witty worm overwrites hard disks

A new worm that damages data and crashes systems is spreading via a weakness in some Internet Security Systems (ISS) products.

The Witty A worm is similar to Blaster in that it spreads automatically without infected emails or attachments being opened. It is highly destructive and overwrites hard disk sectors with junk data.

Users of ISS' BlackICE Defender and RealSecure firewalls who have not patched their systems in the past week are at risk.

The company released a patch for the flaw last week and insisted that none of its managed service customers have been affected. The patch is available here.

ISS said in a statement: "The Witty worm is destructive to the target system, and overwrites key hard disk sectors after sending out its payload.

"The junk data written to disk may impact system stability and cause a 'blue screen' to occur on reboot.

"Data on infected systems may be damaged. ISS X-Force recommends that infected systems are removed from the network and powered down.

"ISS X-Force further recommends that data recovery techniques are employed to assess damage and recover data."

The worm enters through a flaw in ISS' ICQ instant messaging protocol routines. Once a machine is infected the worm spams itself to 20,000 random IP addresses via Port 4000.

"Blocking Port 4000 on all the clients and servers will stop this worm dead," said Marco Righetti, virus co-ordinator at Trend Micro.

"This is more of a problem for home users and small offices as most of the bigger offices won't allow ICQ traffic.

"This is not a script kiddie job; this person knows what they are doing."

"We reckon two per cent of our systems are affected," said Richard Millar, managing director at ISS UK.

"We've been aware of the flaw since 18 March and released a patch on 20 March. On the same day the attack was launched."

It is very hard for antivirus software to find the worm as it is memory-resident and does not copy itself to the hard drive nor alter registry settings.

So far about 50,000 systems have been affected, according to F-Secure. These include:

• BlackICE Agent for Server 3.6 ebz, ecd, ece, ecf
• BlackICE PC Protection 3.6 cbz, ccd, ccf
• BlackICE Server Protection 3.6 cbz, ccd, ccf
• RealSecure Network 7.0, XPU 22.4 and 22.10
• RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
• RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
• RealSecure Desktop 3.6 ebz, ecd, ece, ecf
• RealSecure Guard 3.6 ebz, ecd, ece, ecf
• RealSecure Sentry 3.6 ebz, ecd, ece, ecf