Flaw in Internet Security Systems products could allow worm to fill drives with junk data
vnunet.com, 22 Mar 2004
A new worm that damages data and crashes systems is spreading via a weakness in some Internet Security Systems (ISS) products.
The Witty A worm is similar to Blaster in that it spreads automatically without infected emails or attachments being opened. It is highly destructive and overwrites hard disk sectors with junk data.
Users of ISS' BlackICE Defender and RealSecure firewalls who have not patched their systems in the past week are at risk.
The company released a patch for the flaw last week and insisted that none of its managed service customers have been affected. The patch is available here.
ISS said in a statement: "The Witty worm is destructive to the target system, and overwrites key hard disk sectors after sending out its payload.
"The junk data written to disk may impact system stability and cause a 'blue screen' to occur on reboot.
"Data on infected systems may be damaged. ISS X-Force recommends that infected systems are removed from the network and powered down.
"ISS X-Force further recommends that data recovery techniques are employed to assess damage and recover data."
The worm enters through a flaw in ISS' ICQ instant messaging protocol routines. Once a machine is infected the worm spams itself to 20,000 random IP addresses via Port 4000.
"Blocking Port 4000 on all the clients and servers will stop this worm dead," said Marco Righetti, virus co-ordinator at Trend Micro.
"This is more of a problem for home users and small offices as most of the bigger offices won't allow ICQ traffic.
"This is not a script kiddie job; this person knows what they are doing."
"We reckon two per cent of our systems are affected," said Richard Millar, managing director at ISS UK.
"We've been aware of the flaw since 18 March and released a patch on 20 March. On the same day the attack was launched."
It is very hard for antivirus software to find the worm as it is memory-resident and does not copy itself to the hard drive nor alter registry settings.
So far about 50,000 systems have been affected, according to F-Secure. These include:
Security spending set to soar following unprecendented success of next-generation worms
Company that began life as internal IT project is sold to venture capital firms
This week we cover the continuing controversy surrounding the Orange T-Mobile deal
Using managed services to protect mobile data users from the latest security threats
Counting the cost of data security: the benefits of secured mobile services
Shifting Disaster Recovery targets with SharePoint and SQL server configurations
Using a hostbased recovery system for mission-critical systems
Keep up to date with the latest products, services and technologies from the world's leading IT companies; IThound.com brings you over 6,000 white papers, case studies and analyst reports.
Replacement warning functioning normally, claims software giant
Annual initiative warns of phishing, ID theft and social network...
Do you agree?
Have your say on this article