W32/Witty.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 03/20/2004
Length: ~1184 bytes
Minimum DAT: 4342 (03/24/2004)
Updated DAT: 4712 (03/07/2006)
Minimum Engine: 5.1.00
Description Added: 03/20/2004
Description Modified: 03/25/2004 4:31 PM (PT)
Risk Assessment:
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update March 21st 2004 04:25 PST --
This threat has been deemed Low-Profiled due to media attention at the following site:
http://news.netcraft.com/archives/2004/03/20/witty_worm_targets_black_ice_disables_machines.html

--
W32/Witty.worm is a network worm that tries to exploit the ISS/PAM ICQ module vulnerability (see the ISS advisory) in BlackIce products. Users not running a vulnerable BlackIce product cannot be infected by this worm.

Rebooting an infected system removes the worm from memory, and it is not reloaded on system startup, since it never writes itself to disk. Note, however, that a system still running a vulnerable BlackIce product can be reinfected as soon as another malicious packet reaches it, unless the product is updated to the latest version or removed from the system.

This worm spreads over the network only. No emails are sent and no files are dropped on the machine. The user does not have to run anything and sees nothing of the infection process.

Note: Because the worm drops no files, detection in the specified DATs and later is detection of the worm running in memory on an infected machine. Detection requires VirusScan 7 or later, an On-Demand Scan, and scanning of memory.

When a malicious packet hits a vulnerable machine, the worm will get executed in memory and start to spread from the new victim.

The worm first sends out 20,000 packets from UDP source port 4000 to random IP addresses and random destination ports. It then writes 65,536 bytes (64 KB) taken from the exploited DLL to a random position on the hard disk. After that it starts spreading again, and loops.

The payload, writing 64 KB to a random position on the disk, corrupts whatever files happen to occupy that location. The longer a machine stays infected, the more of the hard disk is damaged. Tests show that a machine infected for 10 minutes was unable to reboot because of damaged system files.

Damaged files need to be replaced from a backup - they can't be cleaned as they have been overwritten.

BlackIce version 3.6.ccf is affected by this worm. The latest available version (BlackIce 3.6.ccg) is not, and neither are version 3.5 and earlier.

A patch for BlackIce products is available at:
http://blackice.iss.net/update_center/index.php

Symptoms

  • Outgoing UDP network traffic from port 4000 to random IP addresses.
  • Corrupted files on disk.
  • System reacts very slowly.
  • BLACKD.EXE has about 99% CPU usage.
  • System may become unstable or unable to boot.
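The spread pattern described under Characteristics and the first symptom above (outbound UDP from source port 4000 fanning out to many random addresses and ports) can be picked out of flow records without any signature for the packet itself. The following is an added example, not part of this description or of any McAfee or ISS tooling: a small Python script that reads constructed flow-log lines in a hypothetical "time src:sport -> dst:dport proto" format and flags sources that send UDP from port 4000 to an unusually large number of distinct destinations and destination ports. The log format, the sample hosts and the thresholds are all assumptions.

```python
"""Flag hosts whose outbound UDP traffic matches the Witty spread pattern.

Added example. The flow-record format, sample addresses and thresholds
are constructed for illustration and do not come from a real product.
"""
import random
import re
from collections import defaultdict

# Hypothetical flow-record format: "HH:MM:SS src:sport -> dst:dport PROTO"
FLOW_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_flow(line):
    """Parse one flow record; return a dict or None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def make_sample_log(seed=1):
    """Constructed sample log: benign traffic, one host legitimately bound to
    UDP 4000 talking to a single peer, and one host spraying from port 4000."""
    rng = random.Random(seed)
    lines = [
        "10:00:01 10.0.0.5:51234 -> 10.0.0.1:53 UDP",
        "10:00:01 10.0.0.5:51235 -> 198.51.100.10:443 TCP",
    ]
    # Legitimate use of source port 4000 to one peer: must not be flagged.
    for i in range(5):
        lines.append(f"10:00:{i:02d} 10.0.0.9:4000 -> 203.0.113.7:4000 UDP")
    # Infected host: bursts from source port 4000 to random IPs and random ports.
    for i in range(300):
        dst = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        dport = rng.randrange(1, 65536)
        lines.append(f"10:00:{i % 60:02d} 10.0.0.7:4000 -> {dst}:{dport} UDP")
    rng.shuffle(lines)
    return lines


def witty_candidates(lines, min_dsts=50, min_dports=50):
    """Return sorted source IPs that sent UDP from port 4000 to at least
    min_dsts distinct destinations and min_dports distinct destination ports.
    Thresholds are assumptions; tune them to the window size of your logs."""
    stats = defaultdict(lambda: {"dsts": set(), "dports": set(), "packets": 0})
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "UDP" or rec["sport"] != 4000:
            continue
        s = stats[rec["src"]]
        s["dsts"].add(rec["dst"])
        s["dports"].add(rec["dport"])
        s["packets"] += 1
    return sorted(
        src for src, s in stats.items()
        if len(s["dsts"]) >= min_dsts and len(s["dports"]) >= min_dports
    )


if __name__ == "__main__":
    for host in witty_candidates(make_sample_log()):
        print("possible Witty infection (UDP sport 4000 fan-out):", host)
```

The fan-out on both destination address and destination port is what separates the worm from a host that legitimately uses port 4000 for a single application session; a rule keyed on source port alone would flag the benign 10.0.0.9 as well.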

Method of Infection

The worm infects machines by exploiting a vulnerability in some BlackIce products.

Removal

All Users:
Use current engine and DAT files for detection and removal.

This worm makes no modifications to the system Registry or INI files to hook system startup; it runs only in memory and is gone after a reboot. Files overwritten by its payload cannot be cleaned and must be restored from backup.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.