  Viruswarn Forums
Subject: A Witty Virus

Lee Drake
Posts:238

03/23/2004 12:18 AM  
What Is It?

A new worm, ironically called "Witty," uses an ICQ parsing vulnerability in certain ISS products to attack machines protected by un-patched versions of specific BlackICE personal firewalls. According to the ISS alert at http://xforce.iss.net/xforce/alerts/id/167 , "The Witty worm is destructive to the target system, and overwrites key hard disk sectors after sending out its payload. The junk data written to disk may impact system stability and cause a 'blue screen' to occur upon reboot."

The ISS notice further states that the following products are affected:

BlackICE™ Agent for Server 3.6 ebz, ecb, ecd, ece, ecf
BlackICE PC Protection 3.6 cbz, ccb, ccd, ccf
BlackICE Server Protection 3.6 cbz, ccb, ccd, ccf
RealSecure® Network 7.0, XPU 22.4 and 22.10
RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
RealSecure Desktop 3.6 ebz, ecb, ecd, ece, ecf
RealSecure Guard 3.6 ebz, ecb, ecd, ece, ecf
RealSecure Sentry 3.6 ebz, ecb, ecd, ece, ecf

No other ISS products, including their Proventia line, are affected. So far as we know, the impact of this worm is confined to networks protected by one of the above products. However, any machine in such a network is at risk.

What Should I Do?

If you have any of the affected products do the following immediately.

Disconnect the equipment from the Internet and from all computers to which it is connected by removing the Ethernet cables. This is the cable that goes to your cable or DSL modem. Leave the device disconnected from the Internet until it has been patched. Unless you intend to use one of the scanning tools mentioned below, power off the device.

Using a different computer, review the ISS alert at http://xforce.iss.net/xforce/alerts/id/166 for information about how to update the firmware in your BlackICE firewall and http://xforce.iss.net/xforce/alerts/id/167 for information about infection detection for your specific product.

If you have reason to believe that you have been infected, do the following. Data on infected systems may be damaged. ISS X-Force recommends that systems that are infected are removed from the network, and powered down. ISS X-Force further recommends that data recovery techniques are employed to assess damage and to recover data. ISS X-Force recommends that affected individuals investigate one or more of the following data recovery techniques:

1. Launch the Windows XP or Windows 2000 recovery console:
   http://support.microsoft.com/default.aspx?scid=kb;en-us;307654
   http://support.microsoft.com/default.aspx?scid=kb;en-us;268106
2. Create a parallel install of the operating system into something other than the default directory to gain access to critical files:
   http://support.microsoft.com/?id=259003
3. Run chkdsk /f on the affected volumes to see if it will repair the corruption.
4. Restore the system from the most recent backup if chkdsk is not able to repair the corruption.

Because of the method of infection, we urge you in the strongest possible terms to seek qualified professional assistance if you are or believe you are infected.

Details

According to the ISS bulletin, the worm behaves as follows. The Witty worm exploits a stack-based overflow in ICQ response parsing in the Protocol Analysis Module (PAM) of ISS products. This is a part of the firmware in your firewall. It is a memory-resident worm only, and contains no file payload. That is, the worm leaves no file on your computer and won't be detected by your virus scanner.

Witty propagates via UDP, sending UDP packets with a random destination and destination port. The source port of Witty traffic is 4000, and the source address is not spoofed. This means that, with a protocol analyzer or sniffer, you can find its local source. However, as most of you probably have at most one BlackIce firewall, it should be easy enough to locate and secure the affected equipment.

The worm will attempt to propagate immediately by sending copies of itself out across the wire to random targets. After sending a predefined number of packets, Witty attempts to open a randomly determined hard drive and write 64k of data to a random location. This cycle repeats for every 20,000 packets sent. Since the worm is entirely memory resident, the worm is killed by powering off all affected equipment - both firewalls and PCs.

References

ISS Security Alert # 166, "Vulnerability in ICQ Parsing in ISS Products" at http://xforce.iss.net/xforce/alerts/id/166.
ISS Security Alert # 167, "BlackICE Witty Worm Propagation" at http://xforce.iss.net/xforce/alerts/id/167.
"'Witty' Worm Exploits Hole in BlackIce Security Product," ComputerWorld, http://www.computerworld.com/securitytopics/security/story/0,10801,91528,00.html.

This concludes this VirusWarn notice.

David Gray
P6 Consulting
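A defender-side check for the propagation pattern the notice describes (fixed, unspoofed UDP source port 4000 and random destination addresses and ports), added here as an example and not part of the original notice or of any ISS tool: it parses constructed tcpdump-style capture lines and flags internal hosts whose port-4000 UDP traffic fans out to many distinct targets, which is how one would "find its local source" with a sniffer. The line format, the thresholds and the sample addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Matches a tcpdump-style UDP line such as:
#   12:00:01.000123 IP 192.168.1.23.4000 > 203.0.113.7.13011: UDP, length 909
UDP_LINE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                      r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length \d+")
WITTY_SRC_PORT = 4000  # fixed, unspoofed source port stated in the notice

def parse_udp(lines):
    """Yield (src, sport, dst, dport) for each UDP line; ignore the rest."""
    for line in lines:
        m = UDP_LINE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def witty_suspects(lines, min_packets=5, min_targets=5):
    """Return {src: {"packets": n, "targets": k}} for hosts sending at least
    min_packets UDP packets from port 4000 to at least min_targets distinct
    (dst, dport) pairs. Port 4000 alone is not enough (it is also ICQ's port,
    so a client talking to one server matches); the spread over random
    targets is what singles out the worm."""
    seen = defaultdict(lambda: {"packets": 0, "targets": set()})
    for src, sport, dst, dport in parse_udp(lines):
        if sport != WITTY_SRC_PORT:
            continue
        seen[src]["packets"] += 1
        seen[src]["targets"].add((dst, dport))
    return {src: {"packets": s["packets"], "targets": len(s["targets"])}
            for src, s in seen.items()
            if s["packets"] >= min_packets and len(s["targets"]) >= min_targets}

# Constructed sample capture: 192.168.1.23 sprays random targets from port
# 4000 (worm pattern); 192.168.1.40 talks to one ICQ server from port 4000
# (benign); the DNS line (other source port) and TCP line must not count.
SAMPLE_CAPTURE = [
    "12:00:01.000123 IP 192.168.1.23.4000 > 203.0.113.7.13011: UDP, length 909",
    "12:00:01.000456 IP 192.168.1.23.4000 > 198.51.100.90.44123: UDP, length 909",
    "12:00:01.000789 IP 192.168.1.23.4000 > 192.0.2.18.6022: UDP, length 909",
    "12:00:01.001012 IP 192.168.1.23.4000 > 203.0.113.200.31337: UDP, length 909",
    "12:00:01.001345 IP 192.168.1.23.4000 > 198.51.100.5.8: UDP, length 909",
    "12:00:02.000000 IP 192.168.1.40.4000 > 203.0.113.50.4000: UDP, length 120",
    "12:00:02.500000 IP 192.168.1.40.4000 > 203.0.113.50.4000: UDP, length 88",
    "12:00:03.000000 IP 192.168.1.40.4000 > 203.0.113.50.4000: UDP, length 64",
    "12:00:03.100000 IP 192.168.1.40.4000 > 203.0.113.50.4000: UDP, length 64",
    "12:00:03.200000 IP 192.168.1.40.4000 > 203.0.113.50.4000: UDP, length 64",
    "12:00:04.000000 IP 192.168.1.40.51000 > 192.168.1.1.53: UDP, length 45",
    "12:00:04.100000 IP 192.168.1.40.51001 > 203.0.113.9.80: Flags [S], seq 1",
]
print(witty_suspects(SAMPLE_CAPTURE))
```

Lowering min_targets to 1 shows why the fan-out threshold matters: the benign ICQ client is then reported alongside the infected host.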