<<< Date Index >>>     <<< Thread Index >>>

The witty worm



Information can be found at: http://www.f-secure.com/v-descs/witty.shtml

According to that link the worm sends itself to 20K random IP's,

It's also on a repeat though.

To block it you need to block packets coming from UDP source port 4000.

I'd suggest blocking local port 4000, as well. This thing spreads fast and many networks probably send it out now too.

Example Cisco rule which shows how fast this thing spreads (from a network ran by a friend of mine, Scott McHenry):

deny udp any eq 4000 any (65 matches)
<20 seconds>
deny udp any eq 4000 any (77 matches)

        Gadi Evron.