The witty worm

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: The witty worm
From: Gadi Evron <ge@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 20 Mar 2004 19:25:22 +0200
Cc: full-disclosure@xxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 0.5 (Windows/20040207)

Information can be found at: http://www.f-secure.com/v-descs/witty.shtml

According to that link the worm sends itself to 20K random IP's,

It's also on a repeat though.

To block it you need to block packets coming from UDP source port 4000.

I'd suggest blocking local port 4000, as well. This thing spreads fastand many networks probably send it out now too.

Example Cisco rule which shows how fast this thing spreads (from anetwork ran by a friend of mine, Scott McHenry):


deny udp any eq 4000 any (65 matches)
<20 seconds>
deny udp any eq 4000 any (77 matches)

        Gadi Evron.

Follow-Ups:
- Re: The witty worm
  - From: Gadi Evron
- Re: The witty worm
  - From: Gadi Evron

Prev by Date: Re: The witty worm
Next by Date: Apache mod_disk_cache stores client authentication credentials on disk
Previous by thread: Concerning The Recent Invision power Board Issues
Next by thread: Re: The witty worm
Index(es):
- Date
- Thread