As reported last week, Internet security firm eEye had informed Internet Security Systems (ISS) of a vulnerability in its RealSecure and BlackICE firewall products on March 8, 2004. Now, two weeks later, the bug has been exploited, and it's wreaking havoc with supposedly "protected" systems worldwide.
Dubbed the "Witty" worm by anti-virus software vendors, the worm spreads itself using UDP port 4000, and can possibly mutate this port number on demand. But unlike many other annoying-yet-benign worms, "Witty" is extremely damaging. It remains memory-resident, spreading itself to locally available machines, and systematically overwrites the master boot record, partition tables, and random sectors of any hard drives in the compromised system. Under most circumstances this will completely destroy any data on the current hard drive. Recovery is arduous, if it's possible at all.
"Witty" got its name from a humorous message embedded in its attack packets, reading "insert.witty.message.here."