Notices
NSC-040315: W32.Witty.Worm Attacking Black Ice Internet Firewall
A new worm named W32.Witty.Worm has been spreading across campus. W32.Witty.Worm exploits a vulnerability in ICQ parsing by ISS products. The worm sends itself out to multiple IP addresses using source port 4000/UDP and a random destination port; this traffic typically saturates the local network connections. This saturation has been the cause of a number of network problems in the last 24 hours across campus. In order to keep the overall network operational, ITS has had to disable the infected machines.

The following products are vulnerable:

RealSecure® Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
RealSecure Server Sensor 6.5 for Windows SR 3.10 and before
Proventia™ A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE™ Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before

The worm is a memory-only threat and does not create files on the system, but it has a payload that overwrites random sectors of a random hard disk.

NOTE: If your system is not running a vulnerable version of one of the affected products, then you will not be infected. If you are running a product that has the vulnerability used by the worm, we recommend that you apply the relevant patch as soon as possible. Patches for this vulnerability are available at http://blackice.iss.net/update_center/index.php.

Additional information can be found here:

ISS Black Ice downloads: http://blackice.iss.net/update_center/index.php
Vulnerability Information: http://xforce.iss.net/xforce/alerts/id/166
F-Secure Writeup: http://www.f-secure.com/v-descs/witty.shtml
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html
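The traffic pattern described in this notice (UDP from source port 4000 to many addresses on random destination ports) can be picked out of flow records. The following is an added example, not part of the original notice or any ISS or ITS tooling; the log format, the sample records, the function names and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

WITTY_SRC_PORT = 4000  # UDP source port given in the notice

# Constructed sample flow log, one "proto src_ip:port dst_ip:port" per line.
SAMPLE_LOG = "\n".join(
    # One host fanning out from UDP/4000 to many addresses and ports.
    [f"udp 10.0.5.23:4000 198.51.100.{i}:{20000 + 137 * i}" for i in range(1, 9)]
    # A host talking to a single peer from UDP/4000: not a fan-out.
    + ["udp 10.0.5.40:4000 192.0.2.10:4000"] * 6
    # Unrelated traffic and a malformed line the parser must skip.
    + ["udp 10.0.5.41:53124 192.0.2.53:53",
       "tcp 10.0.5.23:4000 192.0.2.80:80",
       "garbage line"]
)


def parse_flow(line):
    """Return (proto, src_ip, src_port, dst_ip, dst_port) or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[2].rsplit(":", 1)
        return parts[0].lower(), src_ip, int(src_port), dst_ip, int(dst_port)
    except ValueError:
        return None


def find_suspect_hosts(lines, min_dst_ips=5, min_dst_ports=5):
    """Map each flagged source IP to (distinct dst IPs, distinct dst ports).

    The thresholds are assumed values; tune them to the capture window.
    """
    dst_ips, dst_ports = defaultdict(set), defaultdict(set)
    for flow in filter(None, map(parse_flow, lines)):
        proto, src_ip, src_port, dst_ip, dst_port = flow
        if proto == "udp" and src_port == WITTY_SRC_PORT:
            dst_ips[src_ip].add(dst_ip)
            dst_ports[src_ip].add(dst_port)
    return {
        src: (len(dst_ips[src]), len(dst_ports[src]))
        for src in dst_ips
        if len(dst_ips[src]) >= min_dst_ips and len(dst_ports[src]) >= min_dst_ports
    }


if __name__ == "__main__":
    print(find_suspect_hosts(SAMPLE_LOG.splitlines()))
```

Requiring both many destination addresses and many destination ports keeps a host that merely uses UDP port 4000 toward a single peer from being flagged.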