NEWS FROM THE LAB - Saturday, March 20, 2004

The Witty network worm outbreak

Posted by Mikko @ 10:01 GMT

We've agreed to call this new network worm "Witty", based on the texts inside the worm ("insert witty message here"). For details, see the virus description.

Do note that this is a completely automatic network worm. It never sends any emails, and it can infect vulnerable machines without any human help. It spreads as an in-memory process, so infected machines can be cleaned temporarily by rebooting them.

This worm has similarities to the infamous Slammer worm, which used a hole in MSSQL systems to spread and caused massive amounts of network traffic in January 2003.

Slammer was 376 bytes in size, while Witty is 909 bytes, so both are tiny. Neither ever hits the hard drive. Both use UDP packets to spread. And both were distributed around the same time of the week. Slammer was released at 05:31 GMT on Saturday the 25th of January 2003. The first captured infection of Witty we are aware of was at 04:45 today, Saturday the 20th of March 2004.

F-Secure's firewall applications automatically block this worm without any updates. They will also filter the UDP traffic generated by the worm.