Spyware Warrior Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 
FAQ :: Search :: Memberlist :: Usergroups :: Register
Profile :: Log in to check your private messages :: Log in

'Witty' Worm Wrecks Computers

 
Post new topic   Reply to topic    Spyware Warrior Forum Index -> Virus, Worm &Trojan Alerts
View previous topic :: View next topic  
Author Message
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Mon Mar 22, 2004 9:53 am    Post subject: 'Witty' Worm Wrecks Computers Reply with quote

'Witty' Worm Wrecks Computers
The worm targets Windows computers that run specific security firewalls.

_____'Witty' Worm Patch_____

By Brian Krebs
washingtonpost.com Staff Writer
Sunday, March 21, 2004; 2:17 PM


A quickly spreading Internet worm destroyed or damaged tens of thousands of personal computers worldwide Saturday morning by exploiting a security flaw in a firewall program designed to protect PCs from online threats, computer experts said.

The "Witty" worm writes random data onto the hard drives of computers equipped with the Black Ice and Real Secure Internet firewall products, causing the drives to fail and making it impossible to restart the PCs. Unlike many recent worms that arrive as e-mail attachments, it spreads automatically to vulnerable computers without any action on the part of the user.

At least 50,000 computers have been infected so far, according to Reston, Va.-based computer security firm iDefense and the Bethesda, Md.-based SANS Institute.

The firewalls were developed by Atlanta-based Internet Security Systems. Chris Rouland, vice president of the company's X-Force research and development division, said that as many as 32,000 corporate computers could be infected. The company does not know how many home computers are infected. ISS released a patch on Wednesday, and Saturday published a detailed writeup of the affected products.

Most infected computers will have to be rebuilt from scratch unless their owners instead decide to buy new ones, said Ken Dunham, a computer security expert at iDefense.

"The thing looks like it will corrupt or crash most drives enough so that reinstallation is going to be required," he said. "This is a very destructive worm."

Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment.

Internet worms, viruses and other malignant software often install software or open "back doors" that allow hackers to control infected computers. That often gives them access to private data that people keep on their computers, and allows them to use those computers to send out e-mail spam that cannot be traced back to its real owner. The Witty worm is different and in some respects more destructive because it renders the computer useless.

Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, said that the worm does not create files on infected computers so most antivirus software will not detect it.

Security vulnerability research firm eEye Digital Security identified the flaw on March 8. The Aliso Viejo, Calif.-based company discovered that it could trick some versions of Black Ice and Real Secure into processing Internet traffic that would allow attackers to transfer dangerous data to vulnerable computers.

The Witty worm gets its moniker from a message buried within its code that says: "insert witty message here." That comes just before the code that overwrites the infected hard drives.

Joe Stewart, a senior security researcher at Chicago-based security services company Lurhq, said he expects the worm to die out over the next few hours as vulnerable computers quickly become useless hosts.

"With all these hard drive problems, the infection rates are going to shrink pretty quickly as all these affected machines grind themselves to a halt," Stewart said.

Like a pathogen that feeds on its host in order to spread, the Witty worm corrupts the hard drive as it tries to take over other vulnerable machines, Stewart wrote in his analysis of the worm. "This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist -- unfortunately it will take all the affected systems with it."

http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
Back to top
View user's profile Send private message Send e-mail Visit poster's website
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Mon Mar 22, 2004 10:59 pm    Post subject: Reply with quote

Dear Trend Micro customer:

As of March 22, 2004 7:05 AM PST, TrendLabs has declared a Yellow Alert to
control the spread of WORM_NETSKY.P.
TrendLabs has received numerous infection reports of this malware spreading in
the US and Europe.

This new NETSKY variant propagates via email using its own Simple Mail Transfer
Protocol (SMTP) engine.

The email that it sends out has varying subjects, message bodies, and attachment
file names. It gathers email addresses from files with certain extension names.

It also has the ability to propagate via network shares by dropping copies of
itself to shared folders of the affected system.

It exploits a known vulnerability in the Internet Explorer involving the
incorrect MIME header vulnerability (MS01-020) to execute the malware when the
email is read. More information on this vulnerability is available at:

http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx


TrendLabs has released the following EPS deliverables:

TMCM Outbreak Prevention Policy 99 (ATA: 7:34 AM PST)
Official Pattern Release 832 (ATA: 7:22 AM PST)
Damage Cleanup Template 296 (ETA 1 hour 45 minutes)
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
Back to top
View user's profile Send private message Send e-mail Visit poster's website
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

PostPosted: Tue Mar 23, 2004 9:50 pm    Post subject: Reply with quote

What is W32.Netsky.P@mm and how does it affect me?
W32.Netsky.P@mm, also known as W32.Netsky.Q@mm, is yet another varient of the Netsky worm, a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard
drives and/or mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.

The "From" line of the email is spoofed, and its "Subject" line and
message body vary.

The attachment name varies with .exe, .pif, .scr, or .zip file extension.

Also, this threat is compressed with FSG.

Notes:
- Symantec Consumer products that support Worm Blocking functionality
automatically detect this threat as it attempts to spread.

- The worm's executable has a static MD5 hash value of 0x0A9FFA57D65083
C92E0D3D69B00F2F0D.m.

- Rapid release definitions dated March 21, 2004 or March 22, 2004 may
detect this threat as W32.Netsky.Q@mm.
_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
Back to top
View user's profile Send private message Send e-mail Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Spyware Warrior Forum Index -> Virus, Worm &Trojan Alerts All times are GMT - 8 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group