"Witty" worm

From: Bill Case (Bill46413832187_at_Hotmail.com)
Date: 03/23/04

Date: Tue, 23 Mar 2004 15:53:33 GMT

A quickly spreading worm that emerged over the weekend damaged computers at
several universities and at least one Web hosting company, according to the
first wave of damage reports that began surfacing on Monday as system
administrators returned to work.
The so-called "Witty" worm spread rapidly throughout the Internet early
Saturday morning, infecting as many as 30,000 computers before subsiding,
said Johannes Ullrich, chief technology officer for the SANS Internet Storm

The worm disrupted service for thousands of customers of Webhosting.net, a
Miami-based Web hosting company. Andrew Martin, the company's chief
information officer, said the worm completely destroyed four of the
company's Windows servers, shuttering more than 1,000 Web sites for most of
the weekend. The company is in the process of bringing customers back

"Those computers were pretty much hosed," Martin said. "Luckily we were able
to retrieve the data that was on them from backup servers, but the infected
computers had to be rebuilt from scratch."

The worm targeted computers running one of two firewall software programs in
conjunction with Microsoft's Windows operating system, taking advantage of a
security flaw in the firewall applications that was uncovered earlier this
month. Once it infects a computer, it destroys files and often makes it
impossible for people to restart their computers. It also tries to use the
computer to look for new infection targets, but as the number of affected
computers shut down, the worm's spread subsided.

Unlike many recent worms that arrive as e-mail attachments, the Witty worm
migrates without any action on the part of the user. It gets the name
"Witty" from a line of code in the worm that says, "insert witty message

The worm does its work without creating new files on infected PCs, so few
antivirus products would have detected it, Ullrich said.

It also writes random data onto the computer hard drives, often causing them
to fail. The worm can overwrite most data on the hard drive within about 20
minutes. Technologically sophisticated computer users could recover that
data, but most users would have to go through the complicated process of
reinstalling the operating system. In some cases, the worm can damage
computers beyond all repair.

The firewalls were developed by Atlanta-based Internet Security Systems
Inc., which estimated that 16,000 computers were infected during the

Chris Rouland, vice president of ISS's X-Force research and development
division, said the number could have been higher if the worm struck during
the work week when most vulnerable computers were turned on.

Relevant Pages

  • Re: REMINDER: There Is A Mac Virus In The Wild
    ... Much of the effect on Windows is ... You asked about infecting more than 1000 computers earlier, ... This Internet worm propagated by exploiting a ... ...
  • Re: A Way to Attack Nuclear Plants: Blame Esther
    ... Iran Says It Arrested Computer Worm Suspects ... connection with a damaging worm that has infected computers in its ... had infected computers in its nuclear operations. ...
  • OT This computer worm is no April Fools joke
    ... This computer worm is no April Fool's joke ... Personal computers and laptops already infected with Conficker could ... and Windows Server 2008. ...
  • File Destroying Worm Not Causing Much Damage
    ... By ANICK JESDANUN, AP Internet Writer ... One Italian city's government shut down its computers as a precaution ... Sutra" worm. ... Although the worm tries to disable anti-virus software, ...
  • Re: A code red that could bring down the net?
    ... He claimed it "got away from him" and he didn't intend it to get away. ... There were a number of screw-ups in the code of the RTM Worm. ... > worm before sending it onto the arpanet. ... > would then repeat these actions in an infinite loop to other computers on ...