From: Bill Case (Bill46413832187_at_Hotmail.com)
Date: Tue, 23 Mar 2004 15:53:33 GMT

A quickly spreading worm that emerged over the weekend damaged computers at
several universities and at least one Web hosting company, according to the
first wave of damage reports that began surfacing on Monday as system
administrators returned to work.

The so-called "Witty" worm spread rapidly throughout the Internet early
Saturday morning, infecting as many as 30,000 computers before subsiding,
said Johannes Ullrich, chief technology officer for the SANS Internet Storm

The worm disrupted service for thousands of customers of Webhosting.net, a
Miami-based Web hosting company. Andrew Martin, the company's chief
information officer, said the worm completely destroyed four of the
company's Windows servers, shuttering more than 1,000 Web sites for most of
the weekend. The company is in the process of bringing customers back

"Those computers were pretty much hosed," Martin said. "Luckily we were able
to retrieve the data that was on them from backup servers, but the infected
computers had to be rebuilt from scratch."

The worm targeted computers running one of two firewall software programs in
conjunction with Microsoft's Windows operating system, taking advantage of a
security flaw in the firewall applications that was uncovered earlier this
month. Once it infects a computer, it destroys files and often makes it
impossible for people to restart their computers. It also tries to use the
computer to look for new infection targets, but as the number of affected
computers shut down, the worm's spread subsided.

Unlike many recent worms that arrive as e-mail attachments, the Witty worm
migrates without any action on the part of the user. It gets the name
"Witty" from a line of code in the worm that says, "insert witty message

The worm does its work without creating new files on infected PCs, so few
antivirus products would have detected it, Ullrich said.

It also writes random data onto the computer hard drives, often causing them
to fail. The worm can overwrite most data on the hard drive within about 20
minutes. Technologically sophisticated computer users could recover that
data, but most users would have to go through the complicated process of
reinstalling the operating system. In some cases, the worm can damage
computers beyond all repair.

The firewalls were developed by Atlanta-based Internet Security Systems
Inc., which estimated that 16,000 computers were infected during the

Chris Rouland, vice president of ISS's X-Force research and development
division, said the number could have been higher if the worm struck during
the work week when most vulnerable computers were turned on.