Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Witty" Worm Wrecks Computers

Posted by timothy on from the your-ruse-your-clever-trick dept.

An anonymous reader writes "A new Internet worm wriggled across the entire Internet in the span of a few hours Saturday morning to all computers running several recent versions of firewall software from Internet Security Systems, including BlackICE and RealSecure, according to this story at Washingtonpost.com. The flaw that Witty exploited was discovered Wednesday by eEye Digital Security. The worm overwrites data on the first few sectors of the victim's hard drive, making the machine virtually ubootable and potentially destroying much - if not all - of the victim's data." Update: 03/21 02:18 GMT by T : Reader Jeff Horning points out that eEye actually disovered the worm on the 8th of March, and came up with a fix the next day.

2 of 587 comments (clear)

  1. This is an interesting one, almost biological by myowntrueself · · Score: 5, Informative

    From LURHQ

    "This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread."

    Like many biological viruses it slowly erodes the health of its host, permitting the host to go on infecting new hosts for some time. How long exactly appears to be unpredictable.

    It doesn't kill its host outright immediately and it doesn't allow its host to continue indefinitely. Its like a true disease, a terminal illness for computers (pun not intended).

    I think this will be with us for a while, particularly when mutations start showing up.

    --
    In the free world the media isn't government run; the government is media run.
  2. Incorrect analysis? by James_G · · Score: 5, Informative
    According to this analysys, it does a lot more than corrupt the first few sectors of the drive:

    The worm's functionality is as follows:

    1) Generates a random IP address
    2) Sends the worm payload
    3) Repeats steps 1-2 20,000 times
    4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
    5) Seeks to a random point on the disk
    6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
    7) Closes the disk
    8) Starts the process over from step 1

    (emphasis mine)