BitDefender Antivirus

Win32.Worm.Witty.A

(W32.Witty.Worm (Symantec))
Propagation: high
Damage: high
Size: 610 (in exploit packet)
Detected: 2004 Mar 20

SYMPTOMS:

The worm remains resident only in computer memory.
Increased activity on port 4000 with many different IPs.
In the medium to long term, visible data corruption on the hard disk(s).

TECHNICAL DESCRIPTION:

The worm exploits a vulnerability in ISS products, which incorrectly handle ICQ parsing requests.
When the exploit succeeds, the worm initializes a few internal variables that are used next for multiplication.
After that it sends itself to 20000 random IPs on port 4000 UDP to exploit possible victims.
As a payload, the malware overwrites data with garbage on the first 8 physical disks, randomly chosen, at random positions.
Finally, the worm loops indefinitely from the point where it sends itself.
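
The port 4000 symptom above can be checked against flow logs. The following is an added example, not BitDefender code: it flags hosts whose UDP traffic on port 4000 reaches many distinct IPs within a short window. The log format, window, threshold and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

PORT = 4000       # UDP port named in the description above
WINDOW = 60       # assumption: sliding window, in seconds
THRESHOLD = 100   # assumption: distinct peers per window that counts as a spray


def parse_flow(line):
    """Parse 'epoch proto src_ip:port dst_ip:port bytes' (constructed log format)."""
    ts, proto, src, dst, size = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return float(ts), proto.upper(), src_ip, int(sport), dst_ip, int(dport), int(size)


def find_fanout_hosts(lines, port=PORT, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak distinct destinations per window}; expects time-ordered flows."""
    recent = defaultdict(deque)                      # src_ip -> (ts, dst_ip) in window
    counts = defaultdict(lambda: defaultdict(int))   # src_ip -> dst_ip -> flows in window
    peaks = {}
    for line in lines:
        ts, proto, src_ip, sport, dst_ip, dport, _ = parse_flow(line)
        # Assumption: match the port on either side of the flow.
        if proto != "UDP" or port not in (sport, dport):
            continue
        q, c = recent[src_ip], counts[src_ip]
        q.append((ts, dst_ip))
        c[dst_ip] += 1
        while q and ts - q[0][0] > window:           # expire flows older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= threshold:
            peaks[src_ip] = max(peaks.get(src_ip, 0), len(c))
    return peaks


def sample_flows():
    """Constructed flows: 10.0.0.5 sprays 200 addresses, 10.0.0.9 talks to one peer."""
    flows = [f"{1000 + i * 0.1:.1f} UDP 10.0.0.5:49152 203.0.113.{i + 1}:4000 610"
             for i in range(200)]
    flows += [f"{1000 + i:.1f} UDP 10.0.0.9:53211 192.0.2.10:4000 80" for i in range(20)]
    return sorted(flows, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    print(find_fanout_hosts(sample_flows()))
```

Because the worm stays only in memory, a flagged host should be isolated and examined before it is restarted.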

Removal instructions:

Restart the computer and update the affected products.

ANALYZED BY:

Ciubotariu Mircea, BitDefender Virus Researcher