The W32/Witty.worm Virus Attacks BlackIce Firewall Users
by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 20 March, 2004
This information can be freely reproduced in any medium, as long as the
information is unmodified.
The W32/Witty virus is a network worm that affects only PC computers
running Windows -- and only those Windows users who also are using
version 3.6.ccf (and prior 3.6 versions) of the BlackIce
firewall software. Users of other versions of BlackIce (including the
most recent version, 3.6.ccg, and version 3.5 and prior), Macintosh users,
and users of other non-Windows operating systems cannot be afflicted by
this worm.
Witty does not spread via email. While its "target audience" is
relatively small, UMnet reports that Witty caused noticeable network
disruption on campus. Because of that and the fact that Witty contains a
destructive payload, we are releasing this alert.
Here are some relevant facts about W32/Witty:
- Witty was discovered 20 March 2004.
- A patch for the vulnerability in BlackIce's firewall was released 19 March
2004 -- the day before the appearance of the worm. Users of the BlackIce
firewall are urged to update immediately, and to check frequently for
upgrades to the product.
If you use another firewall, you also should check for updates regularly
and frequently: while W32/Witty may not be a threat to you, another worm may
be. See ISS's security advisory about the vulnerability exploited by
W32/Witty: while Witty targets BlackIce, the other ISS products built on the
same vulnerable protocol-analysis component (the RealSecure and Proventia
lines, for example) carry the same flaw, and any unpatched installation is
open to the same attack from other, as yet unknown, worms or attackers.
- Witty will be covered by the VirusScan 4340 drivers, scheduled for
release on 24 March 2004. Note that since Witty does not write itself to
disk, this should be "in memory" detection only: a scan of the disk will not
find it, only a scan of running processes can.
- Witty will corrupt data on the hard drive by writing random garbage over
sectors of the hard drive. This damage to the data is irreversible: the data
that are overwritten must be restored from originals or backups. Note that
since raw sectors are overwritten instead of files, the damage can land in
anything on the disk -- user data, system files, or filesystem structures --
so a reformat of the hard drive may well be necessary.
- Since Witty is a worm that lives in memory only, a reboot will
remove it. Of course, until the vulnerability is removed by applying the
patch above, the machine will be susceptible to repeated attacks.
- Witty may reveal itself by these symptoms:
- Slow system reaction
- BLACKD.EXE utilizing nearly all CPU
- Corrupted files and, eventually, system instability. ["Eventually"
probably means "a few minutes after infection", not hours or days.]
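The "noticeable network disruption" mentioned above comes from every infected host spraying UDP packets at random addresses and ports (the vendor write-ups linked at the end of this page describe the traffic). The following is an added example, not part of the original alert, of how a network operator could pick infected hosts out of a firewall or flow log: it flags any source that reaches many distinct destination IP/port pairs within a short window. The log line format and the sample lines are constructed for this example; the filter on UDP source port 4000 is taken from the vendor write-ups and is an assumption of the script, which can be switched off (source_port=None) to catch any UDP scanner.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not a real capture). Assumed format, one event per line:
#   <date> <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> len <bytes>
SAMPLE_LOG = """\
2004-03-20 01:34:10 UDP 10.1.2.3:4000 -> 192.0.2.17:1036 len 1228
2004-03-20 01:34:10 UDP 10.1.2.3:4000 -> 198.51.100.200:62210 len 1100
2004-03-20 01:34:10 UDP 10.1.2.3:4000 -> 203.0.113.9:25 len 911
2004-03-20 01:34:11 UDP 10.1.2.3:4000 -> 192.0.2.250:44001 len 1301
2004-03-20 01:34:11 UDP 10.1.2.3:4000 -> 198.51.100.2:1234 len 1024
2004-03-20 01:34:11 UDP 10.1.2.3:4000 -> 203.0.113.77:5000 len 1200
2004-03-20 01:34:12 UDP 10.1.2.44:53 -> 10.1.2.1:53 len 67
2004-03-20 01:34:12 UDP 10.1.2.44:53 -> 10.1.2.1:53 len 80
2004-03-20 01:34:12 UDP 10.1.2.8:4000 -> 10.1.2.9:4000 len 120
2004-03-20 01:35:30 UDP 10.1.2.3:4000 -> 192.0.2.30:8000 len 999
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) len (?P<length>\d+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "proto": m.group("proto"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "length": int(m.group("length")),
        })
    return events


def find_udp_scanners(events, window_seconds=10, min_targets=5, source_port=4000):
    """Flag sources that hit at least min_targets distinct (dst_ip, dst_port) pairs
    within any window_seconds span. Returns {src_ip: (window_start, count)}.
    source_port=4000 is the worm's fixed source port per the vendor write-ups
    (an assumption of this example); pass None to consider every UDP source."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["proto"] != "UDP":
            continue
        if source_port is not None and ev["sport"] != source_port:
            continue
        by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, evs in by_src.items():
        best_start, best_count = None, 0
        # Slide a window starting at each event and count distinct targets inside it.
        for i, first in enumerate(evs):
            targets = set()
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                targets.add((ev["dst"], ev["dport"]))
            if len(targets) > best_count:
                best_start, best_count = first["ts"], len(targets)
        if best_count >= min_targets:
            hits[src] = (best_start, best_count)
    return hits


if __name__ == "__main__":
    for src, (start, count) in find_udp_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {count} distinct UDP targets within 10s starting {start}")
```

On the constructed sample only 10.1.2.3 is reported: it reaches six distinct targets within two seconds, while the DNS host repeats one destination and the single port-4000 packet from 10.1.2.8 never crosses the threshold. Tune window_seconds and min_targets to the normal UDP fan-out on your own network before trusting the output.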
What should you do if:
- You KNOW that your machine has been compromised by W32/Witty?
- Turn off your machine at once to minimize further damage
- Disconnect the machine from the network.
- On a different machine, one that is NOT running a vulnerable BlackIce
version (3.6.ccf or any earlier 3.6 release), download the patch from the
BlackIce link above and save it to CD/DVD, ZIP disk, USB drive, or whatever
-- it's over 6 MB. While you are at it, you may also want to get
- the most recent version of your antivirus software -- U-M folks
will find that here
and
- a copy of the U-M Security CD, which contains several important Windows
Update patches. This CD image is available to non-U-M folks as well as to
the U-M community.
- Make sure your computer is disconnected from the network; if
possible, boot it from (preferably) an alternate hard disk or bootable
CD/DVD, or (not preferred) an OS on another partition. Only as a
last resort should you reboot from the compromised OS
itself.
- If you do not have a sufficiently current backup: back up all your
user data to removable media or another hard drive.
- Whether or not you have a sufficiently current backup: test your
most recent backup on another computer. Do not stop at "the files open":
compare them against known-good copies or checksums where you can, since a
file damaged by a sector overwrite can keep the right name and size.
- If the backed-up data are NOT ok, STOP. You may want to consider your
data recovery options, but this will be both time consuming and expensive.
See, e.g., our data recovery page for some rudimentary information on data
recovery.
- Assuming that your backup is satisfactory, I recommend that you
reformat your hard drive; at the very least, do a clean install of
Windows. Note that a clean install without a format leaves whatever the worm
overwrote outside the files Windows replaces still in place, and may lead to
grief later.
- After Windows is installed, remain disconnected
from the Internet! Install in this order:
- Antivirus software
- Patches from the U-M Security CD or equivalent
- The updated firewall software
- Data from your backup -- be sure not to install the old
firewall over the updated one!
- Reconnect to the Internet
- You SUSPECT that your machine has been compromised by W32/Witty?
- Disconnect from the Internet!
- Reboot your computer
- Check to see whether you are using BlackIce version 3.6.ccf or
prior versions of BlackIce 3.6 -- if not, you're ok.
- If you are using version 3.6 of BlackIce up to and including
version 3.6.ccf, and you have noticed any irregularities, I recommend that
you proceed as if your computer was known to have been compromised, per
the instructions above. If you're not sure, remain disconnected from the
Internet and monitor your system for erratic behavior; you also should
obtain, on another computer as described above, the upgrade to
BlackIce 3.6.ccg (or switch to another firewall).
- If you see nothing abnormal, hope for the best -- but it probably
is prudent to make a backup NOW, and test it on another computer.
- If everything still seems stable, install the upgrade to BlackIce
3.6.ccg or your other, new firewall
- Reconnect to the Internet
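Both procedures above hinge on one step: test the backup before you trust it. Because Witty overwrites raw disk sectors rather than files, a damaged file can keep its name, size and timestamps and still be garbage in the middle, so "the file opens" is not a test. The following added example (not from the original page) shows the check a practitioner would actually run: build a SHA-256 manifest of the backup set while the files are known good, keep the manifest on separate media, and later verify every file against it. To show the failure mode it also simulates the worm's damage by overwriting a random span of one file and deleting another; all file names, paths and contents here are constructed for the demonstration.

```python
import hashlib
import json
import os
import random
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256 hex digest.
    Run this on the originals, or on the backup right after it is written, and
    store the result on media the infected machine cannot touch."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root, manifest):
    """Re-hash the backup and compare against the stored manifest.
    Returns (ok, corrupted, missing) lists of relative paths. Hashes are compared
    rather than sizes or timestamps: a sector-level overwrite leaves both intact."""
    current = build_manifest(root)
    ok = sorted(p for p, d in manifest.items() if current.get(p) == d)
    corrupted = sorted(p for p, d in manifest.items() if p in current and current[p] != d)
    missing = sorted(p for p in manifest if p not in current)
    return ok, corrupted, missing


def overwrite_random_span(path, span_bytes, rng):
    """Simulate the payload: random garbage at a random offset, file size unchanged."""
    size = os.path.getsize(path)
    if size <= span_bytes:
        raise ValueError("file too small for the simulated damage")
    offset = rng.randrange(0, size - span_bytes)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(bytes(rng.getrandbits(8) for _ in range(span_bytes)))


def demo(seed=1):
    """Build a constructed backup set, take its manifest, damage it, verify again.
    Returns the verification result before and after the damage."""
    rng = random.Random(seed)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        files = {  # constructed sample data, not real user files
            "docs/thesis.txt": b"chapter one\n" * 4000,
            "docs/notes.txt": b"meeting notes\n" * 100,
            "photo.bin": bytes(range(256)) * 64,
        }
        for rel, data in files.items():
            (root / rel).write_bytes(data)

        # The manifest would normally be written to a CD or another machine;
        # here a JSON string stands in for that separate copy.
        stored = json.dumps(build_manifest(root), sort_keys=True)
        before = verify_backup(root, json.loads(stored))

        overwrite_random_span(root / "docs" / "thesis.txt", 4096, rng)
        (root / "docs" / "notes.txt").unlink()
        after = verify_backup(root, json.loads(stored))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before damage:", before)
    print("after damage: ", after)
```

The manifest is only as trustworthy as the moment it was taken: build it from the originals before any sign of trouble, or from the backup as soon as it is written, and keep it off the machine being protected. The verification step is then safe to run on the "another computer" the procedures above call for, without mounting anything from the compromised host.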
For technical information on W32/Witty.worm, see, e.g., Network Associates'
write-up on W32/Witty.worm or F-Secure's write-up.
The URL for this document is
http://www.umich.edu/~virus-busters/witty.html
For virus or hoax info, please see our main page
(http://www.umich.edu/~virus-busters/) or go to another reputable site,
like The Urban Legends Reference Pages.
-BPB
Last updated:
Monday, 22-Mar-2004 13:09:53 EST.
University of Michigan Virus Busters - virus.busters@umich.edu