[34197] in bugtraq


The witty worm

daemon@ATHENA.MIT.EDU (Gadi Evron)
Sat Mar 20 16:52:57 2004

Message-ID: <405C7E82.1050608@egotistical.reprehensible.net>
Date: Sat, 20 Mar 2004 19:25:22 +0200
From: Gadi Evron <ge@egotistical.reprehensible.net>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.netsys.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Information can be found at: http://www.f-secure.com/v-descs/witty.shtml

According to that link, the worm sends itself to 20K random IPs.

It's also on a repeat though.

To block it you need to block packets coming from UDP source port 4000.

I'd suggest blocking local port 4000, as well. This thing spreads fast 
and many networks probably send it out now too.

Example Cisco rule which shows how fast this thing spreads (from a 
network run by a friend of mine, Scott McHenry):

deny udp any eq 4000 any (65 matches)
<20 seconds>
deny udp any eq 4000 any (77 matches)

	Gadi Evron.
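
The counter comparison quoted in the message, as an added example that is not part of the original post: it parses two snapshots of ACL hit counters and reports matches per second for each rule. The snapshot layout, the 20-second interval (reading "<20 seconds>" as 20 seconds) and the names `parse_counters` and `hit_rates` are assumptions.

```python
import re

# One counted ACL entry, e.g. "deny udp any eq 4000 any (65 matches)".
# Newer IOS output prefixes a sequence number, which is skipped.
ACL_LINE = re.compile(
    r"^\s*(?:\d+\s+)?((?:permit|deny)\s.+?)\s+\((\d+) match(?:es)?\)\s*$")

# Constructed snapshots: only the "deny udp any eq 4000 any" lines and their
# counts come from the message; the header and permit line are made up.
BEFORE = """Extended IP access list 101
    deny udp any eq 4000 any (65 matches)
    permit ip any any (1200 matches)"""
AFTER = """Extended IP access list 101
    deny udp any eq 4000 any (77 matches)
    permit ip any any (1210 matches)"""


def parse_counters(snapshot):
    """Return {rule text: match count} for each counted entry."""
    counters = {}
    for line in snapshot.splitlines():
        m = ACL_LINE.match(line)
        if m:
            counters[" ".join(m.group(1).split())] = int(m.group(2))
    return counters


def hit_rates(before, after, seconds):
    """Matches per second for every rule present in both snapshots."""
    if seconds <= 0:
        raise ValueError("interval must be positive")
    old, new = parse_counters(before), parse_counters(after)
    rates = {}
    for rule, count in new.items():
        if rule not in old:
            continue  # rule added between snapshots, no baseline
        delta = count - old[rule]
        if delta < 0:  # counters cleared in between: count since the reset
            delta = count
        rates[rule] = delta / seconds
    return rates


if __name__ == "__main__":
    for rule, rate in hit_rates(BEFORE, AFTER, 20).items():
        print(f"{rule}: {rate:.2f} matches/s")
```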

