Witty Worm

Last updated: October 7, 2011

What Does Witty Worm Mean?

Witty Worm is a type of computer malware that attacks security systems created by Internet Security Systems (ISS) (now known as IBM ISS). The Witty Worm bypasses firewalls by sending itself to random IP addresses with random destination ports. It carries a destructive payload that erases data and can cause high levels of damage. The Worm is less than 700 bytes in length.

The Witty Worm is a milestone in malware history because it was the first malware known to target a particular set of security products. It was also the first worm known for destroying its hosts.


Techopedia Explains Witty Worm

In 2004, the Witty Worm emerged as a well-written and destructive virus that infected and damaged 12,000 systems within a span of only 45 minutes. The Witty Worm was released from a bot network of 100 infected machines, a previously unknown methodology.

The Witty Worm infected computers running the following products:

  • BlackICE Agent for Server 3.6 ebz, ecd, ece, ecf
  • BlackICE PC Protection 3.6 cbz, ccd, ccf
  • BlackICE Server Protection 3.6 cbz, ccd, ccf
  • RealSecure Network 7.0, XPU 22.4 and 22.10
  • RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
  • RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
  • RealSecure Desktop 3.6 ebz, ecd, ece, ecf
  • RealSecure Guard 3.6 ebz, ecd, ece, ecf
  • RealSecure Sentry 3.6 ebz, ecd, ece, ecf

The Worm masquerades as a valid ICQ packet and uses User Datagram Protocol (UDP) port 4000 to send itself to multiple IP addresses. As soon as the Witty Worm infects a system by taking advantage of ISS software vulnerabilities, it tries to infect other systems in the same manner. Thus, rebooting infected systems is not recommended, and these systems should be removed from a network to prevent propagation.
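The propagation pattern described above (UDP port 4000, random IP addresses, random destination ports) can be checked for in flow logs. The following is an added detection sketch, not code from the original page: the flow record layout, thresholds and sample records are constructed, and it assumes port 4000 is the source port of the worm's packets.

```python
from collections import defaultdict

WITTY_UDP_PORT = 4000   # port named on the page; read here as the source port (assumption)
MIN_DST_IPS = 5         # constructed thresholds, sized for the sample below
MIN_DST_PORTS = 5

# Constructed flow records: (epoch_seconds, proto, src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (100, "udp", "10.0.0.5", 4000, "198.51.100.17", 31337),
    (101, "udp", "10.0.0.5", 4000, "203.0.113.80", 1029),
    (101, "udp", "10.0.0.5", 4000, "192.0.2.44", 52011),
    (102, "udp", "10.0.0.5", 4000, "198.51.100.201", 8),
    (103, "udp", "10.0.0.5", 4000, "203.0.113.9", 44190),
    (104, "udp", "10.0.0.5", 4000, "192.0.2.130", 6077),
    # One client talking to one server from port 4000: no fan-out.
    (100, "udp", "10.0.0.9", 4000, "192.0.2.10", 4000),
    (130, "udp", "10.0.0.9", 4000, "192.0.2.10", 4000),
    # Several destinations, but not from port 4000 (DNS lookups).
    (100, "udp", "10.0.0.7", 53124, "192.0.2.53", 53),
    (101, "udp", "10.0.0.7", 53125, "198.51.100.53", 53),
    # TCP from port 4000 is out of scope.
    (100, "tcp", "10.0.0.8", 4000, "192.0.2.20", 443),
]

def find_fanout_hosts(flows, window_s=60):
    """Return {src_ip: (distinct_dst_ips, distinct_dst_ports)} for hosts whose
    UDP traffic from port 4000 fans out inside one fixed time window."""
    buckets = defaultdict(lambda: (set(), set()))
    for ts, proto, src, sport, dst, dport in flows:
        if proto.lower() != "udp" or sport != WITTY_UDP_PORT:
            continue
        # Fixed buckets keep this short; a burst straddling a boundary is split.
        ips, ports = buckets[(src, ts // window_s)]
        ips.add(dst)
        ports.add(dport)
    flagged = {}
    for (src, _), (ips, ports) in buckets.items():
        if len(ips) >= MIN_DST_IPS and len(ports) >= MIN_DST_PORTS:
            # Keep the widest window seen for each host.
            flagged[src] = max(flagged.get(src, (0, 0)), (len(ips), len(ports)))
    return flagged

if __name__ == "__main__":
    for host, (n_ips, n_ports) in sorted(find_fanout_hosts(SAMPLE_FLOWS).items()):
        print(f"{host}: UDP/{WITTY_UDP_PORT} to {n_ips} hosts on {n_ports} ports; remove from network")
```

Requiring both many destination addresses and many destination ports keeps an ordinary client that talks to a single server on port 4000 from being flagged.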

The Witty Worm can be removed by downloading ISS security patches. Because the Worm attacks computer memory, a data recovery system is required to restore full functionality.

