New Worm targets BlackICE vulnerability
#1
Guest
Posts: n/a

There seems to be a new worm which tries to exploit a vulnerability in
ICQ parsing in ISS products like BlackICE. A patch for that
vulnerability is available ...

More info:
http://isc.sans.org/diary.html
http://xforce.iss.net/xforce/alerts/id/166

That worm knocked on the door of my computer several times now ...

Regards,
Axel Pettinger
#2
Guest
Posts: n/a

On that special day, Axel Pettinger, (api@epost.de) said...

> There seems to be a new worm which tries to exploit a vulnerability in
> ICQ parsing in ISS products like BlackICE.

That was *fast* (tm). The advisory about this specific ISS product flaw
came out only yesterday or the day before.

http://www.eeye.com/html/Research/A...AD20040318.html
http://xforce.iss.net/xforce/alerts/id/166 (as mentioned by Axel)

Don't forget, there is an older vulnerability, too, in
http://www.eeye.com/html/Research/A...AD20040226.html

> A patch for that
> vulnerability is available ...
>
> More info:
> http://isc.sans.org/diary.html
>
> That worm knocked on the door of my computer several times now ...

Neat. Somehow I have a feeling that someone knew about that vulnerability
even before the advisory came out; or how did the malware come into
existence that early? Was it made with a trojan construction kit?

Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de

--
Ah, Information. A good, too valuable these days, to give it away, just so, at no cost.
#3
Guest
Posts: n/a

On Sat, 20 Mar 2004 10:00:03 +0100, Axel Pettinger <api@epost.de>
wrote:

> There seems to be a new worm which tries to exploit a vulnerability in
> ICQ parsing in ISS products like BlackICE. A patch for that
> vulnerability is available ...
>
> More info:
> http://isc.sans.org/diary.html
> http://xforce.iss.net/xforce/alerts/id/166
>
> That worm knocked on the door of my computer several times now ...

It's been kissing my router here too.

--
Clay
mania dot com
#4
Guest
Posts: n/a

I guess Real Secure -- is NOT real secure !

Dave :-)

"Axel Pettinger" <api@epost.de> wrote in message
news:405C0813.FC2BB882@epost.de...
| There seems to be a new worm which tries to exploit a vulnerability in
| ICQ parsing in ISS products like BlackICE. A patch for that
| vulnerability is available ...
|
| More info:
| http://isc.sans.org/diary.html
| http://xforce.iss.net/xforce/alerts/id/166
|
| That worm knocked on the door of my computer several times now ...
|
| Regards,
| Axel Pettinger
#5
Guest
Posts: n/a

On Sat, 20 Mar 2004 10:00:03 +0100, Axel Pettinger <api@epost.de>
wrote:

> There seems to be a new worm which tries to exploit a vulnerability in
> ICQ parsing in ISS products like BlackICE. A patch for that
> vulnerability is available ...
>
> More info:
> http://isc.sans.org/diary.html
> http://xforce.iss.net/xforce/alerts/id/166
>
> That worm knocked on the door of my computer several times now ...
>
> Regards,
> Axel Pettinger

Yes, they seem to call it "Witty"
http://www.f-secure.com/v-descs/witty.shtml

Jari
#6
Guest
Posts: n/a

Axel Pettinger wrote:
>
> There seems to be a new worm which tries to exploit a vulnerability in
> ICQ parsing in ISS products like BlackICE. A patch for that
> vulnerability is available ...
>
> More info:
> http://isc.sans.org/diary.html

The ISC page was updated ..., re-read ...

> http://xforce.iss.net/xforce/alerts/id/166
>
> That worm knocked on the door of my computer several times now ...

According to Symantec "Witty" has a destructive payload:
"Attempts to overwrite the first 128 sectors of one random physical hard
drive with data from memory."
http://www.sarc.com/avcenter/venc/d...witty.worm.html

Other descriptions of the Witty worm:
http://www.Europe.F-Secure.com/v-descs/witty.shtml
http://www.trendmicro.com/vinfo/vir...me=WORM_WITTY.A

One could get the impression that most anti-virus companies are sleeping -
just because Witty is a worm which can only be found in memory ... :/

This worm has probably existed for almost 14 hours and it's still hard to
find a good description about it on their sites ...

Regards,
Axel Pettinger
#7
Guest
Posts: n/a

"David H. Lipman" wrote:
>
> "Axel Pettinger" <api@epost.de> wrote in message
> news:405C0813.FC2BB882@epost.de...
> | There seems to be a new worm which tries to exploit a vulnerability
> | in ICQ parsing in ISS products like BlackICE. A patch for that
> | vulnerability is available ...
> |
> | More info:
> | http://isc.sans.org/diary.html
> | http://xforce.iss.net/xforce/alerts/id/166
> |
> | That worm knocked on the door of my computer several times now ...
>
> I guess Real Secure -- is NOT real secure !
>
> Dave :-)

Maybe that should be the message of that worm - who knows? After all it
is obviously a destructive one. Without that payload I'd have said that
it is a (more or less) harmless warning for users to patch their systems
before trojans (or hackers) compromise them using that vulnerability.
But now ... :/

ISS's own page about the Witty worm and the vulnerable product versions
(the site is different from the one mentioned above):
http://xforce.iss.net/xforce/alerts/id/167

McAfee just started their analysis of the worm:
http://vil.nai.com/vil/content/v_101118.htm

Regards,
Axel Pettinger
#8
Guest
Posts: n/a

"Axel Pettinger" <api@epost.de> wrote in message
news:405C910A.101D700B@epost.de...
> Axel Pettinger wrote:
> >
> > There seems to be a new worm which tries to exploit a vulnerability in
> > ICQ parsing in ISS products like BlackICE. A patch for that
> > vulnerability is available ...
> >
> > More info:
> > http://isc.sans.org/diary.html
>
> The ISC page was updated ..., re-read ...
>
> > http://xforce.iss.net/xforce/alerts/id/166
> >
> > That worm knocked on the door of my computer several times now ...
>
> According to Symantec "Witty" has a destructive payload:
> "Attempts to overwrite the first 128 sectors of one random physical
> drive with data from memory."

Note: if the target is a hard drive and the initial partition is FAT32,
then it will be 100% recoverable. Gibson's FIXCIH ought to be enough.

If NTFS the damage will be worse. It will need restoring the MBR and the
partition boot sector, then a repair re-install. Some NT4 and W2000
systems may need a fresh install and data restored from backup. If no
backup exists, then a file recovery tool should be able to recover very
nearly the entire file system.

> http://www.sarc.com/avcenter/venc/d...witty.worm.html
>
> Other descriptions of the Witty worm:
> http://www.Europe.F-Secure.com/v-descs/witty.shtml
> http://www.trendmicro.com/vinfo/vir...me=WORM_WITTY.A
>
> One could get the impression that most anti virus companies are sleeping
> - just because Witty is worm which can only be found in memory ... :/
>
> This worm exists probably since almost 14 hours and its still hard to
> find a good description about it on their sites ...
>
> Regards,
> Axel Pettinger

Bob

--
Robert Green
BootMaster Partition Recovery
http://bootmaster.filerecovery.biz
bob[dot]green[at]filerecovery[dot]biz
#9
Guest
Posts: n/a

> Note: if the target is a hard drive and the initial
> partition is FAT32, then it will be 100% recoverable.
> Gibson's FIXCIH ought to be enough.
> If NTFS the damage will be worse. It will need restoring the
> MBR and the partition boot sector, then a repair re-install.
> Some NT4 and W2000 systems may need a fresh install and data
> restored from backup. If no backup exists, then a file
> recovery tool should be able to recover very nearly the
> entire file system.

Okay, we can continue this on usenet like you said.. )

So, don't you think you are a tad optimistic?

Gadi Evron.
#10
Guest
Posts: n/a

"Gadi Evron" <ge@linuxbox.org> wrote in message
news:newscache$9v9wuh$qd6$1@lnews.actcom.co.il...
> > Note: if the target is a hard drive and the initial
> > partition is FAT32, then it will be 100% recoverable.
> > Gibson's FIXCIH ought to be enough.
> > If NTFS the damage will be worse. It will need restoring the
> > MBR and the partition boot sector, then a repair re-install.
> > Some NT4 and W2000 systems may need a fresh install and data
> > restored from backup. If no backup exists, then a file
> > recovery tool should be able to recover very nearly the
> > entire file system.
>
> Okay, we can continue this on usenet like you said.. )

Okay :-).

> So, don't you think you are a tad optimistic?

Not really. It is optimism based in experience. I do this stuff for a
living these days ;-).

For FAT there are 5 steps to recover this kind of thing, whether you use a
tool like Gibson's or do it some other way. (The CIH recovery tools, AFAIK,
only work for FAT32, but FAT16 can also be recovered in this case, though
not in the CIH case.)

1. Analyze the surviving part of the FAT to determine the sectors per FAT
   and, for FAT32, the start sector of the FAT.
2. Determine the size of the partition, i.e., just locate the end of it.
3. From the sectors per FAT and total sectors in the partition you can
   calculate the other BPB parameters and rebuild the boot sector. You
   might also have to locate a FAT32 root directory if it is not at
   cluster 2.
4. Rebuild the partition table.
5. Repair the FAT.

For NTFS:

1. Locate the backup boot sector (in the last sector of the partition)
   and use it to restore the primary boot sector.
2. Rebuild the partition table.
3. Do a repair reinstall.

Naturally the above is a very general outline, and there are a number of
possible complications, but they are all capable of solution. So, I think
I have justified my optimism :-).

BTW, for people interested in this kind of stuff I have a few case studies
posted here: http://bootmaster.filerecovery.biz/appnotes.html. Case Study
5, a case involving CIH, is derived from an a.c.v. thread of a few years
ago.

> Gadi Evron.

Bob

--
Robert Green
BootMaster Partition Recovery
http://bootmaster.filerecovery.biz
bob[dot]green[at]filerecovery[dot]biz
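The recovery outline in post #10 (and the FAT32/NTFS note in post #8) can be made concrete. The following is an added worked example, not code from the thread, from BootMaster or from any of the tools named above. It carries out step 3 of the FAT outline (deriving the remaining BPB parameters from the sectors-per-FAT and total-sectors values that steps 1 and 2 yield, then assembling a boot sector) and step 1 of the NTFS outline (validating the backup boot sector in the partition's last sector and copying it back to sector 0). Assumptions: the FAT was sized minimally by the formatter, so the cluster size is the smallest power of two whose cluster count still fits in the FAT; 512-byte sectors and two FATs; field offsets follow the published FAT32 BPB and NTFS boot sector layouts. The partition images and the "first 128 sectors overwritten" damage are constructed in memory; nothing touches a real disk.

```python
"""Added example: rebuild a FAT32 boot sector from FAT geometry, and restore an
NTFS boot sector from its last-sector backup. Constructed in-memory images only."""
import struct

SECTOR = 512


def infer_fat32_layout(fat_start, sectors_per_fat, total_sectors, num_fats=2):
    """Derive sectors-per-cluster, cluster count and data start from what a FAT
    scan yields (FAT start = reserved sectors, sectors per FAT) plus the
    partition size. Assumption: the FAT was sized minimally, so the cluster
    size is the smallest power of two whose cluster count fits in the FAT."""
    data_sectors = total_sectors - fat_start - num_fats * sectors_per_fat
    fat_capacity = sectors_per_fat * SECTOR // 4 - 2   # 4-byte entries, 2 reserved
    for spc in (1, 2, 4, 8, 16, 32, 64, 128):
        clusters = data_sectors // spc
        if clusters <= fat_capacity:
            if clusters < 65525:
                raise ValueError("fewer than 65525 clusters: not FAT32 geometry")
            return {"sectors_per_cluster": spc, "cluster_count": clusters,
                    "data_start": fat_start + num_fats * sectors_per_fat}
    raise ValueError("no cluster size makes the FAT geometry consistent")


def build_fat32_boot_sector(fat_start, sectors_per_fat, total_sectors, layout):
    """Assemble a FAT32 boot sector; offsets follow the FAT32 BPB layout."""
    bs = bytearray(SECTOR)
    # jump, OEM, bytes/sector, sectors/cluster, reserved, FATs, root entries (0 on
    # FAT32), total16 (0), media, spf16 (0), sectors/track, heads, hidden, total32
    struct.pack_into("<3s8sHBHBHHBHHHII", bs, 0,
                     b"\xEB\x58\x90", b"MSWIN4.1", SECTOR,
                     layout["sectors_per_cluster"], fat_start, 2,
                     0, 0, 0xF8, 0, 63, 255, 0, total_sectors)
    # spf32, ext flags, version, root cluster, FSInfo sector, backup boot sector,
    # reserved, drive number, reserved, boot signature, volume id, label, type
    struct.pack_into("<IHHIHH12sBBBI11s8s", bs, 36,
                     sectors_per_fat, 0, 0, 2, 1, 6, bytes(12),
                     0x80, 0, 0x29, 0x12345678, b"RECOVERED  ", b"FAT32   ")
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def parse_fat32_boot_sector(bs):
    """Read back the fields a repair tool would sanity-check."""
    if bs[510:512] != b"\x55\xAA" or bs[82:90] != b"FAT32   ":
        raise ValueError("not a FAT32 boot sector")
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", bs, 11)
    total32, = struct.unpack_from("<I", bs, 32)
    spf32, = struct.unpack_from("<I", bs, 36)
    root, = struct.unpack_from("<I", bs, 44)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved": reserved, "num_fats": nfats, "total_sectors": total32,
            "sectors_per_fat": spf32, "root_cluster": root}


def make_ntfs_boot_sector(partition_sectors, spc=8, mft_lcn=786432):
    """Constructed NTFS boot sector; only the fields the restore check inspects
    are meaningful (OEM id at 3, total sectors at 0x28, signature at 510)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 11, SECTOR, spc)
    bs[21] = 0xF8
    # NTFS records the sector count excluding the backup boot sector itself
    struct.pack_into("<QQ", bs, 0x28, partition_sectors - 1, mft_lcn)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def restore_ntfs_boot_sector(image):
    """NTFS step 1: validate the backup in the last sector, then copy it to
    sector 0. Returns False rather than writing anything if it does not check out."""
    n = len(image) // SECTOR
    backup = image[-SECTOR:]
    if backup[3:11] != b"NTFS    " or backup[510:512] != b"\x55\xAA":
        return False
    total, = struct.unpack_from("<Q", backup, 0x28)
    if total != n - 1:            # geometry does not match the partition size
        return False
    image[0:SECTOR] = backup
    return True


def demo_ntfs(partition_sectors=4096):
    """Constructed scenario: primary and backup boot sectors in place, then the
    first 128 sectors overwritten (the damage quoted in the thread), then restore."""
    image = bytearray(partition_sectors * SECTOR)
    boot = make_ntfs_boot_sector(partition_sectors)
    image[0:SECTOR] = boot
    image[-SECTOR:] = boot
    image[0:128 * SECTOR] = bytes(128 * SECTOR)
    restored = restore_ntfs_boot_sector(image)
    return restored and image[0:SECTOR] == boot


if __name__ == "__main__":
    # constructed 512 MiB FAT32 partition: FAT starts at sector 32, 1022 sectors per FAT
    layout = infer_fat32_layout(32, 1022, 1048576)
    print(layout)
    print(parse_fat32_boot_sector(build_fat32_boot_sector(32, 1022, 1048576, layout)))
    print("NTFS boot sector restored:", demo_ntfs())
```

The FAT32 half deliberately stops at the boot sector: steps 4 and 5 (partition table and FAT repair) depend on what survived on the particular disk, which is exactly the "possible complications" Bob refers to. The NTFS half refuses to write if the last sector does not carry a consistent NTFS signature and sector count, since copying garbage into sector 0 would only make a subsequent file-recovery pass harder.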