Full Disclosure mailing list archives
The witty worm
From: Gadi Evron <ge () egotistical reprehensible net>
Date: Sat, 20 Mar 2004 19:25:22 +0200
Information can be found at: http://www.f-secure.com/v-descs/witty.shtml

According to that link the worm sends itself to 20K random IPs. It's also on a repeat, though. To block it you need to block packets coming from UDP source port 4000. I'd suggest blocking local port 4000 as well. This thing spreads fast and many networks probably send it out now too.
Example Cisco rule which shows how fast this thing spreads (from a network run by a friend of mine, Scott McHenry):
deny udp any eq 4000 any (65 matches)
<20 seconds>
deny udp any eq 4000 any (77 matches)

Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
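
A defensive check for the outbound case the post mentions (networks now sending the worm out), as an added example that is not part of the original post: it flags internal hosts that send UDP from source port 4000 to many distinct destinations. The flow-record format, the 10.0.0.0/8 internal range, the fan-out threshold and the sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

WITTY_SRC_PORT = 4000  # from the post: the worm's packets come from UDP source port 4000
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: your internal range
FANOUT_THRESHOLD = 5  # assumption: distinct destinations before a host is flagged

# Constructed sample records: "epoch proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """
1079803500 udp 10.1.2.3 4000 192.0.2.10 18211
1079803500 udp 10.1.2.3 4000 198.51.100.7 40122
1079803501 udp 10.1.2.3 4000 203.0.113.99 2250
1079803501 udp 10.1.2.3 4000 192.0.2.200 51515
1079803502 udp 10.1.2.3 4000 198.51.100.180 9123
1079803502 udp 10.1.2.3 4000 203.0.113.4 33001
1079803503 udp 10.1.2.9 4000 192.0.2.55 4000
1079803503 udp 10.1.2.9 4000 192.0.2.55 4000
1079803504 udp 203.0.113.77 4000 10.1.2.20 12001
1079803504 tcp 10.1.2.3 4000 192.0.2.10 80
1079803505 udp 10.1.2.30 53124 192.0.2.53 53
"""

def suspect_hosts(lines, internal=INTERNAL_NET, threshold=FANOUT_THRESHOLD):
    """Return {internal_src_ip: distinct_destination_count} for hosts at or over threshold."""
    fanout = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # blank or malformed record
        _ts, proto, src, sport, dst, _dport = fields
        try:
            from_internal = ipaddress.ip_address(src) in internal
            sport = int(sport)
        except ValueError:
            continue  # unparsable address or port
        # Only outbound UDP with source port 4000 counts toward a host's fan-out.
        if proto.lower() == "udp" and sport == WITTY_SRC_PORT and from_internal:
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for host, count in sorted(suspect_hosts(SAMPLE_FLOWS.splitlines()).items()):
        print(f"{host}: UDP source port {WITTY_SRC_PORT} to {count} distinct destinations")
```

Counting distinct destinations rather than packets keeps a host that talks to a single peer from source port 4000 (10.1.2.9 in the sample) below the threshold.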