UDP port 4000 traffic inbound and outbound is now being blocked.
On Sat, 20 Mar 2004, Stefanie Ploof wrote:
> Because I can't say it better myself, I'll quote Symantec:
> "W32.Witty.Worm utilizes a Vulnerability in ICQ Parsing by ISS Products.
> The worm sends itself out to multiple IP addresses on source port 4000/UDP
> and a random destination port. The worm is a memory-only based threat and
> does not create files on the system.
> The worm has a payload of overwriting random sectors of a random hard
> If you are running a product that has the vulnerability used by the worm,
> we recommend that you apply the relevant patch as soon as possible.
> Patches for this vulnerability are available at
> Symantec Security Response recommends that administrators block inbound
> and outbound traffic to their networks on source port 4000/UDP. Please
> note that the destination port for traffic generated by the worm is
> selected randomly."
> Slashdot.org specifically says that BlackICE and RealSecure firewalls are
> at risk. Once a system with these firewalls is infected and the random
> sectors are overwritten the only course of action is to reimage the
> computer. I have requested that Network Services block inbound and
> outbound traffic on UDP port 4000, but please take precaution in the
> There are no virus definitions to protect against this threat. To remove:
> 1. Obtain the patch for the vulnerability from:
> 2. Disconnect the affected system from the network.
> 3. Reboot the system to remove the threat from memory.
> 4. Apply the patch.
> 5. Reconnect to the network.
> Questions or problems regarding Witty should be directed to CIT Helpline
> at [log in to unmask] or 6-2604.
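As an added example, not part of this thread or of Symantec's advisory: a small Python filter that applies the quoted recommendation to a constructed sample flow log. It keys on UDP source port 4000 regardless of destination port, shows that a rule keyed on destination port 4000 would miss the traffic, and tallies the source hosts so they can be disconnected and patched first; the log line format is an assumption.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Assumed, constructed log format: "<proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(r"^(udp|tcp)\s+([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)$")
WITTY_SRC_PORT = 4000  # source port the worm sends from, per the quoted advisory

Flow = NamedTuple("Flow", [("proto", str), ("src", str), ("sport", int),
                           ("dst", str), ("dport", int)])
def parse_flow(line: str) -> Optional[Flow]:
    """Parse one log line; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip().lower())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return Flow(proto, src, int(sport), dst, int(dport))

def parse_log(text: str) -> List[Flow]:
    return [f for f in map(parse_flow, text.splitlines()) if f is not None]

def is_witty_candidate(f: Flow) -> bool:
    """The advisory's rule: UDP from source port 4000, whatever the destination port."""
    return f.proto == "udp" and f.sport == WITTY_SRC_PORT

def witty_alerts(text: str) -> List[Flow]:
    """Flows to alert on and block, in either direction."""
    return [f for f in parse_log(text) if is_witty_candidate(f)]

def dport_only_alerts(text: str) -> List[Flow]:
    """A mistaken rule keyed on destination port 4000, kept only for comparison."""
    return [f for f in parse_log(text) if f.proto == "udp" and f.dport == WITTY_SRC_PORT]

def suspect_hosts(text: str) -> Counter:
    """Matching flows per source address: the hosts to disconnect and patch first."""
    return Counter(f.src for f in witty_alerts(text))

# Constructed sample log: three worm-style flows (random dport), then benign traffic.
SAMPLE_LOG = """\
udp 10.0.0.5:4000 -> 198.51.100.7:31337
udp 10.0.0.5:4000 -> 203.0.113.9:80
udp 192.0.2.44:4000 -> 10.0.0.12:5000
udp 10.0.0.8:53211 -> 10.0.0.1:53
tcp 10.0.0.9:4000 -> 10.0.0.1:443
"""

if __name__ == "__main__":
    for f in witty_alerts(SAMPLE_LOG):
        print(f"ALERT sport 4000/udp {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

Run as a script it prints the three matching flows; `dport_only_alerts(SAMPLE_LOG)` returns an empty list, which is the point of the advisory's note about the random destination port.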