Because I can't say it better myself, I'll quote Symantec:

"W32.Witty.Worm utilizes a Vulnerability in ICQ Parsing by ISS Products.
The worm sends itself out to multiple IP addresses on source port 4000/UDP
and a random destination port. The worm is a memory-only based threat and
does not create files on the system.

The worm has a payload of overwriting random sectors of a random hard


If you are running a product that has the vulnerability used by the worm,
we recommend that you apply the relevant patch as soon as possible.
Patches for this vulnerability are available at

Symantec Security Response recommends that administrators block inbound
and outbound traffic to their networks on source port 4000/UDP. Please
note that the destination port for traffic generated by the worm is
selected randomly." specifically says that BlackICE and RealSecure firewalls are
at risk.  Once a system with these firewalls is infected and the random
sectors are overwritten the only course of action is to reimage the
computer.  I have requested that Network Services block inbound and
outbound traffice on UDP port 4000, but please take precaution in the

There are no virus definitions to protect against this threat.  To remove:

1. Obtain the patch for the vulnerability from:
2. Disconnect the affected system from the network.
3. Reboot the system to remove the threat from memory.
4. Apply the patch.
5. Reconnect to the network.

Questions or problems regarding Witty should be directed to CIT Helpline
at [log in to unmask] or 6-2604.