Mainly interesting for people who use ISS products (e.g. BlackICE).
http://securityresponse.s.../data/w32.witty.worm.html
W32.Witty.Worm utilizes a Vulnerability in ICQ Parsing by ISS Products. The worm sends itself out to multiple IP addresses on source port 4000/UDP and a random destination port. The worm is a memory-only based threat and does not create files on the system.
NOTE: If your system is not running a vulnerable version of one of the products affected, then you will not be infected.
If you are running a product that has the vulnerability used by the worm, we recommend that you apply the relevant patch as soon as possible. Patches for this vulnerability are available at http://blackice.iss.net/update_center/index.php
Symantec Security Response recommends that administrators block inbound and outbound traffic to their networks on source port 4000/UDP. Please note that the destination port for traffic generated by the worm is selected randomly.
Type: Worm
Infection Length: 660 bytes, may vary
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Microsoft IIS, OS/2, UNIX, Windows 3.x
Wild:
Damage:
Ports: source port udp/4000
W32.Witty.Worm performs the following actions:
1. Sends itself to remote machines from source port 4000/UDP pretending to be a valid ICQ packet.
2. Exploits the ICQ Parsing by ISS Products vulnerability to gain unauthorized remote execution access to a machine via a buffer overflow. When doing so, the worm overwrites system memory and runs in the same security context as the ISS product being exploited.
3. Sends itself to 20,000 randomly generated IP addresses with random destination ports and a source port of 4000/UDP.
4. Reads from a random physical disk and begins to overwrite itself in memory.
5. Returns to step 3 until the process eventually crashes after being overwritten with random data.
NOTE: Because the worm resides in memory only and is not written to disk, virus definitions do not detect this threat. Symantec Security Response recommends that you follow the steps described below to deal with this threat.
1. Obtain the patch for the vulnerability from http://blackice.iss.net/update_center/index.php
2. Disconnect the affected system from the network.
3. Reboot the system to remove the threat from memory.
4. Apply the patch.
5. Reconnect to the network.
Affected Versions:
RealSecure® Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
RealSecure Server Sensor 6.5 for Windows SR 3.10 and before
Proventia™ A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE™ Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before
Made our network pretty slow in the US.
.Quod me nutrit me destruit.
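As an added example, not part of the original post or the Symantec advisory: a flow-level heuristic for the traffic pattern described above, a host sending UDP from source port 4000 to many distinct hosts on many distinct destination ports, which is what separates a Witty-infected ISS product from an ordinary ICQ session with a single peer. The flow records, the `Flow` layout and the thresholds are constructed assumptions to tune for the monitored network.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    ts: float       # seconds since epoch (assumed flow-export field names)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"


def find_witty_like_sources(flows: Iterable[Flow], window: float = 60.0,
                            min_dst_hosts: int = 50,
                            min_dst_ports: int = 50) -> Dict[str, dict]:
    """Return {src_ip: stats} for hosts whose UDP flows with source port 4000
    reach >= min_dst_hosts distinct hosts AND >= min_dst_ports distinct ports
    inside some `window`-second span. Thresholds are assumptions to tune."""
    per_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.src_port == 4000:   # the worm's fixed source port
            per_src[f.src_ip].append(f)
    hits: Dict[str, dict] = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r.ts)
        lo = 0
        for hi in range(len(recs)):
            while recs[hi].ts - recs[lo].ts > window:   # keep recs[lo:hi+1] inside window
                lo += 1
            span = recs[lo:hi + 1]
            hosts = {r.dst_ip for r in span}
            ports = {r.dst_port for r in span}
            if len(hosts) >= min_dst_hosts and len(ports) >= min_dst_ports:
                hits[src] = {"dst_hosts": len(hosts), "dst_ports": len(ports)}
                break   # report the first window that crosses both thresholds
    return hits


def constructed_flows() -> List[Flow]:
    """Constructed sample: one infected host fanning out, one host talking udp/4000 to a single peer."""
    flows = []
    for i in range(200):  # infected host: 200 packets in 10 s, new host and port every time
        flows.append(Flow(1000.0 + i * 0.05, "10.0.0.5", 4000,
                          f"203.0.113.{i % 250 + 1}", 1024 + i * 7, "udp"))
    for i in range(100):  # ordinary ICQ-style session: same peer, same port, over 5 minutes
        flows.append(Flow(1000.0 + i * 3.0, "10.0.0.9", 4000,
                          "203.0.113.10", 4000, "udp"))
    return flows
```

Blocking udp/4000 as the advisory recommends stops the spread; this heuristic is for finding the host that needs the reboot-and-patch steps above.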