UDP port 4000 traffic: likely a new worm

Looks like there may be a worm going around hitting systems that run
BlackIce. Common characteristics of the packets: Source port 4000 (but
random target port) and the string
"insert witty message here".

Details will be posted here:
as I get them together.

Confirmed. We had our first customer (colo) hit yesterday evening at
20:43 PST. Additionally, they experienced the hard drive corruption (which
was added to the ISC diary entry within the last several hours). Traffic
was 4000/udp. Initial 90 Mbit/s peak which leveled out at a constant
60 Mbit/s before we took them off-line.


* Johannes B. Ullrich <jullrich@sans.org> [20040320 00:44]:

The good news is that "witty" appears to not be a very witty propagator.
Our flow data shows attempts to connect to 4000/udp on hosts in our
network having a downward trend over the last few hours:

Time    Unique Source IPs
08:00   350
09:00   332
10:00   297
11:00   298
12:00   265

(all times PST)
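The two observations above, the packet signature (4000/udp source port, random destination port, the string "insert witty message here") and the hourly count of unique source IPs from flow data, can be reduced to a small triage script. The following is an added example, not code from anyone on this thread; the packet records are constructed sample data, and the field layout, function names and the 203.0.113.0/24 addresses are assumptions for illustration. Note that it requires the payload marker, not just the port: blocking or alerting on 4000/udp alone would also catch legitimate ICQ traffic, which is exactly the collateral-damage question raised later in the thread.

```python
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

# Signature reported in the thread: UDP, source port 4000, random
# destination port, payload containing "insert witty message here".
WITTY_SRC_PORT = 4000
WITTY_MARKER = b"insert witty message here"


class Packet(NamedTuple):
    ts: str          # "YYYY-MM-DD HH:MM:SS", local time
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


# Constructed sample records (NOT real captures); addresses are
# documentation ranges and the traffic shape mimics the thread's description.
SAMPLE_PACKETS = [
    Packet("2004-03-20 08:05:10", "udp", "203.0.113.7", 4000, "198.51.100.20", 51234,
           b"\x04\x00junk insert witty message here padding"),
    Packet("2004-03-20 08:30:42", "udp", "203.0.113.7", 4000, "198.51.100.21", 16009,
           b"\x04\x00junk insert witty message here padding"),
    Packet("2004-03-20 08:45:01", "udp", "203.0.113.9", 4000, "198.51.100.22", 60001,
           b"\x04\x00junk insert witty message here padding"),
    Packet("2004-03-20 09:10:55", "udp", "203.0.113.9", 4000, "198.51.100.23", 2049,
           b"\x04\x00junk insert witty message here padding"),
    # Legitimate-looking 4000/udp traffic (ICQ-style) with no marker: must NOT match.
    Packet("2004-03-20 09:20:00", "udp", "203.0.113.50", 4000, "198.51.100.24", 4000,
           b"icq keepalive"),
    # Same marker over TCP: not the worm's transport, must NOT match.
    Packet("2004-03-20 09:25:00", "tcp", "203.0.113.51", 4000, "198.51.100.25", 80,
           b"GET /?q=insert+witty+message+here"),
]


def is_witty_packet(proto: str, src_port: int, payload: bytes) -> bool:
    """True only when transport, source port and payload marker all agree.

    Matching on the port alone would also flag ordinary ICQ traffic.
    """
    return proto == "udp" and src_port == WITTY_SRC_PORT and WITTY_MARKER in payload


def flag_witty(packets) -> list:
    """Return the subset of packets matching the signature."""
    return [p for p in packets if is_witty_packet(p.proto, p.src_port, p.payload)]


def unique_sources_per_hour(packets) -> dict:
    """Rebuild the 'Time / Unique Source IPs' table from raw records.

    Each source IP is counted once per hour bucket, however many packets it sent.
    """
    buckets = defaultdict(set)
    for p in flag_witty(packets):
        hour = datetime.strptime(p.ts, "%Y-%m-%d %H:%M:%S").strftime("%H:00")
        buckets[hour].add(p.src_ip)
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}


def noisiest_sources(packets) -> list:
    """Rank infected sources by packet count, for deciding which host to cut off first."""
    counts = defaultdict(int)
    for p in flag_witty(packets):
        counts[p.src_ip] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("matched:", len(flag_witty(SAMPLE_PACKETS)))
    for hour, n in unique_sources_per_hour(SAMPLE_PACKETS).items():
        print(hour, n)
    print("noisiest:", noisiest_sources(SAMPLE_PACKETS))
```

On a real flow or pcap export you would replace SAMPLE_PACKETS with the parsed records; the hourly table is what lets you see whether the count of distinct infected sources is still falling, as the post above reports, or climbs again once more machines come back online.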


* Josh Richards <jrichard@digitalwest.net> [20040320 11:10]:

Has anyone figured out the collateral damage if 4000/udp were to be
blocked for a couple of days? Since the exploit is in the ICQ code of
ISS's products, does blocking 4000/udp block ICQ as well?


The number of immediately vulnerable hosts was rapidly depleted by the
worm, given the launch was AFTER most businesses had shut down for the
weekend. I'll venture that Black Ice, a commercial security product, is
deployed much more widely on the corporate laptop than the home machine.

I expect to see more than a slight bump in those numbers come Monday AM.


I can acknowledge that we also see the worm in Europe/Austria. Today we
had a customer with a Black Ice firewall flooding us with random
4000/udp traffic before we shut him down.

