The worm, which appeared overnight Friday, exploits a weakness in the widely used Black Ice security products, and is not detected by antivirus software, as it resides in memory. When an infected system is rebooted, Witty deletes a randomly chosen section of the hard drive, rendering some machines unusable.
The Internet Storm Center raised its incident alert level to yellow, and advised that vulnerable systems be taken off the network. "Disconnect systems running BlackIce as soon as possible," said the advisory at the ISC, run by the SANS Institute. Symantec also advised that network admins disconnect machines running Black Ice.
Infected hosts will send large amounts of UDP traffic, typically saturating a local network connection, according to SANS. The traffic originates from port 4000, with earlier reports of alternate source ports now being discounted.
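The traffic pattern SANS describes can be checked against flow records. The following is an added example, not code from SANS or the original article: it flags hosts sending a sustained burst of UDP datagrams from source port 4000. The record layout, window length, threshold and sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WITTY_SRC_PORT = 4000  # source port reported by SANS in the article
WINDOW_SECS = 10       # assumption: sliding window length in seconds
MIN_DATAGRAMS = 200    # assumption: datagrams per window treated as a flood


def find_flooding_hosts(records, window=WINDOW_SECS, threshold=MIN_DATAGRAMS):
    """Return {src_ip: peak datagrams seen in any window} for hosts over threshold.

    records: iterable of (ts, proto, src_ip, src_port, dst_ip, dst_port),
    sorted by timestamp (hypothetical flow-record layout).
    """
    recent = defaultdict(deque)  # per-source timestamps inside the window
    peak = defaultdict(int)
    for ts, proto, src, sport, _dst, _dport in records:
        if proto != "udp" or sport != WITTY_SRC_PORT:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:  # drop timestamps that left the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def constructed_sample():
    """Constructed flow records (not real captures) for three internal hosts."""
    recs = []
    for i in range(500):
        # 10.0.0.5: 500 datagrams in 5 s from port 4000 to many destinations
        recs.append((1000.0 + i * 0.01, "udp", "10.0.0.5", 4000,
                     f"198.51.100.{i % 250 + 1}", 20000 + i))
        # 10.0.0.53: equally busy UDP sender, but from source port 53
        recs.append((1000.0 + i * 0.01, "udp", "10.0.0.53", 53,
                     "10.0.0.20", 33000 + i))
    for i in range(10):
        # 10.0.0.9: occasional traffic from port 4000, one datagram per 30 s
        recs.append((1000.0 + i * 30, "udp", "10.0.0.9", 4000,
                     "203.0.113.7", 4000))
    return sorted(recs)


if __name__ == "__main__":
    for host, count in find_flooding_hosts(constructed_sample()).items():
        print(f"{host}: {count} UDP datagrams from port {WITTY_SRC_PORT} "
              f"within {WINDOW_SECS}s - isolate and inspect")
```

A host that only occasionally sends from port 4000 stays below the threshold, so the rate condition matters as much as the port.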
The worm only affects systems running Black Ice, an intrusion detection product from Internet Security Systems. It exploits a vulnerability in the parsing of the ICQ instant messaging protocol, detailed in an advisory from ISS on Thursday. Once Witty is active, the user will no longer be able to close Black Ice, instead receiving a message reading "Operation could not be completed. Access is denied".
"The size of the worm (909 bytes) suggests that it has been hand-written in assembly programming language," notes F-Secure. The malware's name alludes to a string in the program reading "insert witty message here."