Worth noting:
1. This corrupts the hard drive of the infected computer, usually meaning total data loss.
2. AV products may not warn of it because it isn't written to disk.
3. The ISC recommends that systems running BlackICE be removed from the Internet until the patch is installed.
4. A patch to prevent this has been available for over a week.
Witty Worm Remediation Information:
This information applies to customers currently using an impacted ISS product as detailed in X-Force Alert Article 167, which is referenced above. Consult this article to determine whether a system is currently infected.
For systems that are NOT infected with the Witty worm:
- Update your ISS software to the latest version. The latest version of every ISS product is not impacted by the Witty worm.
For systems that are infected with the Witty worm:
- Power off the infected machine immediately.
- Since the worm overwrites random sectors of the hard drive as it executes within memory, customers should recover any available hard drive data using a non-compromised operating system.
- Customers should reload a working system image from backup using normal restore procedures. If reinstalling the ISS software is necessary, customers should update to the latest version.
Further questions should be directed to ISS Technical Support.
ISS network customers have been protected from this potential threat for more than a week prior to the release of the worm, removing any threat before impact. The fix was delivered as a maintenance update before eEye publicly disclosed the vulnerability. Before any worm could be developed 'in the wild', ISS customers were protected automatically via a simple update that shielded the vulnerability from attack.