Type Internet worm
Date Discovered 2004.03.19
Place of Origin Europe
Source Language
Platform MS Windows
File Type(s) ICQ Packet
Infection Length 768-1,307 bytes
Reported Costs

Witty is a worm that exploited vulnerable BlackICE and RealSecure products (ironically, firewalls that are supposed to protect computers from threats such as crackers and worms) in 2004. It is similar to the CodeRed and Slammer worms in that it did not write any worm code to the hard drive, instead staying completely in memory.


Witty arrives on UDP source port 4000 posing as an ICQ packet. It exploits a buffer overflow vulnerability in the Protocol Analysis Module (PAM), a component of several firewall products (BlackICE and RealSecure) products from the Internet Security Systems that monitors application traffic.

The worm sends copies of itself to 20,000 random IP addresses. It then selects one of the first eight hard drives and overwrites 128 sectors (64 kilobytes) with data from memory. Anything on those sectors will be destroyed and beyond recovery. It repeats sending the copies of itself and then overwriting the sectors until the computer is rebooted or the worm overwrites something important that causes the computer to crash.


Witty's origin was traced to a European IP address. The first target was a US military base. The worm may have been an attack specifically targeting the US military. It was seeded with a botnet of about 100 machines. The time of its release was significant, as most exploit-based worms are released months after the vulnerability they exploit was known of. The PAM exploit was known of by March 8, while the worm was released only 11 days later.


Since the vulnerability was in products BlackICE and RealSecure by ISS, which does not have wide overseas connections, Witty did most of its damage in the US, although other countries were affected. In addition, the product it exploited was not as popular as the products that allowed worms like Slammer and CodeRed to spread. The number of vulnerable computers for Witty was around 12,000, while around 100,000 was the number of machines Slammer actually infected. However, it did infect just about every single machine it could.

After only a few days after its release, Witty disappeared. This worm was never the subject of any headlines outside of the technology-related press. It went mostly unnoticed, as it could only target a small number of users.

However, security researchers believed the worm was significant in one respect. It was a worm that was able to infect nearly all potential hosts, while carrying a destructive payload. Previously the rule had been that more destructive payloads mean less ability to spread, since a worm or virus cannot propagate from a dead host. This worm for the most part solves that problem by gradually eating away at the host, while spreading itself.


Colleen Shannon, David Moore. CAIDA, The Spread of the Witty Worm.

Eric Chien. Symantec, W32.Witty.Worm. 2004.03.20

Bruce Schneier, Computer World, The Witty worm: A new chapter in malware. 2004.06.12

IBM Internet Security Systems, BlackICE Witty Worm Propagation.

Abhishek Kumar, Vern Paxson, Nicholas Weaver, Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event.

Robert Lemos. The Register, Security Focus, Witty worm traced to 'Patient Zero'. 2005.05.25

Kelly Martin. SecurityFocus, Witty Extinction.

Robert McMillan. IDG News Service, A search is launched for Conficker's first victim. 2009.03.20

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License