Infected hosts will send large amounts of UDP traffic, typically saturating a local network connection, according to SANS. The traffic originates from port 4000, with earlier reports of alternate source ports now being discounted.
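One way a network defender can turn the indicator reported above (a host emitting a burst of UDP datagrams from source port 4000) into a check is sketched below. This is an added example, not code from the article, SANS or ISS; the packet-summary format, the addresses, the packet count and time-window thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample packet summaries (not real captures), one packet per line:
# "epoch proto src_ip:src_port -> dst_ip:dst_port length"
SAMPLE_PACKETS = """\
1079780000 UDP 10.0.0.5:4000 -> 203.0.113.7:21012 1000
1079780000 UDP 10.0.0.5:4000 -> 198.51.100.9:50002 1000
1079780000 UDP 10.0.0.5:4000 -> 192.0.2.44:1033 1000
1079780001 UDP 10.0.0.5:4000 -> 203.0.113.200:7 1000
1079780001 UDP 10.0.0.5:4000 -> 198.51.100.31:61000 1000
1079780001 UDP 10.0.0.5:4000 -> 192.0.2.9:14444 1000
1079780000 UDP 10.0.0.8:4000 -> 10.0.0.1:4000 120
1079780003 UDP 10.0.0.8:4000 -> 10.0.0.1:4000 120
1079780000 UDP 10.0.0.9:52311 -> 10.0.0.1:53 64
1079780002 TCP 10.0.0.9:4000 -> 192.0.2.10:80 1500
1079780002 UDP 10.0.0.9:53 -> 10.0.0.1:4000 80
"""

# Source port reported for the worm's traffic; only UDP with this *source*
# port counts (TCP from port 4000, or UDP *to* port 4000, is not the indicator).
WORM_SRC_PORT = 4000


def parse_packets(text):
    """Parse the constructed summary format into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, proto, src, _arrow, dst, length = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append({
            "ts": int(ts), "proto": proto,
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "length": int(length),
        })
    return records


def find_udp_flooders(records, min_packets=5, window_seconds=10):
    """Return {src_ip: (packets, bytes, distinct_destinations)} for every host
    that sent at least `min_packets` UDP datagrams from source port 4000 within
    some `window_seconds` span. Both thresholds are assumed example values;
    tune them to the baseline of the network being watched."""
    per_host = defaultdict(list)
    for r in records:
        if r["proto"] == "UDP" and r["src_port"] == WORM_SRC_PORT:
            per_host[r["src_ip"]].append(r)

    flagged = {}
    for ip, pkts in per_host.items():
        pkts.sort(key=lambda r: r["ts"])
        # Sliding window over timestamps: find the densest burst for this host.
        best, start = 0, 0
        for end in range(len(pkts)):
            while pkts[end]["ts"] - pkts[start]["ts"] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_packets:
            flagged[ip] = (
                len(pkts),
                sum(p["length"] for p in pkts),
                len({p["dst_ip"] for p in pkts}),
            )
    return flagged


if __name__ == "__main__":
    for ip, (n, total_bytes, dsts) in find_udp_flooders(parse_packets(SAMPLE_PACKETS)).items():
        print(f"{ip}: {n} UDP datagrams from port {WORM_SRC_PORT}, "
              f"{total_bytes} bytes, {dsts} distinct destinations")
```

With the constructed data, only 10.0.0.5 is flagged: 10.0.0.8 sends two datagrams from port 4000, which is below the threshold, and 10.0.0.9 never sends UDP from that source port. The distinct-destination count is reported alongside the volume so an analyst can tell a single noisy flow from a host spraying many destinations.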
The worm only affects systems running Black Ice, an intrusion detection product from Internet Security Systems. It exploits a vulnerability in ICQ instant messaging protocol parsing, detailed in an advisory from ISS on Thursday. Once Witty is active, the user will no longer be able to close Black Ice, instead receiving a message reading “Operation could not be completed. Access is denied”.
“The size of the worm (909 bytes) suggests that it has been hand-written in assembly programming language,” notes F-Secure. The malware’s name alludes to a string in the program reading “insert witty message here.”