There is a new worm that exploits a flaw in Black Ice. The worm
destroys data on infected computers. Symantec calls the worm Witty.
The worm attacks via UDP. There seems to be a little confusion
among the reports as to what ports are used. The vendor, ISS, says
the source port is 4000 and the destination port is random.
It is memory resident and most antivirus products won't catch it.
Here's Symantec's report:
The vendor, has released a software update. The vendor says "The worm
is very serious in nature, with potential destructive properties."
A detailed ISS alert is at:
Also, if you go to this page:
Click on Knowedgebase and you'll see recent articles about the
exploit and the Witty worm.
Some reports suggest unplugging the network connection for any
computer that runs Black Ice until it can be ugpraded. Anyone
running Black Ice on Windows desktops or servers will want to take
We've posted a Bulletin at help.msu.edu/status which we'll update
as we learn more.