> It appears that Witty is quite good at trying to infect, but not > very good at actually infecting targeted computers. Doug Nelson > identified about 20 computers at MSU that show signs of infection. > Doug estimates that those computers probably hit every IP at MSU > at least once. > > Help desk staff are contacting the owners. (Those users who > do find their computers infected may find that they are not > bootable, since Witty trashes some sectors on the hard drive.) > > Witty traffic originates from a source port of UDP 9000. Such > traffic coming into MSU on that port is now being blocked. > This may affect some ICQ users. > > Nonetheless, anyone running Black Ice who has not upgraded > should unplug their network connection or turn off their computer > until they are ready to upgrade. A couple corrections. First, it's a source port of 4000, not 9000. Second, I don't know whether the locally-infected computers scanned other computers at MSU, and if so, at what rate. What I did note is that many external computers were scanning MSU's IP range, and on average any given IP address at MSU was likely to have been targeted every few hours since sometime on Saturday, and before we blocked port 4000 at 9:30 am today. Doug Doug Nelson, Network Manager | [log in to unmask] Academic Computing and Network Services | Ph: (517) 353-2980 Michigan State University | http://www.msu.edu/~nelson/