TCPDUMP/PCAP signature for W32.Witty worm

Stephen Bernard sbernard at
Mon Mar 22 20:10:35 GMT 2004

I realize it's a bit late but, this is a libpcap/TCPDUMP style filter 
for finding hosts infected with the W32.Witty worm that affects ISS 
BlackICE and Realsecure IDS systems.

In particular, this looks for UDP packets with a source port of 4000 and 
a destination port > 1024 that contain the string "insert.witty" 
starting at byte 131 of the data portion of the datagram. I don't bother 
looking for the whole "" string because what 
I've got works with less processing. This example does not filter the 
source or destination network.

(udp) && (udp[0:2] == 0xfa0) && (udp[2:2] > 0x401) && (udp[131:4] == 
0x696e7365) && (udp[135:4] == 0x72742e77) && (udp[139:4] == 0x69747479)

Hope it helps.


Steve Bernard
Sr. Systems Engineer, NET
George Mason University

More information about the unisog mailing list