Has anyone done a dissassembly of the "Witty" worm yet? http://isc.incidents.org/diary.html?date=2004-03-20 http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html using the http://seclists.org/lists/bugtraq/2004/Mar/0181.html recent bug in BlackICE/RealSecure? We are seeing a lot of activity from this worm, although even a small infection would generate a LOT of traffic (a side-effect of bandwidth-limited worms, such as single-packet UDP worms). Thanks. -- Nicholas C. Weaver nweaver@cs.berkeley.edu
