Email-Worm.Win32.Fizzer
Email-Worm.Win32.Fizzer (Kaspersky Lab)
is also known as:
I-Worm.Fizzer (Kaspersky Lab),
W32/Fizzer.gen@MM (McAfee), W32.HLLW.Fizzer@mm (Symantec), Win32.HLLM.Fizzer (Doctor Web), W32/Fizzer-A (Sophos), Win32/Fizzer.A (RAV), WORM_FIZZER.A (Trend Micro), Worm/Fizzu.A.2.E (H+BEDV), W32/Fizzer.A@mm (FRISK), I-Worm/Fizzer.A (Grisoft), Win32.Fizzer.A@mm (SOFTWIN), Worm.Fizzer.A (ClamAV), W32/Fizzer (Panda), Win32/Fizzer.A (Eset)
Fizzer is an Internet worm that spreads via e-mail messages and KaZaa shared
directories. It also contains "backdoor" remote access features.
Installation
When the worm is launched, it creates the following files in the Windows
directory:
iservc.exe (copy of the worm)
initbak.dat (copy of the worm)
ProgOp.exe (worm's component)
iservc.dll (keylogger library used by the worm)
iservc.klg (contains logged keystroke data)
The worm also writes a registry key to start itself automatically when Windows
starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SystemInit=(Windows directory path)\iservc.exe
Under Windows NT/2000/XP the worm also contains code to register itself as a
system service, but its author has left this feature disabled, so it is not used.
It also registers itself as the default handler for files with the ".TXT"
extension, so the worm is executed whenever such a file is opened.
Replication: KaZaa
The worm copies itself to the KaZaa download directory with random
filenames.
Replication: E-mail
The worm uses its own SMTP engine to send out its copies. The destination
e-mail addresses are randomly generated or extracted from the Outlook and
Windows address books.
Infected messages use subjects, bodies and attachment names chosen from
several large string lists built into the worm. For example:
Subject: Re: ;(
Attachment: desktop.exe
Body: you must not show this to anyone...
Subject: Re: I think you might find this amusing...
Attachment: Logan6.exe
Body: Let me know what you think of this...
Subject: Fwd: why?
Attachment: Taylor83.com
Body: Today is a good day to die...
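The messages above share one feature a mail gateway can act on without knowing the worm's string lists: an executable attachment (.exe or .com here). The following check is an added example, not part of Kaspersky's description or the worm; the sample message is constructed from the "Fwd: why?" triple above (not a captured sample), and the extensions beyond .exe and .com in the set are an assumption about what a gateway should also block.

```python
import email
import posixpath
from email import policy

# Extensions seen in this description are .exe and .com; the others are an
# assumed, conventional set of Windows executable types a gateway would block.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}

# Constructed message modelled on the "Fwd: why?" example above; the base64
# payload is filler, not a real attachment.
SAMPLE_MESSAGE = b"""\
From: someone@example.invalid
To: victim@example.invalid
Subject: Fwd: why?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Today is a good day to die...

--XYZ
Content-Type: application/octet-stream; name="Taylor83.com"
Content-Disposition: attachment; filename="Taylor83.com"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""


def executable_attachments(raw):
    """Return the filenames of attachments whose extension is executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        # Only the last extension counts, so "readme.txt.exe" is still .exe.
        ext = posixpath.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits


def should_quarantine(raw):
    """Gateway decision: hold any message carrying an executable attachment."""
    return bool(executable_attachments(raw))


if __name__ == "__main__":
    print("quarantine:", should_quarantine(SAMPLE_MESSAGE),
          executable_attachments(SAMPLE_MESSAGE))
```

The check deliberately ignores the subject and body: those are drawn from large lists and change from message to message, while the attachment type does not.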
Backdoor routine: IRC
The worm contains a list of IRC channels it tries to join in order to receive
remote access commands from an attacker.
Backdoor routine: Other
The worm also starts HTTP and telnet-like servers bound to pre-configured
ports, giving an attacker remote access to the computer.
Other
The worm captures all keystrokes and writes them to the file named
"iservc.klg" in the Windows directory.
It also tries to download and install an updated version of itself from a
GeoCities user page.
The worm tries to terminate any process whose name contains one of the
following strings:
ANTIV
AVP
F-PROT
NAV
NMAIN
SCAN
TASKM
VIRUS
VSHW
VSS
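The persistence entries listed under "Installation" and the kill list above are the host-side indicators an incident responder would check first. The script below is an added example, not code from Kaspersky's description or from the worm: it parses a .reg export for the Run value and the .TXT handler, and applies the kill-list substrings to a process listing. Assumptions: the .TXT handler lives under the standard txtfile ProgID (the page names only the extension), the substring match is case-insensitive, and all registry and process data is constructed for the example.

```python
# Added triage example; not Kaspersky's code or the worm's.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Assumption: the .TXT handler is the standard "txtfile" ProgID open command.
TXT_HANDLER_KEY = r"hkey_classes_root\txtfile\shell\open\command"
WORM_FILES = {"iservc.exe", "initbak.dat", "progop.exe", "iservc.dll", "iservc.klg"}
KILL_SUBSTRINGS = ["ANTIV", "AVP", "F-PROT", "NAV", "NMAIN", "SCAN",
                   "TASKM", "VIRUS", "VSHW", "VSS"]

# Constructed .reg export: the Run value is the one the description gives;
# the txtfile command value is an assumed shape, not a captured one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\WINDOWS\\iservc.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\iservc.exe %1"
"""

# Constructed process listing.
SAMPLE_PROCESSES = ["explorer.exe", "taskmgr.exe", "navapw32.exe",
                    "avpcc.exe", "f-prot.exe", "winword.exe", "iservc.exe"]


def parse_reg_export(text):
    """Minimal .reg parser: {key path (lower-cased): {value name: string data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg string data escapes backslashes and double quotes
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def command_image(command):
    """Lower-cased file name of the program a shell command line launches."""
    command = command.strip()
    if command.startswith('"'):
        image = command[1:].split('"', 1)[0]
    else:
        image = command.split()[0] if command else ""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def registry_findings(reg_text):
    """Findings for the Run persistence value and the replaced .TXT handler."""
    keys = parse_reg_export(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name == "SystemInit" or command_image(data) in WORM_FILES:
            findings.append(f"Run value {name!r} launches {data}")
    handler = keys.get(TXT_HANDLER_KEY, {}).get("@")
    if handler is not None and command_image(handler) != "notepad.exe":
        findings.append(f".txt open handler replaced: {handler}")
    return findings


def processes_targeted(process_names):
    """Map each process name to the kill-list substrings it contains.
    The match is assumed to be case-insensitive (the list is upper-case)."""
    targeted = {}
    for name in process_names:
        hits = [s for s in KILL_SUBSTRINGS if s in name.upper()]
        if hits:
            targeted[name] = hits
    return targeted


if __name__ == "__main__":
    for finding in registry_findings(SAMPLE_REG):
        print("REGISTRY:", finding)
    for proc, hits in processes_targeted(SAMPLE_PROCESSES).items():
        print("KILLED:", proc, "matches", ", ".join(hits))
```

Note that the "TASKM" entry matches taskmgr.exe, so on an infected machine Task Manager is killed as soon as it starts; a responder should expect to use a differently named process viewer or boot from clean media.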
Most settings, such as registry key names, IRC and SMTP server names, port
numbers and action sequences, are pre-configured in a data file that is
stored encrypted in the resources of the worm's EXE file.