May 12, 2003
A very clever mass-mailing worm is spreading rapidly across the Internet.
By Robert Vamosi
Fizzer (w32.fizzer@mm) has many different components, each timed to trigger different processes, making it quite difficult to contain.
The worm spreads via e-mail and includes its own SMTP engine to bypass any security your e-mail client may have. Fizzer also spreads via Kazaa, a popular file-sharing application.
The worm is self-updating, connecting to a GeoCities account for the latest update, and it also establishes its own accounts on Internet Relay Chat (IRC) and AOL Instant Messenger, in order to await further instructions from the virus author.
Fizzer attempts to disable any antivirus program running at the time of infection. Systems infected with Fizzer could be used in distributed denial-of-service (DDoS) attacks on other computers.
Fizzer includes a keystroke-logging Trojan horse, which can be used to steal passwords and credit card information.
Because Fizzer spreads via e-mail and Kazaa, contains a keystroke-logging Trojan horse, and could be used in a DDoS attack, this worm rates a 7 on the ZDNet Virus Meter.
How it works
Fizzer arrives as e-mail with several possible subject lines and body texts. The From: address can be forged and therefore should not be trusted. Fizzer's attached file has one of the following extensions: .com, .exe, .pif, or .scr.
If a user opens the attached file or otherwise activates the worm, three files are added to the Windows directory:
initbak.dat, which is a copy of the worm
iservc.exe, which is a copy of the worm
iservc.dll, which contains the keystroke logging Trojan
According to McAfee, Fizzer modifies the system Registry in the following ways:
Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Run "SystemInit" = C:\Windows\iservc.exe
Hkey_classes_root\txtfile\shell\open\command "(Default)" = C:\Windows\progop.exe 0 7 'C:\Windows\Notepad.exe %1' 'C:\Windows\initbak.dat' 'C:\Windows\iservc.exe'
On Windows NT, 2000, and XP systems, Fizzer also creates a service named S1Trace.
This worm listens for external Internet traffic in various ways.
Signs of infection include unexpected traffic on port 6667 (IRC) and 5190 (AIM).
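The indicators listed above (dropped files, the two Registry changes, the S1Trace service, and traffic on ports 6667 and 5190) can be checked mechanically. The following is an added example, not code from the article or from any antivirus vendor: it runs the checks against a constructed host snapshot, and it assumes that the real file listing, Registry values, service names and connection table have been collected from the Windows host separately in that shape.

```python
import re

# Constructed snapshot of a host showing every indicator at once (not a real capture).
SNAPSHOT = {
    "windows_dir_files": ["explorer.exe", "initbak.dat", "iservc.exe", "iservc.dll", "notepad.exe"],
    "registry": {
        r"hkey_local_machine\software\microsoft\windows\currentversion\run\systeminit":
            r"C:\Windows\iservc.exe",
        r"hkey_classes_root\txtfile\shell\open\command\(default)":
            r"C:\Windows\progop.exe 0 7 'C:\Windows\Notepad.exe %1' 'C:\Windows\initbak.dat' 'C:\Windows\iservc.exe'",
    },
    "services": ["eventlog", "s1trace"],
    "connections": [("10.0.0.5", 6667), ("10.0.0.9", 443), ("10.0.0.12", 5190)],
}

FIZZER_FILES = {"initbak.dat", "iservc.exe", "iservc.dll"}   # copies of the worm and the keylogger DLL
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run\systeminit"
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command\(default)"
SUSPECT_PORTS = {6667: "IRC", 5190: "AIM"}

def check_fizzer(snapshot):
    """Return a list of findings for the indicators the advisory lists; empty means none matched."""
    findings = []
    present = FIZZER_FILES & {f.lower() for f in snapshot.get("windows_dir_files", [])}
    for name in sorted(present):
        findings.append(f"dropped file present in Windows directory: {name}")
    reg = {k.lower(): v for k, v in snapshot.get("registry", {}).items()}
    run_value = reg.get(RUN_KEY, "")
    if run_value.lower().endswith("iservc.exe"):
        findings.append(f"Run key 'SystemInit' starts the worm at logon: {run_value}")
    # The .txt handler is hijacked so that opening a text file relaunches the worm via progop.exe.
    if re.search(r"progop\.exe.*(initbak\.dat|iservc\.exe)", reg.get(TXT_KEY, ""), re.IGNORECASE):
        findings.append("txtfile open command hijacked to relaunch the worm")
    if "s1trace" in {s.lower() for s in snapshot.get("services", [])}:
        findings.append("service S1Trace present (NT/2000/XP persistence)")
    # IRC and AIM traffic is only a sign, not proof: confirm the host is not a legitimate client.
    for host, port in snapshot.get("connections", []):
        if port in SUSPECT_PORTS:
            findings.append(f"connection to {host}:{port} ({SUSPECT_PORTS[port]}) - verify it is expected")
    return findings

if __name__ == "__main__":
    for line in check_fizzer(SNAPSHOT):
        print(line)
```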
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, MessageLabs, Sophos, Symantec, or Trend Micro.