I-Worm.Fizzer
This is an Internet worm that spreads via e-mail messages and KaZaa
shared directories. It also contains "backdoor" remote access features.
Installation
When the worm is launched, it creates the following files in the Windows directory:
iservc.exe (copy of the worm) initbak.dat (copy of the worm) ProgOp.exe (worm's component) iservc.dll (keylogger library used by the worm) iservc.klg (contains logged keystroke data)
The worm also writes a registry key to start automatically when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run SystemInit=(Windows directory path)\iservc.exe
Under Windows NT/2000/XP the worm is able to create a system service, but this ability is disabled by its author.
It also registers as a default handler for files with ".TXT" extension,
so it gets executed when such a file is opened.
Replication: KaZaa
The worm copies itself to the KaZaa download directory with random filenames.
Replication: E-mail
The worm uses its own SMTP engine to send its copies. The destination
e-mail addresses are randomly generated or extracted from the Outlook and
Windows address books.
Infected messages have various selected subjects, bodies, and attachment
names. They are generated from several large string lists. For example:
Subject: Re: ;( Attachment: desktop.exe Body: you must not show this to anyone... Subject: Re: I think you might find this amusing... Attachment: Logan6.exe Body: Let me know what you think of this... Subject: Fwd: why? Attachment: Taylor83.com Body: Today is a good day to die...
Backdoor routine: IRC
The worm contains a list of IRC channels it tries to connect to and to receive remote access commands from an attacker.
Backdoor routine: Other
The worm starts HTTP and telnet-like servers and binds them to pre-configured ports to provide remote access to the computer.
Other
The worm captures all keystrokes and writes them to the file named "iservc.klg" in the Windows directory. It also tries to download and install its updated version from a geocities user page. The worm tries to terminate processes that contain the following strings in their name:
ANTIV AVP F-PROT NAV NMAIN SCAN TASKM VIRUS VSHW VSS
Most options, like registry key names, IRC and SMTP server names,
port numbers and action sequences are pre-configured in a special data
file that is encrypted and stored in the worm EXE file's resources.
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
SEE PREVIOUS VIRUS ALERT
RETURN TO VIRUS ALERT MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
120503/100904
