Summary

| Protection available since | 28 September 2003 09:46:40 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Fizzer-A.
More Information
W32/Fizzer-A is a worm with IRC backdoor Trojan functionality.
The worm spreads by file sharing on KaZaA shared networks and by emailing itself to contacts in the Microsoft Outlook and Windows address books and also to random email addresses at the following domains:
msn.com
hotmail.com
yahoo.com
aol.com
earthlink.net
gte.net
juno.com
netzero.com
The email subject line, message text and attachment name are randomly constructed using long lists of strings.
The worm may spoof the From: field of emails, replacing the sender's address with a randomly chosen name.
Example message text strings are:
"So how are you?"
"Check it out"
"There is only one good, knowledge, and on evil, ignorance"
"I sent this program (sparky) from anonymous places on the net"
"you must not show this to anyone"
"Today is a good day to die"
"thought I'd let you know"
"The way to gain a good reputation is to endeavor to be what you desire ..."
"Filth is a death"
"wie geht es Ihnen?"
"Philosophy imputes, reinterprets faith"
"If you don't like it, just delete it"
"delete this as soon as you lokk at it"
"Did you ever stop to think that viruses are good for the economy? ..."
"the incredibly bright faith"
"you don't have to if you don't want to"
"I wonder what can be so bad ..."
"Watchin' the game, having a bud."
"the attachment is only for you to look at"
"Let me know what you think of this..."
Attachment names have an extension of EXE, COM, PIF or SCR and may be combined with INI to give a double extension of INI.EXE, INI.COM, INI.PIF or INI.SCR.
When run, W32/Fizzer-A drops the following files to the Windows folder:
initbak.dat
iservc.dll
iservc.exe
ProgOp.exe
and creates the registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemInit = %WINDOWS%\iservc.exe
HKCR\txtfile\shell\open\command = %WINDOWS%\ProgOp.exe 0 7 '
so that iservc.exe is run automatically each time the computer is restarted and ProgOp.exe is run whenever a file with an extension of TXT is opened. ProgOp.exe launches iservc.exe and then the default text editor.
The following files may also be created in the Windows folder:
Uninstall.pky
iservc.klg
data1-2.cab
upd.bin
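The persistence entries and dropped files listed above are the host-based indicators a responder would check for. The following Python script is an added example, not Sophos code: it parses a constructed `reg query`-style snapshot (assumed format, not a real capture) for the SystemInit Run value and the hijacked txtfile handler, and matches a Windows-folder listing against the dropped-file names.

```python
import re

# File names the description says W32/Fizzer-A drops into the Windows folder.
DROPPED_FILES = {"initbak.dat", "iservc.dll", "iservc.exe", "progop.exe",
                 "uninstall.pky", "iservc.klg", "data1-2.cab", "upd.bin"}

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command"

# Constructed sample in the layout `reg query` prints; not a capture from a real host.
SAMPLE_REG_EXPORT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemInit    REG_SZ    C:\WINDOWS\iservc.exe
    Ctfmon        REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_CLASSES_ROOT\txtfile\shell\open\command
    (Default)    REG_EXPAND_SZ    C:\WINDOWS\ProgOp.exe 0 7 '
"""

# Constructed directory listing of %WINDOWS% for the demonstration.
SAMPLE_WINDOWS_DIR = ["explorer.exe", "notepad.exe", "iservc.exe", "Upd.bin"]

def parse_reg_query(text):
    """Return {(key, value_name): data}; keys and value names are lower-cased."""
    entries, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = registry key path
            key = line.strip().lower()
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name, type, data
        if len(parts) == 3 and key:
            entries[(key, parts[0].lower())] = parts[2]
    return entries

def fizzer_registry_findings(entries):
    """Flag the two persistence entries described for W32/Fizzer-A."""
    findings = []
    run = entries.get((RUN_KEY, "systeminit"), "")
    if run.lower().endswith("iservc.exe"):
        findings.append("Run\\SystemInit launches iservc.exe")
    txt = entries.get((TXT_KEY, "(default)"), "")
    if "progop.exe" in txt.lower():
        findings.append("txtfile open handler points at ProgOp.exe")
    return findings

def fizzer_file_findings(windows_dir_listing):
    """Return dropped-file names present in the Windows folder, case-insensitively."""
    return sorted(n for n in windows_dir_listing if n.lower() in DROPPED_FILES)

if __name__ == "__main__":
    for hit in fizzer_registry_findings(parse_reg_query(SAMPLE_REG_EXPORT)):
        print("registry:", hit)
    for hit in fizzer_file_findings(SAMPLE_WINDOWS_DIR):
        print("file:", hit)
```

On a live host the same checks would be fed the output of `reg query` on the two keys and a listing of the Windows folder instead of the constructed samples.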
iservc.exe connects to a remote IRC server, joins a specific channel and then runs continuously in the background listening for commands being sent to the channel.
A remote intruder will then be able to gain access and control over the computer using a regular IRC client.
The remote intruder will be able to carry out a variety of actions, including a Denial-of-Service flooder attack.
iservc.dll is a keylogger component which may be used to log user keystrokes to the log file iservc.klg.
W32/Fizzer-A provides similar access and control via AOL Instant Messenger channels by logging onto a remote AOL chat server using a random username.
The worm attempts to spread via file sharing on P2P networks by copying itself to the KaZaA shared folder.
W32/Fizzer-A attempts to terminate processes whose names contain any of the following strings:
NAV
SCAN
AVP
TASKM
VIRUS
F-PROT
VSHW
ANTIV
VSS
NMAIN
