W32/Fizzer@MM

Type: Virus
SubType: E-mail
Discovery Date: 05/08/2003
Length: Varies
Minimum DAT: 4263 (05/12/2003)
Updated DAT: 4263 (05/12/2003)
Minimum Engine: 5.1.00
Description Added: 05/08/2003
Description Modified: 05/16/2003 10:06 AM (PT)
Risk Assessment
  Corporate User: Medium
  Home User: Medium

Characteristics

-- Update May 14, 2003 --
The risk assessment was lowered to Medium due to a decline in prevalence over the past 24 hours.

The minimum engine for detection of this threat is the 4.1.60 engine; however, removal requires the 4.2.40 engine. AVERT recommends that ALL users (Enterprise and Consumer) update to the 4.2.40 engine immediately to stay protected from this threat.

This mass-mailing worm has many components and an internal timer to trigger different processes at different times. These include:

  1. Gathering addresses from different places on the victim machine, for use in its mass-mailing routine
    • Outlook Contacts list
    • Windows Address Book (WAB)
    • Addresses found on the local system
    • Randomly manufactured addresses
  2. IRC bot (Internet Relay Chat)
  3. AIM bot (AOL Instant Messenger)
  4. Keylogger
  5. KaZaa worm
  6. HTTP server
  7. Remote access server
  8. Self-updating mechanism
  9. Anti-virus software termination
The worm contains its own SMTP engine and uses the default SMTP server as specified in the Internet Account Manager registry settings. It can also use any one of several hundred different external SMTP servers.

The worm arrives as an email attachment in various messages. The From address may be forged (spoofed) using an address harvested from the victim machine, so the apparent sender is not the actual sender. Message body and subject lines vary, as do attachment names. Attachments use standard executable extensions (.com, .exe, .pif, .scr). Examples:

    Subject: why?
    Body: The peace
    Attachment: desktop.scr
    Subject: Re: You might not appreciate this...
    Body: lautlach
    Attachment: service.scr
    Subject: Re: how are you?
    Body: I sent this program (Sparky) from anonymous places on the net
    Attachment: Jesse20.exe
    Subject: Fwd: Mariss995
    Body: There is only one good, knowledge, and one evil, ignorance.
    Attachment: Mariss995.exe
    Subject: Re: The way I feel - Remy Shand
    Body: Nein
    Attachment: Jordan6.pif
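A gateway-side check for the kind of message described above. This is an added example, not code from the original description or from AVERT: it builds a message shaped like the first sample (a constructed, harmless payload standing in for the worm), then flags executable attachments by extension and, going one step beyond the page, by the MZ header, so an executable renamed to a harmless extension is still caught. The From header is deliberately not consulted, since the description notes it can be spoofed.

```python
"""Flag executable attachments of the sort W32/Fizzer@MM sends.

Added example. The sample messages are constructed here; the payload is a
fake MZ header, not worm code.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the description lists for the worm's attachments.
EXEC_EXTENSIONS = {".com", ".exe", ".pif", ".scr"}


def build_sample(subject, body, filename, payload):
    """Construct a lure resembling the page's examples. The From address is an
    arbitrary harvested-looking address; it proves nothing about the sender."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def flagged_attachments(raw):
    """Return [(filename, reasons)] for attachments that look executable."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Windows ignores trailing dots/spaces in a filename, so strip them
        # before taking the last extension.
        ext = "." + name.rstrip(". ").rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXEC_EXTENSIONS:
            reasons.append(f"extension {ext}")
        if data[:2] == b"MZ":  # PE/DOS executable header, regardless of name
            reasons.append("MZ header")
        if reasons:
            flagged.append((name, ", ".join(reasons)))
    return flagged


if __name__ == "__main__":
    lure = build_sample("why?", "The peace", "desktop.scr", b"MZ\x90\x00" + b"\x00" * 60)
    print(flagged_attachments(lure))
```

The extension list is the one the page gives; in a real gateway it should be the organisation's full block list. The MZ check is what makes the filter robust against the renaming trick, since the worm already picks names from existing files on the sender's machine.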
When the attachment is run, the worm first looks for an UNINSTALL.PKY file in the WINDOWS folder. If this file exists, it terminates and does not infect the machine. Otherwise it extracts several files to the WINDOWS (%WinDir%) directory:
  • initbak.dat - A copy of the worm
  • iservc.exe - A copy of the worm
  • ProgOp.exe (15,360 bytes) - Process handling
  • iservc.dll (7,680 bytes) - Handles timing and windows hooking/keylogging
The worm creates a registry run key to load itself at system startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "SystemInit" = C:\WINDOWS\ISERVC.EXE
It also hijacks the file association for .TXT files, so that opening any .TXT file runs the worm (the command passes the normal Notepad invocation along with the worm's own copies to ProgOp.exe):
  • HKEY_CLASSES_ROOT\txtfile\shell\open\command
    "(Default)" = C:\WINDOWS\ProgOp.exe 0 7 'C:\WINDOWS\NOTEPAD.EXE %1'
    'C:\WINDOWS\initbak.dat' 'C:\WINDOWS\ISERVC.EXE'
It creates a new CLASSES ROOT key with a similar association:
  • HKEY_CLASSES_ROOT\Applications\ProgOp.exe
On WinNT/2K/XP systems the worm creates a service named S1TRACE.

Mailing routine
After several minutes, the worm uses its own SMTP engine to send itself to all addresses in the Outlook Contacts list. It also sends itself to randomly manufactured addresses, built from three parts:

    Part 1
  • Random name (from internal list)
    Part 2
  • Random number (optional)
    Part 3
  • @Random domain (from internal list)
    • aol.com
    • earthlink.com
    • gte.net
    • hotmail.com
    • juno.com
    • msn.com
    • netzero.com
    • yahoo.com
The subject and message body are constructed from a large list of English and German words and phrases carried within the worm body. The attachment name is likewise constructed from a list of names followed by a number and one of .com, .exe, .pif, or .scr. Alternatively, the filename may be copied from a valid file on the infected sender's machine with the extension replaced (e.g. desktop.ini -> desktop.scr).

IRC Bot
The worm pings many different IRC servers. When it receives a reply, it connects to a channel on that server using many different internal usernames, and waits for further instructions from an attacker. The list of IRC servers includes:

  • irc2p2pchat.net
  • irc.idigital-web.com
  • irc.cyberchat.org
  • irc.othernet.org
  • irc.beyondirc.net
  • irc.chatx.net
  • irc.cyberarmy.com
  • irc.gameslink.net
AOL Bot
The worm connects to an AIM site to register a new, randomly named, user (in a similar fashion to the AIM-Canbot trojan). It then connects to an AIM chat server on port 5190, joins a chat session, and listens for further instructions.

Self-updating
The worm connects to a geocities user page to download updates. However, at the time of this writing that user site did not exist.

Keylogger
The worm captures typed keystrokes and stores them in an encrypted file named iservc.klg within the Windows directory.

KaZaa worm
The worm retrieves the default download directory for KaZaa from the registry and copies itself to that location using random filenames.

HTTP server
The worm runs an HTTP server on port 81. The web server acts as a command console, displaying information about the infected system (system time, connection information, OS version, IRC and AIM information). It also allows an attacker to kick off certain functions, such as a Denial of Service attack, mail propagation, AOL/IRC bot commands, and anti-virus software termination.

Remote access server
The worm creates a remote access server by listening on ports 2018, 2019, 2020, and 2021.

Anti-virus software termination
The worm attempts to terminate processes that contain the following phrases in their names:

  • ANTIV
  • AVP
  • F-PROT
  • NMAIN
  • SCAN
  • TASKM
  • VIRUS
  • VSHW
  • VSS

Symptoms

- Unexpected outbound traffic to port 6667 (IRC) or 5190 (AIM)
- Unexpected listening ports 81 (HTTP command console) and 2018-2021 (remote access)
- Presence of the aforementioned filenames, registry keys and the S1TRACE service
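The artifacts listed in the Characteristics and Symptoms sections (dropped files, the SystemInit Run value, the .TXT handler hijack, the ProgOp.exe application key, the S1TRACE service, the listening and outbound ports) collected into one triage routine. This is an added example, not code from the original description or from AVERT. It works on captured text (a `reg export` of the relevant keys, `netstat -ano` output, a %WinDir% listing and the service list) rather than the live registry, so it runs offline on any OS; the SAMPLE_* captures are constructed to resemble an infected host.

```python
"""Triage a host against the W32/Fizzer@MM artifacts described above.

Added example. Input is captured text, so it runs offline; the SAMPLE_*
captures are constructed, not taken from a real infection.
"""

# Indicators from the description; all comparisons are case-insensitive.
WORM_FILES = {"initbak.dat", "iservc.exe", "progop.exe", "iservc.dll", "iservc.klg"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_HANDLER_KEY = r"hkey_classes_root\txtfile\shell\open\command"
PROGOP_KEY = r"hkey_classes_root\applications\progop.exe"
SERVICE_NAME = "s1trace"
LISTEN_PORTS = {81: "HTTP console", 2018: "remote access", 2019: "remote access",
                2020: "remote access", 2021: "remote access"}
REMOTE_PORTS = {6667: "IRC bot", 5190: "AIM bot"}


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}} (keys/names lowercased).
    Only REG_SZ lines are handled; the .reg doubling of backslashes is undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line and line.endswith('"'):
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"').lower()
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def parse_netstat(text):
    """Yield (local_port, remote_port, state, pid) for TCP rows of netstat -ano."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            yield (int(parts[1].rsplit(":", 1)[1]), int(parts[2].rsplit(":", 1)[1]),
                   parts[3], parts[4])


def triage(reg_text, netstat_text, windir_files, services):
    """Return sorted indicator hits. An empty list means none of the page's
    artifacts were seen, which is not proof of a clean host."""
    hits = []
    reg = parse_reg_export(reg_text)

    # Persistence: Run value loading ISERVC.EXE, and the S1TRACE service.
    for name, data in reg.get(RUN_KEY, {}).items():
        if name == "systeminit" or "iservc.exe" in data.lower():
            hits.append(f"run value {name!r} -> {data}")
    if SERVICE_NAME in {s.lower() for s in services}:
        hits.append("service S1TRACE present")

    # File-association hijack: the .txt handler should start with NOTEPAD.EXE;
    # any other first token (here ProgOp.exe) means text files launch something else.
    handler = reg.get(TXT_HANDLER_KEY, {}).get("(default)", "")
    head = handler.split()[0].strip('"').lower() if handler else ""
    if handler and not head.endswith("notepad.exe"):
        hits.append(f"txtfile handler hijacked: {handler}")
    if PROGOP_KEY in reg:
        hits.append("HKCR\\Applications\\ProgOp.exe key present")

    # Dropped files in %WinDir%.
    for f in sorted(windir_files):
        if f.lower() in WORM_FILES:
            hits.append(f"file {f} in %WinDir%")

    # Network: command-console / remote-access listeners, outbound IRC and AIM.
    for lport, rport, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING" and lport in LISTEN_PORTS:
            hits.append(f"pid {pid} listening on {lport} ({LISTEN_PORTS[lport]})")
        elif state in ("ESTABLISHED", "SYN_SENT") and rport in REMOTE_PORTS:
            hits.append(f"pid {pid} connected to remote port {rport} ({REMOTE_PORTS[rport]})")
    return sorted(hits)


# Constructed captures from a hypothetical infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\WINDOWS\\ISERVC.EXE"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\ProgOp.exe 0 7 'C:\\WINDOWS\\NOTEPAD.EXE %1' 'C:\\WINDOWS\\initbak.dat' 'C:\\WINDOWS\\ISERVC.EXE'"

[HKEY_CLASSES_ROOT\Applications\ProgOp.exe]
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:2018           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:2021           0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.20:1043      10.0.0.5:6667          ESTABLISHED     1204
  TCP    192.168.1.20:1044      10.0.0.6:5190          ESTABLISHED     1204
  TCP    192.168.1.20:1050      10.0.0.7:443           ESTABLISHED     880
"""
SAMPLE_FILES = ["notepad.exe", "initbak.dat", "ISERVC.EXE", "ProgOp.exe", "iservc.dll", "win.ini"]
SAMPLE_SERVICES = ["Eventlog", "S1TRACE", "Spooler"]

if __name__ == "__main__":
    for hit in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES, SAMPLE_SERVICES):
        print(hit)
```

On a real host, feed it the output of `reg export` for the three keys, `netstat -ano`, `dir %WinDir%` and `sc query`. The .TXT handler check is the one worth keeping beyond this worm: it flags any first token other than NOTEPAD.EXE, not just ProgOp.exe, so it also catches other file-association hijacks of the same shape.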

Method of Infection

This worm spreads via KaZaa and email, mass-mailing itself to many addresses and sometimes forging the sender address. It is received as an executable attachment and requires users to "double-click" on the virus in order to get infected.

The worm stores various compressed information in its resource section. This information can vary from sample to sample resulting in different lengths of infected files.

The worm injects its ISERVC.DLL into each process started after infection. The DLL must be unloaded from those processes before it can be deleted. The 4.2.40 engine is required for repair of this threat.

If a file called UNINSTALL.PKY exists in %WINDIR%, the worm does not infect the machine. The content of this file does not matter.

Removal

All Users:
Use specified engine and DAT files for detection. The 4.2.40 engine is required for removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed successfully if cleaning with the recommended engine and DAT combination (or higher).

Stinger has been updated to detect and remove W32/Fizzer@MM. However, the service created by the virus will appear in the Services Control Panel until the next reboot.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode)
  2. Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt)
    • initbak.dat
    • iservc.exe
    • ProgOp.exe
    • iservc.dll
  3. Edit the registry
    • Under the key: "HKEY_CLASSES_ROOT\txtfile\shell\open\command"
      Set the value to "NOTEPAD.EXE %1"
    • Delete the "SystemInit" value from "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    • Delete the key "HKEY_CLASSES_ROOT\Applications\ProgOp.exe"
    • Delete the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\S1TRACE"
  4. Reboot the system

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Fizzer (F-Secure)
  • W32.HLLW.Fizzer@mm (Symantec)
  • W32/Fizzer (Panda)
  • W32/Fizzer-A (Sophos)
  • W32/Fizzer.gen@MM
  • Worm/Fizzu.A (Central Command)
  • WORM_FIZZER.A (Trend)
