Summary of W32/Fizzer.A@mm
Alias: Win32.Fizzer, W32/Fizzer-A, WORM_FIZZER.A, Fizzer, I-Worm.Fizzer
First seen: 8 May 2003
Description updated: 12 May 2003
Infection Method: Infected e-mail attachments and a file-sharing network
Fizzer is a complex e-mail worm that appeared on 8 May 2003. It spreads by e-mail and through the Kazaa peer-to-peer (P2P) file-sharing network. The worm carries a built-in IRC backdoor, a DoS (Denial of Service) attack tool, a data-stealing trojan (which uses an external keylogger DLL), an HTTP server and several further components. It can terminate the processes of certain anti-virus programs and is able to update itself.
Fizzer spreads in e-mail as an attachment with an .EXE, .PIF, .SCR or .COM extension. Attachment names, subjects and message bodies are selected at random from the worm's internal lists. E-mail addresses are harvested from the Windows and Outlook Address Books on the infected computer and from various files on the hard disk.
The worm spreads its dropper as an e-mail attachment. When a user runs the dropper, it creates a file called ISERVC.EXE in a temporary folder and executes it. ISERVC.EXE is the worm's main component. It copies itself to the Windows directory under the following names:
It then drops two more files into the Windows directory: ISERVC.DLL, the keylogging component, and PROGOP.EXE, which is pure dropper code. Before sending itself out, the worm re-assembles its own file using this dropper.
The ISERVC.EXE file contains the 'Sparky will reign' string in its header.
Notably, the worm stores its text strings and the additional files it drops in its resource section, a method very rarely used by malicious programs.
The worm creates a startup value for its main component in the System Registry:
"SystemInit" = "%windir%\iservc.exe"
where %windir% is the Windows directory. As a result the worm's main file is started in every Windows session.
Additionally, the worm replaces the default (@) value of the command used to open text files, so that its dropper runs each time a text file is opened and then launches Notepad on the file so that nothing appears amiss:
@ = "%windir%\ProgOp.exe 0 7 '%windir%\NOTEPAD.EXE %1'"
where %windir% is the Windows directory.
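Both persistence changes above, the "SystemInit" startup value pointing at iservc.exe and the hijacked default command for opening text files, can be found in a registry export. The following Python check is an added example written for this page; it is not F-Secure's code and not part of the worm. The `.reg` text it parses is a constructed sample, and the Run key it places "SystemInit" under is an assumption, since the description does not name the key.

```python
"""Check a Windows registry export (.reg text) for the two Fizzer persistence
changes: a startup value "SystemInit" ending in \\iservc.exe, and a text-file
open command routed through ProgOp.exe before NOTEPAD.EXE."""

# Constructed sample resembling `reg export` output. The Run key holding
# "SystemInit" is an assumption; the description only gives the value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\WINDOWS\\iservc.exe"
"VMware Tools"="C:\\Program Files\\VMware\\VMwareTray.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\ProgOp.exe 0 7 'C:\\WINDOWS\\NOTEPAD.EXE %1'"
'''


def parse_reg(text):
    """Return {key_path: {value_name: data}} for REG_SZ values.

    The default value of a key appears as '@' in .reg files and is stored
    under that name. .reg files escape backslashes and quotes inside string
    data, so those escapes are undone here.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            name = '@' if name == '@' else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
                keys[current][name] = data
    return keys


def find_fizzer_persistence(keys):
    """Return (indicator, key_path, value_name, data) tuples for matches.

    'startup'         - any value named SystemInit whose data ends in \\iservc.exe
    'txtfile-hijack'  - a txtfile open command that runs ProgOp.exe and passes
                        NOTEPAD.EXE as its argument, as the worm sets it
    """
    findings = []
    for path, values in keys.items():
        for name, data in values.items():
            if name.lower() == 'systeminit' and data.lower().endswith('\\iservc.exe'):
                findings.append(('startup', path, name, data))
        if path.lower().endswith(r'txtfile\shell\open\command'):
            cmd = values.get('@', '')
            if 'progop.exe' in cmd.lower() and 'notepad.exe' in cmd.lower():
                findings.append(('txtfile-hijack', path, '@', cmd))
    return findings


if __name__ == '__main__':
    for finding in find_fizzer_persistence(parse_reg(SAMPLE_REG)):
        print(*finding, sep=' | ')
```

On a live system the same two checks can be run against the output of `reg export HKCR\txtfile /y out.reg` and an export of the Run keys; a clean txtfile handler normally points straight at NOTEPAD.EXE with no intermediate program.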
The worm's main file has 5 resources in its body. All resources except the first one are encrypted and compressed; the first resource is only compressed. The resources are, in order:
- e-mail address list -
- progop.exe file -
- iservc.dll file -
- behaviour script -
- text strings -
The behaviour script holds the worm's major settings, for example its installation name and folder. It also controls the worm's behaviour under certain conditions; for example, when the date changes the worm logs out of IRC, waits for some time and then logs back in.
Spreading in e-mails
Fizzer collects e-mail addresses from the Windows and Outlook Address Books on an infected computer and from files in the personal folders, cookie folders, the recently opened files folder and the Internet cache directories.
The worm sends itself to every address found. Subjects, bodies and attachment names are selected at random from its large internal lists. The worm can also give its attachment the name of an innocent file taken from the infected system's hard disk. The attachment extension can be .EXE, .PIF, .SCR or .COM.
Spreading in Kazaa P2P networks
The worm can also spread through the Kazaa P2P (peer-to-peer) network. It locates the Kazaa shared folder on the infected computer and copies itself there under random names. Anyone who connects to the infected computer and runs a file downloaded from that shared folder becomes infected.
The worm records the user's keystrokes and writes them to the ISERVC.KLG file in the Windows folder. An attacker can retrieve this file and obtain the user's logins and passwords as well as other confidential information.
The worm connects to an AOL Instant Messenger server on TCP port 5190 with a random user name, creating a bot. An attacker can connect to this bot and control the worm's behaviour remotely.
The worm also tries to connect to various IRC servers and to create bots in a particular channel there. These bots give the worm's author limited access to the infected systems. The worm carries a long list of IRC servers in its resources; some of the server names it uses are:
Additional backdoor capabilities
The worm has further backdoor capabilities. It listens on TCP ports 2018-2021 for commands from a remote host (the attacker's computer). The ports serve the following purposes:
2018 - command port (sending/receiving commands)
2019 - file port (sending/receiving files)
2020 - console port (controlling the worm's behaviour)
2021 - video port (capturing video and sending it out)
The worm can also start an HTTP server on port 81 to provide additional access to the infected computer.
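The listening ports above, together with the AIM connection on port 5190 described earlier, are visible in the output of `netstat -ano` on an infected machine. The following Python triage script is an added example written for this page, not F-Secure's code or any part of the worm; the netstat output it parses is a constructed sample and the PIDs and remote addresses in it are hypothetical.

```python
"""Scan `netstat -ano` style output for Fizzer's backdoor listeners
(TCP 2018-2021, plus the optional HTTP server on 81) and for an established
connection to an AIM server on TCP 5190, which the worm uses for its bot."""

FIZZER_LISTEN_PORTS = {
    2018: 'command port',
    2019: 'file port',
    2020: 'console port',
    2021: 'video port',
    81: 'HTTP server',
}
AIM_PORT = 5190

# Constructed sample in the layout of Windows `netstat -ano`.
# PIDs and remote addresses are hypothetical.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:2018           0.0.0.0:0              LISTENING       1604
  TCP    0.0.0.0:2019           0.0.0.0:0              LISTENING       1604
  TCP    0.0.0.0:2020           0.0.0.0:0              LISTENING       1604
  TCP    0.0.0.0:2021           0.0.0.0:0              LISTENING       1604
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       1604
  TCP    192.168.1.20:1045      203.0.113.10:5190      ESTABLISHED     1604
  TCP    192.168.1.20:1046      203.0.113.20:80        ESTABLISHED     1212
  UDP    0.0.0.0:500            *:*                                    700
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state, pid)
    tuples for TCP lines. UDP lines have no State column and are skipped, as
    are the header lines. rpartition on ':' also copes with IPv6 addresses."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != 'TCP':
            continue
        proto, local, remote, state, pid = parts
        lip, _, lport = local.rpartition(':')
        rip, _, rport = remote.rpartition(':')
        rows.append((proto, lip, int(lport), rip, int(rport), state, int(pid)))
    return rows


def find_fizzer_network(rows):
    """Return (indicator, port, pid, detail) tuples.

    'backdoor-listener'   - a LISTENING socket on one of the documented ports
    'aim-bot-connection'  - an ESTABLISHED connection to remote port 5190
    """
    findings = []
    for proto, lip, lport, rip, rport, state, pid in rows:
        if state == 'LISTENING' and lport in FIZZER_LISTEN_PORTS:
            findings.append(('backdoor-listener', lport, pid, FIZZER_LISTEN_PORTS[lport]))
        elif state == 'ESTABLISHED' and rport == AIM_PORT:
            findings.append(('aim-bot-connection', rport, pid, rip))
    return findings


def suspicious_pids(findings):
    """One process owning two or more of the backdoor ports is the strong
    signal; a single hit on port 81 alone could be a legitimate web server."""
    count = {}
    for kind, port, pid, _ in findings:
        if kind == 'backdoor-listener':
            count[pid] = count.get(pid, 0) + 1
    return sorted(pid for pid, n in count.items() if n >= 2)


if __name__ == '__main__':
    found = find_fizzer_network(parse_netstat(SAMPLE_NETSTAT))
    for finding in found:
        print(*finding, sep=' | ')
    print('processes to inspect:', suspicious_pids(found))
```

The ports only show up while the backdoor is active and the HTTP server on 81 is optional, so an empty result does not clear a machine; the file and registry indicators described earlier should be checked as well.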
The worm can terminate the processes of certain anti-virus programs. It kills any process whose name contains one of the following strings:
The worm can carry out a DoS (Denial of Service) attack when it receives a specific command from the remote attacker.
The worm can update itself from a website. It connects to the site, downloads an update and saves it as the UPD.BIN file in the Windows folder. The website hosting the worm's updates is no longer available.
The current variant of the worm uninstalls itself if a file with the following name is found in the Windows directory:
When the worm finds a file with this name, it terminates its own processes and removes its registry keys, thereby disinfecting the system.
[Description: F-Secure Anti-Virus Research Team; May 9-12th, 2003]