FRISK Software International


Summary of W32/Fizzer.A@mm
Alias:Win32.Fizzer, W32/Fizzer-A , WORM_FIZZER.A , Fizzer, I-Worm.Fizzer
Discovered: 8 May 2003
Definition files: 12 May 2003
Risk Level: Low
Distribution:Low
Infection Method:Infected e-mail attachments and through a file-sharing network

Brief Description
Fizzer is a complex e-mail worm that appeared on the 8th of May, 2003. The worm spreads itself via e-mail and the Kazaa P2P (peer-to-peer) file-sharing network. The Fizzer worm has a built-in IRC backdoor, a DoS (Denial of Service) attack tool, a data-stealing trojan (which uses an external keylogger DLL), an HTTP server and several other components. The worm can kill the tasks of certain anti-virus programs. Additionally, the worm has auto-updating capabilities.

The Fizzer worm spreads in e-mails as an attachment with .EXE, .PIF, .SCR or .COM extensions. Attachment names, subjects and bodies are randomly selected by the worm from its internal lists. E-mail addresses are collected by the worm from the Windows and Outlook Address Books on an infected computer and also from various files on the hard disk.


Technical Description
The worm spreads its dropper as an e-mail attachment. When a user runs the dropper, it creates a file called ISERVC.EXE in a temporary folder and executes it. The ISERVC.EXE file is the worm's main component. It copies itself to the Windows directory under the following names:
ISERVC.EXE
INITBAK.DAT
Then it drops 2 more files into the Windows directory:
ISERVC.DLL
PROGOP.EXE
The ISERVC.DLL file is the keylogging component and the PROGOP.EXE file is pure dropper code. Before sending itself out, the worm re-assembles its file using this dropper.

The ISERVC.EXE file contains the 'Sparky will reign' string in its header.

It should be noted that the worm uses its resource section to store its own text strings and additional files that it drops. This method is very rarely used by malicious programs.

The worm creates a startup key for its main component in the System Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SystemInit" = "%windir%\iservc.exe"
where %windir% is the Windows directory. As a result, the worm's main file is activated during each Windows session.

Additionally, the worm modifies the command that opens text files:
[HKEY_CLASSES_ROOT\txtfile\shell\open\command] @ = "%windir%\ProgOp.exe 0 7 '%windir%\NOTEPAD.EXE %1' '%windir%\initbak.dat' '%windir%\ISERVC.EXE'"
where %windir% is the Windows directory. Opening a .txt file therefore runs the worm's dropper (which re-creates ISERVC.EXE from INITBAK.DAT) before launching NOTEPAD.EXE, so the worm returns even if only ISERVC.EXE has been deleted.
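The two persistence points above can be checked offline against a registry export (`reg export` / `regedit` .reg text). The following is an added example, not code from the original description or from FRISK; the .reg text it parses is a constructed sample, and the parser only handles plain string values.

```python
# Constructed sample of a .reg export of the two keys the worm modifies
# (example data, not taken from a real infected host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\WINDOWS\\iservc.exe"
"Legit"="C:\\Program Files\\Vendor\\agent.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\ProgOp.exe 0 7 'C:\\WINDOWS\\NOTEPAD.EXE %1' 'C:\\WINDOWS\\initbak.dat' 'C:\\WINDOWS\\ISERVC.EXE'"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
# File names from the description; any of them in the txtfile handler is a hit.
FIZZER_FILES = ("iservc.exe", "progop.exe", "initbak.dat")


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} for REG_SZ values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')   # "@" is the default value
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_fizzer_persistence(keys):
    """Return (key_label, value_name, data) for each persistence indicator found."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Flag the worm's value name, and any Run entry that launches iservc.exe.
        if name == "SystemInit" or data.lower().endswith("\\iservc.exe"):
            findings.append(("Run", name, data))
    cmd = keys.get(TXTFILE_KEY, {}).get("@", "")
    # The clean handler is just NOTEPAD.EXE "%1"; the worm wraps it in ProgOp.exe.
    if any(f in cmd.lower() for f in FIZZER_FILES):
        findings.append(("txtfile", "@", cmd))
    return findings


if __name__ == "__main__":
    for hit in find_fizzer_persistence(parse_reg_export(SAMPLE_REG)):
        print("fizzer persistence:", hit)
```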

The worm's main file has 5 resources in its body. All resources except the first one are encrypted and compressed. The first resource is only compressed. The structure of resources is the following:
- e-mail address list
- progop.exe file
- iservc.dll file
- behaviour script
- text strings
The behaviour script contains major settings for the worm for example its installation name and folder. This script also controls the worm's behaviour in certain conditions, for example when the date changes, the worm logs out from IRC, waits for some time and then logs back in.

Spreading in e-mails

The Fizzer worm collects e-mail addresses from the Windows and Outlook Address Books on an infected computer and also from various files in personal folders, cookie folders, the recently opened files folder and Internet cache directories.

The worm sends itself in e-mail messages to all found addresses. Subjects, bodies and attachment names are randomly selected by the worm from its large internal lists. The worm can also use the names of innocent files from an infected system's hard disk for its attachment. Attachment extensions can be .EXE, .PIF, .SCR and .COM.

Spreading in Kazaa P2P networks

The worm is capable of spreading itself in Kazaa P2P (peer-to-peer) networks. The Fizzer worm locates the Kazaa shared folder on an infected computer and copies itself there under random names. Anyone who connects to an infected computer and runs files downloaded from its shared folder becomes infected with the worm.

Keylogging trojan

The worm records the user's keystrokes and writes them into the ISERVC.KLG file located in the Windows folder. This file can be picked up by a hacker, giving access to the user's logins and passwords as well as other confidential information.

AOL backdoor

The worm connects to an AOL server on port 5190 with a random user name, creating a bot. A hacker can establish a connection to the bot and control the behaviour of the worm remotely.

IRC backdoor

The worm tries to connect to different IRC servers and creates bots in a certain channel there. These bots can be used by the worm's author to get limited access to infected systems. The worm has a long list of IRC servers in its resources. Here are some of the IRC server names that the worm uses:
Additional backdoor capabilities

The worm has additional backdoor capabilities. It listens on ports 2018-2021 for commands from a remote host (the hacker's computer). The ports are used for the following purposes:

2018 - command port (sending/receiving commands)
2019 - file port (sending/receiving files)
2020 - console port (controlling the worm's behaviour)
2021 - video port (capturing video and sending it out)
The worm can also start an HTTP server on port 81 to provide additional access to an infected computer.
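The listening ports above, together with the outbound AOL connection on port 5190 described earlier, can be checked against `netstat -an` output. This is an added example, not code from the original description; the netstat text is a constructed sample using documentation address ranges, and the confidence rule (the 2018-2021 cluster carries the weight, since port 81 and AOL traffic occur legitimately) is the editor's, not FRISK's.

```python
# Constructed sample of Windows "netstat -an" output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2018           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2019           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2020           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2021           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        198.51.100.7:5190      ESTABLISHED
  TCP    192.0.2.10:1044        203.0.113.5:443        ESTABLISHED
"""

# Ports from the description: the four backdoor ports, the optional HTTP
# server, and the outbound AOL bot connection.
BACKDOOR_PORTS = {2018: "command", 2019: "file", 2020: "console", 2021: "video"}
HTTP_SERVER_PORT = 81
AOL_PORT = 5190


def parse_netstat(text):
    """Yield (local_port, remote_port, state) for each TCP row of netstat -an."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP":
            lport = int(parts[1].rsplit(":", 1)[1])
            rport = int(parts[2].rsplit(":", 1)[1])
            yield lport, rport, parts[3]


def fizzer_socket_indicators(text):
    """Return (findings, confidence). Findings are (port, description) pairs.
    Confidence is 'high' only when at least two of the 2018-2021 listeners are
    present; a lone port-81 listener or 5190 session is 'low'."""
    findings = []
    for lport, rport, state in parse_netstat(text):
        if state == "LISTENING" and lport in BACKDOOR_PORTS:
            findings.append((lport, BACKDOOR_PORTS[lport] + " port"))
        elif state == "LISTENING" and lport == HTTP_SERVER_PORT:
            findings.append((lport, "HTTP server"))
        elif state == "ESTABLISHED" and rport == AOL_PORT:
            findings.append((rport, "outbound AOL bot connection"))
    cluster = sum(1 for port, _ in findings if port in BACKDOOR_PORTS)
    confidence = "high" if cluster >= 2 else ("low" if findings else "none")
    return findings, confidence


if __name__ == "__main__":
    print(fizzer_socket_indicators(SAMPLE_NETSTAT))
```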

Payload

The worm has the ability to kill tasks of certain anti-virus programs. It kills processes if they have the following strings in their names:
NAV
SCAN
AVP
TASKM
VIRUS
F-PROT
VSHW
ANTIV
VSS
NMAIN
The worm can perform a DoS (Denial of Service) attack if it receives a specific command from a remote hacker.

Autoupdating feature

The worm has the ability to update itself from a website. It connects to the website, downloads an update and saves it as a file named UPD.BIN in the Windows folder. However, the website with the updates for the worm is no longer available.

Uninstallation feature

The current variant of the worm can uninstall itself if a file with the following name is found in the Windows directory:
Uninstall.pky
When the worm finds a file with this name, it kills its tasks and removes its registry keys, thus disinfecting the system.


[Description: F-Secure Anti-Virus Research Team; May 9-12th, 2003]