[Virus Alert] CodeName: Fizzer
Posted: Wed May 14, 2003 3:32 pm
Report from http://www.mcafee.com
For the full report and how to protect your computer visit the following link: http://vil.mcafee.com/dispVirus.asp?virus_k=100295
Name: W32/Fizzer@MM
Risk Assessment
- Home Users: Medium
- Corporate Users: Medium
Date Discovered: 5/8/2003
Date Added: 5/8/2003
Origin: Unknown
Length: Varies
Type: Virus
SubType: E-mail
This mass-mailing worm has many components and an internal timer to trigger different processes at different times. These include:
- Mass-mailing itself to addresses gathered from different places:
  - Outlook Contacts list
  - Windows Address Book (WAB)
  - Addresses found on the local system
  - Randomly manufactured addresses
- IRC bot (Internet Relay Chat)
- AIM bot (AOL Instant Messenger)
- Keylogger
- KaZaa worm
- HTTP server
- Remote access server
- Self-updating mechanism
- Anti-virus software termination
The worm contains its own SMTP engine and uses the default SMTP server as specified in the Internet Account Manager registry settings. It can also use any one of several hundred different external SMTP servers.
The worm arrives as an email attachment in various messages. The From address can be forged, so the apparent sender is not the actual sender. Message bodies and subject lines vary, as do attachment names. Attachments use standard executable extensions (.com, .exe, .pif, .scr). Examples include:

Subject: why?
Body: The peace
Attachment: desktop.scr

Subject: Re: You might not appreciate this...
Body: lautlach
Attachment: service.scr

Subject: Re: how are you?
Body: I sent this program (Sparky) from anonymous places on the net
Attachment: Jesse20.exe

Subject: Fwd: Mariss995
Body: There is only one good, knowledge, and one evil, ignorance.
Attachment: Mariss995.exe

Subject: Re: The way I feel - Remy Shand
Body: Nein
Attachment: Jordan6.pif
When the attachment is run, the worm first looks for a UNINSTALL.PKY file in the WINDOWS folder. If this file exists, it terminates and does not infect the machine. Otherwise it extracts several files to the WINDOWS (%WinDir%) directory:
- initbak.dat - A copy of the worm
- iservc.exe - A copy of the worm
- ProgOp.exe (15,360 bytes) - Process handling
- iservc.dll (7,680 bytes) - Handles timing and Windows hooking/keylogging
The worm creates a registry Run key to load itself at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "SystemInit" = C:\WINDOWS\ISERVC.EXE

It also modifies the handling of files with a .TXT extension, such that accessing a .TXT file results in the worm being run:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
  "(Default)" = C:\WINDOWS\ProgOp.exe 0 7 'C:\WINDOWS\NOTEPAD.EXE %1' 'C:\WINDOWS\initbak.dat' 'C:\WINDOWS\ISERVC.EXE'

It creates a new CLASSES ROOT key with a similar association:
HKEY_CLASSES_ROOT\Applications\ProgOp.exe
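A defender-side check for the two registry changes described above, written here as an added example and not part of the McAfee report: it parses a simplified reg-export dump (the sample dump and the parser's format handling are constructed for this example) and flags a Run value that loads ISERVC.EXE or a .txt handler that has been redirected through ProgOp.exe.

```python
# Persistence indicators for W32/Fizzer@MM, taken from the advisory text.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_KEY = r"hkey_classes_root\txtfile\shell\open\command"
WORM_MARKERS = ("progop.exe", "iservc.exe")

# Constructed sample of an infected machine's export (not a real capture).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\WINDOWS\\ISERVC.EXE"
"SomeTool"="C:\\Program Files\\Tool\\tool.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\ProgOp.exe 0 7 'C:\\WINDOWS\\NOTEPAD.EXE %1' 'C:\\WINDOWS\\initbak.dat' 'C:\\WINDOWS\\ISERVC.EXE'"
"""

# Constructed sample of a clean machine for comparison.
CLEAN_EXPORT = r"""[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""


def parse_reg_export(text):
    """Parse a minimal reg-export style dump into {key_lower: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            # "@" is how reg export writes the (Default) value.
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip().strip('"')
    return keys


def find_fizzer_indicators(text):
    """Return human-readable findings for the Run key and .txt handler hijack."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "systeminit" or "iservc.exe" in data.lower():
            findings.append(f"Run value {name!r} loads {data}")
    handler = keys.get(TXT_KEY, {}).get("(Default)", "")
    if any(marker in handler.lower() for marker in WORM_MARKERS):
        findings.append(f".txt handler hijacked: {handler}")
    return findings


if __name__ == "__main__":
    for finding in find_fizzer_indicators(SAMPLE_EXPORT):
        print(finding)
```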
On WinNT/2K/XP systems the worm creates a service named S1TRACE.
Mailing routine
After several minutes, the worm uses its own SMTP engine to send itself to all addresses on the Outlook Contacts List. It also sends itself to random addresses, constructed from three parts:
- Part 1: Random name (from internal list)
- Part 2: Random number (optional)
- Part 3: @Random domain (from internal list), such as:
  - aol.com
  - earthlink.com
  - gte.net
  - hotmail.com
  - juno.com
  - msn.com
  - netzero.com
  - yahoo.com

The subject and message body are constructed from a large list of English and German words and phrases carried within the virus body. The attachment name is also constructed from a list of names, followed by a number, followed by .com, .exe, .pif, or .scr. Additionally, filenames may be chosen by copying the name of a valid file on the infected sender's machine (e.g. desktop.ini -> desktop.scr).
IRC Bot
The worm pings many different IRC servers. When it receives a reply, it connects to a channel on that server using many different internal usernames, and waits for further instructions from an attacker. The list of IRC servers includes:
- irc2p2pchat.net
- irc.idigital-web.com
- irc.cyberchat.org
- irc.othernet.org
- irc.beyondirc.net
- irc.chatx.net
- irc.cyberarmy.com
- irc.gameslink.net
AOL Bot
The worm connects to an AIM site to register a new, randomly named, user (in a similar fashion to the AIM-Canbot trojan). It then connects to an AIM chat server on port 5190, joins a chat session, and listens for further instructions.
Self-updating
The worm connects to a geocities user page to download updates. However, at the time of this writing that user site did not exist.
Keylogger
The worm captures typed keystrokes and stores them in an encrypted file named iservc.klg within the Windows directory.
KaZaa worm
The worm retrieves the default download directory for KaZaa from the registry and copies itself to that location using random filenames.
HTTP server
The worm runs an HTTP server on port 81. The web server acts as a command console, displaying information about the infected system (system time, connection information, OS version, IRC and AIM information). It also allows an attacker to kick off certain functions, such as a Denial of Service attack, mail propagation, AOL/IRC bot commands, and anti-virus software termination.
Remote access server
The worm creates a remote access server by listening on ports 2018, 2019, 2020, and 2021.
Anti-virus software termination
The worm attempts to terminate processes that contain the following phrases in their names:
- ANTIV
- AVP
- F-PROT
- NMAIN
- SCAN
- TASKM
- VIRUS
- VSHW
- VSS