Virus alert: Network Associates AVERT places medium watch risk assessment on new mass mailing worm Fizzer

By Livewired Communications
Johannesburg, 14 May 2003

AVERT (Anti-Virus Emergency Response Team), the anti-virus research division of Network Associates, has assigned a medium-on-watch risk assessment to the recently discovered W32/Fizzer@MM, also known as Fizzer.

Says Christopher Bray, Network Associates regional director for sub-Saharan Africa: "Fizzer is a destructive mass-mailing worm that uses its own SMTP engine to mail itself to all contacts in the user's address book, including Outlook and the Windows Address Book, in addition to any addresses found on the local system or randomly manufactured addresses. Fizzer also contains an internal timer to trigger different processes at different times."

It was first discovered on 8 May and has been reported to AVERT by customers in many regions of the world, including North America, Europe, Japan, and other countries in the Asia Pacific region.

Symptoms

Fizzer is an Internet worm that, once activated, e-mails itself to everyone in the user's Microsoft Outlook contacts and Windows Address Book, to any addresses found on the local system, and to randomly manufactured addresses. The worm contains its own SMTP engine and uses the default SMTP server specified in the Internet Account Manager registry settings; it can also use any one of several hundred different external SMTP servers.

The "from" address can be forged, so that the apparent sender is not the actual sender. The subject line, message body and attachment name all vary. The subject and message body are constructed from a large list of English and German words and phrases carried within the virus body. Attachments use standard executable extensions, including .com, .exe, .pif, and .scr. Users should immediately delete any e-mail containing the following:

Subject: why?
Body: The peace
Attachment: desktop.scr

Subject: Re: You might not appreciate this...
Body: lautlach
Attachment: service.scr

Subject: Re: how are you?
Body: I sent this program (Sparky) from anonymous places on the net
Attachment: Jesse20.exe

Subject: Fwd: Mariss995
Body: There is only one good, knowledge, and one evil, ignorance.
Attachment: Mariss995.exe

Subject: Re: The way I feel - Remy Shand
Body: Nein
Attachment: Jordan6.pif
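The subject/attachment pairs above are exact indicators, while the executable extensions are a broader heuristic. The following added example (not from the alert or from Network Associates) shows how a mail gateway filter could apply both: it parses a message with Python's standard email library, flags a known Fizzer pair as a definite hit, and flags any other .com/.exe/.pif/.scr attachment as suspicious. The sample messages are constructed inline; the helper names are my own.

```python
import email
from email.message import EmailMessage

# Exact (subject, attachment) pairs quoted in the AVERT alert.
FIZZER_MAIL_IOCS = {
    ("why?", "desktop.scr"),
    ("Re: You might not appreciate this...", "service.scr"),
    ("Re: how are you?", "Jesse20.exe"),
    ("Fwd: Mariss995", "Mariss995.exe"),
    ("Re: The way I feel - Remy Shand", "Jordan6.pif"),
}

# Attachment extensions the alert says the worm uses (broader heuristic).
EXECUTABLE_EXTENSIONS = (".com", ".exe", ".pif", ".scr")


def attachment_names(msg):
    """Collect the file names of all non-container MIME parts."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify_message(raw):
    """Return 'fizzer' for a known subject/attachment pair,
    'suspicious' for any executable attachment, otherwise 'clean'."""
    msg = email.message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    names = attachment_names(msg)
    # Exact indicators first: these are a confirmed match, not a heuristic.
    for name in names:
        if (subject, name) in FIZZER_MAIL_IOCS:
            return "fizzer"
    # Fallback heuristic: executable attachments are blocked for review.
    for name in names:
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            return "suspicious"
    return "clean"


def build_message(subject, body, filename=None):
    """Construct a sample RFC 822 message for testing (constructed data,
    not a real capture); the attachment payload is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"MZ placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for subj, body, fname in [("why?", "The peace", "desktop.scr"),
                              ("Meeting notes", "see attached", "notes.exe"),
                              ("Meeting notes", "see attached", "notes.pdf")]:
        print(subj, fname, "->", classify_message(build_message(subj, body, fname)))
```

The exact-pair check is listed first because, unlike the extension heuristic, it justifies an automatic quarantine rather than a review queue; a real deployment would also normalise header encodings before comparison.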

After being executed, Fizzer extracts several files to the Windows directory, including initbak.dat, iservc.exe, ProgOp.exe or iservc.dll, and creates a registry run key to load itself at system startup. The worm also modifies the handling of files with a .txt extension, so that opening a .txt file causes Fizzer to run, and creates a new root key with a similar association. On WinNT/2K/XP systems the worm creates a service named S1TRACE.

Fizzer also pings many different IRC servers. When it receives a reply from one of those servers, it connects to a channel on that server using one of many internal usernames and waits for further instructions from an attacker. The list of IRC servers includes:

irc2p2pchat.net
irc.idigital-web.com
irc.cyberchat.org
irc.othernet.org
irc.beyondirc.net
irc.chatx.net
irc.cyberarmy.com
irc.gameslink.net

Fizzer spreads via multiple methods, including KaZaa and e-mail, mass-mailing itself to many addresses and sometimes forging the sender address. It is received as an executable attachment and requires the user to launch the attachment in order to infect the system.

Bray continues: "Because Fizzer uses multiple components and an internal timer to trigger different processes, the worm also connects to an AOL Instant Messenger (AIM) site to register a new, randomly named user. It then connects to an AIM chat server on port 5190, joins a chat session, and listens for further instructions. Fizzer also spreads via multiple methods including KaZaa, retrieving the default download directory for KaZaa from the registry and copying itself to that location using random filenames."

Once Fizzer is launched, the worm captures typed keystrokes and stores them in an encrypted file named iservc.klg within the Windows directory. It also runs an HTTP server on a configured port, allowing an attacker to trigger certain functions, such as a denial of service attack, mail propagation, AOL/IRC bot commands, and anti-virus software termination.

Fizzer will attempt to terminate processes that contain the following phrases in their names:

ANTIV
AVP
F-PROT
NMAIN
SCAN
TASKM
VIRUS
VSHW
VSS

Users will know they have been affected by unexpected traffic on port 6667 (IRC) or 5190 (AIM) and the presence of the aforementioned filenames and registry keys.
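The network and host symptoms above translate directly into detection logic. The following added example (mine, not from the alert or from Network Associates) runs three checks over constructed data: workstations connecting to the alert's IRC/AIM ports 6667 and 5190, workstations contacting many distinct SMTP servers (the mass-mailing behaviour described earlier, with an assumed threshold of three), and file names from a Windows directory listing that match the dropped files named in the alert. The firewall log format, IP addresses and thresholds are my assumptions; the log lines are constructed, not captured.

```python
import re
from collections import Counter

# Constructed firewall log (not a real capture): date time action proto src dst dport.
SAMPLE_LOG = """\
2003-05-14 09:01:12 ALLOW TCP 10.0.0.17 192.0.2.10 80
2003-05-14 09:01:40 ALLOW TCP 10.0.0.17 198.51.100.5 6667
2003-05-14 09:02:03 ALLOW TCP 10.0.0.23 198.51.100.9 5190
2003-05-14 09:02:15 ALLOW TCP 10.0.0.17 192.0.2.25 25
2003-05-14 09:02:18 ALLOW TCP 10.0.0.17 192.0.2.26 25
2003-05-14 09:02:21 ALLOW TCP 10.0.0.17 192.0.2.27 25
2003-05-14 09:02:30 ALLOW TCP 10.0.0.23 192.0.2.25 25
2003-05-14 09:03:50 ALLOW TCP 10.0.0.17 203.0.113.7 6667
"""

# Ports the alert names as unexpected traffic on an infected host.
WATCH_PORTS = {6667: "IRC", 5190: "AIM"}

# Files the alert says the worm writes to the Windows directory (lower-cased,
# because Windows file names are case-insensitive).
DROPPED_FILES = {"initbak.dat", "iservc.exe", "progop.exe", "iservc.dll", "iservc.klg"}

LOG_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, dst, dport = m.groups()
    return {"ts": ts, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": int(dport)}


def suspicious_hosts(log_text):
    """Return {src: {port: count}} for sources that connected to a watched port."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WATCH_PORTS:
            continue
        hits.setdefault(rec["src"], Counter())[rec["dport"]] += 1
    return {src: dict(c) for src, c in hits.items()}


def smtp_fanout(log_text, threshold=3):
    """Return {src: distinct_smtp_servers} for sources that contacted at least
    `threshold` distinct port-25 destinations; a workstation normally talks to one."""
    dests = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 25:
            continue
        dests.setdefault(rec["src"], set()).add(rec["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def dropped_file_hits(listing):
    """Given file names from a Windows directory listing, return those that
    match the alert's dropped-file names, preserving the original spelling."""
    return sorted(name for name in listing if name.lower() in DROPPED_FILES)


if __name__ == "__main__":
    for src, ports in suspicious_hosts(SAMPLE_LOG).items():
        print(src, {WATCH_PORTS[p]: n for p, n in ports.items()})
    print("smtp fan-out:", smtp_fanout(SAMPLE_LOG))
    print("dropped files:", dropped_file_hits(["explorer.exe", "ISERVC.EXE", "ProgOp.exe"]))
```

Port-based matching alone is noisy on networks where IRC or AIM is legitimately used; correlating a port hit with the SMTP fan-out or a dropped-file hit on the same host gives a much stronger signal than any single check.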

Cure

Immediate information and a cure for this virus can be found online at the Network Associates AVERT site at http://vil.nai.com/vil/content/v_100295.htm.

Users of McAfee Security anti-virus products should update their systems from that page and use the 4.2.40 engine for optimal detection and removal and to stop potential damage.

About AVERT

AVERT Labs is one of the top-ranked anti-virus research organisations in the world, employing more than 90 researchers in offices on five continents. AVERT protects customers by providing cures developed through the combined efforts of AVERT researchers and AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.