Fizzer Virus / Backdoor
A new mass-mailing virus, currently labeled "Win32.Fizzer.A", has been spreading for the past few days. Its payload has a few interesting features:
- In addition to e-mail, the virus uses the Kazaa P2P network to spread.
- It attempts to terminate anti-virus scanners.
- It includes a keystroke logger.
- It permits remote control via AOL Instant Messenger or IRC.
The IRC component is particularly interesting. It includes a long list of
IRC servers. The infected system joins a password-protected channel on one
of these servers and waits for commands.
"Fizzer" attempts to hide its bot nature in this IRC channel by using a
regular-looking nickname. Occasionally, the bots will "chat" by sending a random string to the channel.
A summary from an IRC operator's perspective can be found in this mailing list
post:
http://www.dshield.org/pipermail/list/2003-May/008165.php
Counter Measures:
Current anti-virus signatures detect 'Fizzer'. Stripping executable e-mail attachments works as well.
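The attachment-stripping counter measure, as an added example (not code from this diary or from any vendor): a small filter that parses a MIME message, drops every part whose file name ends in an executable extension, and returns the cleaned message. The extension list and the sample message are this example's own constructions; the sample is not a real Fizzer message.

```python
"""Strip executable attachments from a MIME message before delivery.

Added example for the "Counter Measures" note; not code from the diary or
from any anti-virus vendor. The extension list and SAMPLE_RAW below are
assumptions constructed for illustration.
"""
import email
from email import policy

# Extensions Windows will run directly. Mass-mailers like Fizzer arrive as an
# executable attachment, often with a misleading double extension such as
# "readme.txt.exe", so only the final extension is examined.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js")


def is_executable_attachment(part):
    """True if a MIME part carries a file name ending in an executable extension."""
    filename = part.get_filename()
    if not filename:
        return False
    return filename.strip().lower().endswith(EXECUTABLE_EXTENSIONS)


def _strip(msg, removed):
    """Recursively drop executable attachments from msg, recording their names."""
    if not msg.is_multipart():
        return msg
    kept = []
    for part in msg.get_payload():
        if is_executable_attachment(part):
            removed.append(part.get_filename())
            continue
        kept.append(_strip(part, removed))
    msg.set_payload(kept)  # replace the subpart list with the filtered one
    return msg


def strip_executable_attachments(raw):
    """Parse raw message bytes, remove executable attachments and return
    (cleaned message bytes, list of removed file names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    _strip(msg, removed)
    return msg.as_bytes(), removed


def attachment_names(raw):
    """File names of all parts that carry a file name, in message order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


# Constructed sample (not a real Fizzer message): a text body, an executable
# with a double extension, and a harmless PDF that must survive the filter.
SAMPLE_RAW = b"""From: sender@example.com
To: victim@example.org
Subject: Re: your request
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

see attached
--XYZ
Content-Type: application/octet-stream; name="details.txt.exe"
Content-Disposition: attachment; filename="details.txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--XYZ
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""


if __name__ == "__main__":
    cleaned, removed = strip_executable_attachments(SAMPLE_RAW)
    print("removed:", removed)
    print("remaining attachments:", attachment_names(cleaned))
```

The filter keys on the attachment's file name rather than its declared content type, because a mailer controls both and a misleading content type is as cheap to set as a misleading name; a gateway deployment would log the removed names and notify the recipient.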
Detection:
The virus creates the files "iservc.exe" and "initbak.dat" in the infected machine's Windows directory. See the anti-virus vendor links below for a more complete list of indicators.
Removal:
According to BullGuard antivirus, create an empty file 'UNINSTALL.PKY' in your Windows folder, wait one minute and then delete the file progOp.exe from the Windows folder.
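The detection and removal steps above, as one added example (not code from this diary, from BullGuard, or from any other vendor): a script that checks a Windows directory for the indicator files the diary names, and, on request, performs the BullGuard procedure of creating an empty UNINSTALL.PKY, waiting one minute, and deleting progOp.exe. The indicator list is limited to the names on this page; the demo directory the script builds for itself is constructed and contains no malware.

```python
"""Host-side check for the Fizzer indicator files named in the diary, plus the
BullGuard removal procedure.

Added example, not code from the diary or from BullGuard. The file names come
from the diary text; the 60-second default wait mirrors its "wait one minute".
The directory built by demo_in_temp_dir() is constructed for illustration.
"""
import os
import tempfile
import time
from pathlib import Path

# Files the diary reports in the Windows directory of an infected machine.
# Vendor write-ups list more; this check covers only what the diary names.
INDICATOR_FILES = ("iservc.exe", "initbak.dat", "progop.exe")
# Presence of this file makes the worm uninstall itself, per BullGuard.
UNINSTALL_TRIGGER = "UNINSTALL.PKY"


def find_indicators(windows_dir):
    """Return indicator file names present in windows_dir, spelled as on disk.
    Matching is case-insensitive because Windows file names are."""
    on_disk = {name.lower(): name for name in os.listdir(windows_dir)}
    return [on_disk[n] for n in INDICATOR_FILES if n in on_disk]


def remove_fizzer(windows_dir, wait_seconds=60):
    """Apply the diary's removal steps: create an empty UNINSTALL.PKY, wait for
    the worm to act on it, then delete progOp.exe. Returns (deleted, remaining);
    'remaining' lists indicator files still present afterwards, so the operator
    can see whether the self-uninstall actually ran."""
    windows_dir = Path(windows_dir)
    (windows_dir / UNINSTALL_TRIGGER).touch()
    time.sleep(wait_seconds)
    deleted = []
    for name in find_indicators(windows_dir):
        if name.lower() == "progop.exe":
            (windows_dir / name).unlink()
            deleted.append(name)
    return deleted, find_indicators(windows_dir)


def demo_in_temp_dir():
    """Build a constructed stand-in for an infected Windows directory (empty
    files only, no malware) and run the scan and the removal against it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("iservc.exe", "initbak.dat", "progOp.exe", "notepad.exe"):
            Path(tmp, name).write_bytes(b"")
        before = find_indicators(tmp)
        deleted, remaining = remove_fizzer(tmp, wait_seconds=0)
        trigger_present = Path(tmp, UNINSTALL_TRIGGER).exists()
    return before, deleted, remaining, trigger_present


if __name__ == "__main__":
    # On a real machine, scan the actual Windows directory (read-only).
    windir = os.environ.get("WINDIR", r"C:\Windows")
    if os.path.isdir(windir):
        print("indicators in", windir, ":", find_indicators(windir))
    print("demo run:", demo_in_temp_dir())
```

Run the scan first and only call remove_fizzer on a machine where the indicators are present; if indicator files remain after the wait, the self-uninstall did not run and the vendor removal tools linked below should be used instead.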
More details:
http://www.dshield.org/pipermail/list/2003-May/008165.php
http://www.bullguard.com/antivirus/vit_fizzer_a.aspx
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=100295
http://www.kaspersky.com/news.html?id=977151
http://www.microsoft.com/technet/security/virus/alerts/fizzer.asp
--------------------------------------------------------
please send any observations to isc@sans.org