
Fizzer Worm Targets Email, KaZaA Users
Disables security software and drops keylogging Trojan to system

by Ira Wilsker
Golden Triangle PC Club
From the June 2003 issue of the I/O Port Newsletter

Discovered on May 08, 2003, Fizzer (a.k.a. W32/Fizzer@MM, W32/Fizzer.A, and Worm/Fizzu.A) spreads via email and the KaZaA P2P network. According to antivirus vendor F-Secure, Fizzer contains a built-in IRC backdoor, a DoS (Denial of Service) attack tool, a data-stealing trojan, an HTTP server and auto-updating capabilities. The worm can also disable certain antivirus programs.

Fizzer culls addresses from both the Windows and Outlook Address Books and also uses random Yahoo and Hotmail addresses. The email message it composes is randomly assembled from a long list of internal selections and may appear in either English or German. The email attachment is also randomly named, but always has a .COM, .EXE, .PIF, or .SCR extension.

Fizzer also targets the KaZaA P2P (peer to peer) network, copying itself to the KaZaA shared folder under a variety of filenames. KaZaA participants who download from the shared folder on an infected machine risk receiving the infected files.

The Fizzer worm kills any process whose name contains NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS, or NMAIN. This disables certain antivirus tasks or programs. Affected products include the popular Norton Antivirus and McAfee VirusScan software.

Fizzer also installs a keylogging Trojan that records keystrokes to a log file, which can then be retrieved through a backdoor utility also installed by Fizzer. The backdoor is accessible via IRC channels, HTTP, and Telnet. Fizzer automatically updates itself, so additional functionality may be added or its behavior changed after the initial infection.

Manual Detection and Removal of Fizzer

The following instructions involve modifying the System Registry. Improperly editing the system registry can adversely affect the operating system.

Search the System Registry for the following:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SystemInit" = "C:\Windows\iservc.exe"

HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default) = "C:\Windows\ProgOp.exe 0 7 'C:\Windows\NOTEPAD.EXE %1' 'C:\Windows\initbak.dat' 'C:\Windows\ISERVC.EXE'"

F-Secure provides a free tool to remove the registry edits made by Fizzer:

ftp://ftp.europe.f-secure.com/anti-virus/tools/fix_fizz.reg

After correcting the registry, reboot the system. Search the Windows directory for the following files and delete them:

INITBAK.DAT
ISERVC.EXE
ISERVC.DLL
PROGOP.EXE

If you use KaZaA, you can expect a large number of files in your shared KaZaA folder to be copies of the worm. Scan the system with updated antivirus software to remove any further instances of Fizzer.
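As an added example (not part of the original article and not F-Secure's fix_fizz.reg), the following Python script scans a registry export, such as the text produced by "reg export" on the two keys above, for the Fizzer persistence entries and reports them before any manual cleanup. The sample export embedded in it is constructed for the demonstration.

```python
"""Flag the Fizzer registry entries described in the article in a .reg export.
Added example code; the sample export below is constructed, not captured."""

# Constructed sample: what an export of the two keys might look like on an
# infected host. .reg text doubles backslashes inside string data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\Windows\\iservc.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\ProgOp.exe 0 7 'C:\\Windows\\NOTEPAD.EXE %1' 'C:\\Windows\\initbak.dat' 'C:\\Windows\\ISERVC.EXE'"
"""

# File names dropped into the Windows directory, per the article.
FIZZER_FILES = {"iservc.exe", "iservc.dll", "progop.exe", "initbak.dat"}


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.
    '@' is the key's default value; escaped backslashes and quotes are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            data = data.strip('"').replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_fizzer(text):
    """Return (key_path, value_name, data) for every value whose data names a
    Fizzer file. Catches both the Run entry and the hijacked txtfile verb,
    whatever drive letter or case the path uses."""
    hits = []
    for key, values in parse_reg(text).items():
        for name, data in values.items():
            if any(fname in data.lower() for fname in FIZZER_FILES):
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_fizzer(SAMPLE_REG):
        print(f"{key}\n  {name} = {data}")
```

Feed it a real export instead of SAMPLE_REG to check a suspect machine; a clean host produces no hits for either key.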

Tulsa Computer Society 6/02/2003
Don Singleton, President