Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-05-13 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Fizzer Virus / Backdoor

Published: 2003-05-13
Last Updated: 2003-05-15 02:08:53 UTC
by Handlers (Version: 1)
0 comment(s)
A new mass mailing virus, currently labeled "Win32.Fizzer.A" is spreading for the last few days. The payload of this virus contains a few interesting features:

- In addition to e-mail, the virus uses the P2P system Kazaa to spread.

- it will try to terminate anti virus scanners.

- The virus includes a key stroke logger

- In addition to permitting remote control via AOL Instant Messenger or IRC.

The IRC component is in particular interesting. It includes a long list of
IRC servers. The infected system will join a password protected channel on one
of these systems to wait for commands.

"Fizzer" attempts to hide its bot-nature in this IRC channel, by using regular
looking name. Occasionally, the bots will "chat" by sending a random string to the channel.

A summary from an IRC operator's perspective can be found in this mailing list
post:

http://www.dshield.org/pipermail/list/2003-May/008165.php

Counter Measures:

Current Anti Virus filters will detect 'Fizzer'. Stripping executable attachments will work as well.

Detection:

The virus will create the files "iservc.exe" and "initbak.dat" in the infected machine's Windows directory. See the Anti Virus vendor links below for a more complete list.

Removal:

According to BullGuard antivirus, create an empty file 'UNINSTALL.PKY' in your Windows folder, wait one minute and then delete the file progOp.exe from the Windows folder.
More details:

http://www.dshield.org/pipermail/list/2003-May/008165.php
http://www.bullguard.com/antivirus/vit_fizzer_a.aspx

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html

http://vil.mcafee.com/dispVirus.asp?virus_k=100295

http://www.kaspersky.com/news.html?id=977151

http://www.microsoft.com/technet/security/virus/alerts/fizzer.asp
--------------------------------------------------------

please send any observations to isc@sans.org

Keywords:
0 comment(s)
Diary Archives