A new mass mailing virus, currently labeled "Win32.Fizzer.A" is spreading for the last few days. The payload of this virus contains a few interesting features:
- In addition to e-mail, the virus uses the P2P system Kazaa to spread.
- it will try to terminate anti virus scanners.
- The virus includes a key stroke logger
- In addition to permitting remote control via AOL Instant Messenger or IRC.
The IRC component is in particular interesting. It includes a long list of
IRC servers. The infected system will join a password protected channel on one
of these systems to wait for commands.
"Fizzer" attempts to hide its bot-nature in this IRC channel, by using regular
looking name. Occasionally, the bots will "chat" by sending a random string to the channel.
A summary from an IRC operator's perspective can be found in this mailing list
Current Anti Virus filters will detect 'Fizzer'. Stripping executable attachments will work as well.
The virus will create the files "iservc.exe" and "initbak.dat" in the infected machine's Windows directory. See the Anti Virus vendor links below for a more complete list.
According to BullGuard antivirus, create an empty file 'UNINSTALL.PKY' in your Windows folder, wait one minute and then delete the file progOp.exe from the Windows folder.
please send any observations to email@example.com
May 15th 2003
1 decade ago