
Win32.Fizzer.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Fizzer.A@mm is also known as W32/Fizzer-A, I-Worm.Fizzer, W32.HLLW.Fizzer@mm, W32/Fizzer@MM.

Explanation:

This mass mailer can spread through e-mail and Kazaa, and has backdoor and keylogger abilities. The backdoor component uses mIRC and AIM (AOL Instant Messenger), allowing the author to issue commands on the victim's computer.

Usually, this virus arrives in e-mails whose attachments have one of the following extensions:
EXE, PIF, COM, SCR

The e-mail is constructed (subject, body) from various strings and may contain one of the following:

I thought this was interesting...
rather psychedelic...
found this on the net, you might like it...
discotheque
imbrue
Damn it feels good to be gangsta.
The way I feel - Remy Shand
Paradigm Shift
WASSUP!
Know Thyself
Hell
I love you
Please discard if you don't like or agree with our present leadership...
little popup remover
B cannot remember
Yo, WASSUP, B?
an interesting program...
You might not appreciate this...
I think you might find this amusing...
LOL
check this out... hehehe
question...
see you tomorrow.
how are you?
you need to lose weight.
why?
kind of simple, but fun nonetheless.
check it out.
I sent this program (Sparky) from anonymous places on the net.
The way to gain a good reputation is to endeavor to be what you desire to appear.
There is only one good, knowledge, and one evil, ignorance.
Watchin' the game, having a bud.
Did you ever stop to think that viruses are good for the economy? Maybe the primary creators of the world's worst viruses are the companies that make the Anti-Virus software.
Today is a good day to die...
so, how are you?
the attachment is only for you to look at
you must not show this to anyone...
delete this as soon as you look at it...
Let me know what you think of this...
If you don't like it, just delete it.
thought I'd let you know
you don't have to if you don't want to.

Once run, the virus attempts to terminate processes whose names contain:
NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS, NMAIN

It creates a mutex named SparkyMutex so that only one instance of itself runs in memory.

It harvests e-mail addresses from the Windows Address Book, Cookies, the Internet Temporary Files folder, and the My Documents folder, and stores them in the file data1-2.cab in the Windows folder. It uses the default configured MAPI program to send itself to the harvested e-mail addresses.

The mass-mailer uses a specific configuration file, in which it stores all its information. The virus uses an engine, Sparky, that could be updated (originally via an internet address).

The keylogger component (iservc.dll) saves captured keystrokes to the file iservc.klg or to a backup file, wavckb.dlb, located in the Windows folder.
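The indicators named above (attachment extensions, the SparkyMutex mutex, and the files dropped in the Windows folder) can be checked against listings collected from a host or a mail gateway. The following Python sketch is an added example, not BitDefender's code; the function names, the default `C:\WINDOWS` path and the sample data are assumptions made for illustration.

```python
import ntpath

# Names exactly as the write-up gives them; the four files sit in the Windows folder.
FIZZER_FILES = {
    "iservc.dll": "keylogger component",
    "iservc.klg": "captured keystrokes",
    "wavckb.dlb": "captured keystrokes (backup file)",
    "data1-2.cab": "harvested e-mail addresses",
}
FIZZER_MUTEX = "SparkyMutex"
ATTACHMENT_EXTS = {".exe", ".pif", ".com", ".scr"}


def file_hits(paths, windows_dir=r"C:\WINDOWS"):
    """Map each listed path that is a Fizzer artifact directly inside windows_dir to its role."""
    root = ntpath.normcase(ntpath.normpath(windows_dir))
    hits = {}
    for path in paths:
        folder, name = ntpath.split(ntpath.normpath(path))
        # Windows file names are case-insensitive, so compare in normalised case.
        if ntpath.normcase(folder) == root and name.lower() in FIZZER_FILES:
            hits[path] = FIZZER_FILES[name.lower()]
    return hits


def mutex_present(object_names):
    """True if a named-object listing contains the single-instance mutex."""
    # Mutex names compare case-sensitively and may carry a namespace prefix
    # (e.g. \BaseNamedObjects\), so match the last path component exactly.
    return any(n.rsplit("\\", 1)[-1] == FIZZER_MUTEX for n in object_names)


def risky_attachment(filename):
    """True if the effective extension is one the worm's mails use."""
    # Win32 path handling drops trailing dots and spaces: 'a.scr. ' runs as a.scr.
    effective = filename.rstrip(". ")
    return ntpath.splitext(effective)[1].lower() in ATTACHMENT_EXTS


# Constructed sample data, not taken from a real host.
SAMPLE_FILES = [r"C:\WINDOWS\ISERVC.DLL", r"c:\windows\iservc.klg",
                r"C:\WINDOWS\system32\kernel32.dll", r"D:\backup\iservc.dll"]
SAMPLE_OBJECTS = [r"\Sessions\1\BaseNamedObjects\SparkyMutex",
                  r"\BaseNamedObjects\sparkymutex_test"]

if __name__ == "__main__":
    print(file_hits(SAMPLE_FILES), mutex_present(SAMPLE_OBJECTS))
    print([f for f in ("photo.jpg.scr", "notes.txt", "setup.EXE. ") if risky_attachment(f)])
```

On systems where the Windows folder is not `C:\WINDOWS`, pass the actual path as `windows_dir`; a file with a matching name elsewhere on disk is deliberately not reported.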

It has backdoor abilities: it attempts to connect to a randomly chosen server from its list of IRC servers, joining a password-protected channel under a random nick, where the author can issue commands on the infected computer.

Last update 21 November 2011

 
