Home / malware Worm:W32/Fizzer
First posted on 27 July 2010.
Source: SecurityHomeAliases :
There are no other names known for Worm:W32/Fizzer.
Explanation :
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
Additional Details Worm:W32/Fizzer spreads in infected e-mail messages and in the Kazaa peer-to-peer (P2P) file-sharing network.
Below is a screenshot of a Fizzer e-mail message:
The Fizzer worm contains a built-in IRC backdoor, a Denial of Service (DoS) attack tool, a data-stealing Trojan (uses external keylogger DLL), an HTTP server and other components. The worm has the functionality to kill the tasks of certain anti-virus programs. Additionally, the worm has automatic updating capabilities.
Note
Fizzer is a complex e-mail worm that appeared on May 8, 2003.
F-Secure is upgrading the Fizzer worm to Level 1 as this complex e-mail/P2P worm continues to spread rapidly. It is currently one of the most widespread viruses in the world.
Installation
The worm spreads its dropper as an e-mail attachment. When a user activates a dropper, it creates a file called ISERVC.EXE in a temporary folder and activates it.
The ISERVC.EXE file is the main component of the worm. It copies itself to the Windows directory with the following names:
€ ISERVC.EXE € INITBAK.DAT
It then drops 2 more files in the Windows directory:
€ ISERVC.DLL € PROGOP.EXE
The ISERVC.DLL file is a key-logging component and the PROGOP.EXE file is a pure dropper code. Before sending itself out, the worm re-assembles its file using this dropper.
The ISERVC.EXE file contains the 'Sparky will reign.' string in its header, as shown in the screen shot:
It should be noted that the worm uses its resource section to store its own text strings and additional files that it drops. This method is very rarely used by malicious programs.
The main file of the worm has 5 resources in its body. All of the resources except the first one are encrypted and compressed. Only the first resource is compressed. The structure of the resources are the following:
€ e-mail address list € progop.exe file € iservc.dll file € behavior script € text strings
The behavior script contains major settings for the worm, such as its installation name and folder. This script also controls the worm's behavior in certain conditions. For example, when the date changes, the worm logs out from IRC, waits for some time and then logs back in again.
Payload
The worm has the ability to kill the tasks of certain anti-virus programs. It kills all processes with the following strings in their names:
€ NAV € SCAN € AVP € TASKM € VIRUS € F-PROT € VSHW € ANTIV € VSS € NMAIN
The worm can perform a DoS (Denial of Service) attack if it receives a specific command from a remote hacker.
The worm has the ability to update itself from a web site. It connects to a web site, downloads an update and saves it as UPD.BIN file in the Windows main folder. However, the web site with the updates for the worm is no longer available.
The worm can also uninstall itself if a file with the following name is found in the Windows main directory:
€ Uninstall.pky
When the worm finds a file with this name, it kills all its tasks and removes its registry keys thus disinfecting a system.
Keylogging Trojan
The worm records users' keystrokes and writes them into an ISERVC.KLG file located in the Windows folder. This file can be picked by a hacker, so he can get access to users' login names and passwords as well as to their confidential data.
AOL Backdoor
The worm connects to the AOL server on port 5190 with a random user name, creating a bot. A hacker can then establish a connection to the bot and remotely control the worm.
IRC Backdoor
The worm tries to connect to different IRC servers and create bots in a certain channels there. The author of the worm can use these bots to get limited access to infected systems.
The worm has a long list of IRC servers in its resources. Here are some of the IRC server names that the worm uses:
€ irc.afternet.org € irc.dal.net € irc.eu.dal.net € irc.ablenet.org € irc.abovenet.org € irc.accessirc.net € irc.aceirc.net € irc.all-defiant.org € irc.allochat.net € irc.alphanine.net € irc.altnet.org € irc.amcool.net € irc.amiganet.org € irc.angeleyez.net € irc.aniverse.com € irc.another.net € irc.arabchat.org € irc.arabmirc.net € irc.astrolink.org € irc.asylum-net.org € irc.auirc.net € irc.aurosoniq.net € irc.auscape.org € irc.aussiechat.org € irc.awesomechat.net € irc.awesomechristians.com € irc.axenet.org € irc.aXpi.net € irc.ayna.org € irc.azzurra.org € irc.bahamutirc.net € irc.bappy.eu.org € irc.bdsm-net.com € irc.beyondirc.net
Additional Backdoor Capabilities
The worm has additional backdoor capabilities. It listens to ports 2018-2021 for commands from a remote host (the hacker's computer). The ports are used for the following purposes:
€ 2018 - command port (sending/receiving commands) € 2019 - file port (sending/receiving files) € 2020 - console port (remote console) € 2021 - video port (capturing video and sending it out)
The worm's author can access these ports with a backdoor program's specially-modified client; the remote console port can be connected to a Telnet application. Here's how the remote console looks like:
The worm can also start an HTTP server on port 81 to provide additional access to an infected computer. Here's a screen shot of the worm's HTTP server interface:
Propagation (E-mail)
The Fizzer worm primarily spread via infected e-mail attachments. To create the e-mail messages that serve as carriers for the attachments, the worm randomly selects message subjects and bodies from its internal lists, which are quite big.
The infected attachments are also named by randomly selecting a name from its internal lists. Attachment extensions can be either in .EXE, .PIF, .SCR or .COM. The worm can also use the names of innocent files from an infected system's hard disk for its attachment name.
The worm also spoofs, or fakes, the sender's e-mail address; to do so, it composes fake addresses by combining selections from its internal lists. The fake sender's e-mail address may contain a name (for example, Rebecca), a random number and one of these domains:
€ msn.com € hotmail.com € yahoo.com € aol.com € earthlink.net € gte.net € juno.com € netzero.com
The Fizzer worm collects e-mail addresses from the Windows and Outlook Address Books on the infected computers. It also collects e-mail addresses from files in the machine's personal folders, cookie folders, recently opened files folders and Internet cache directories.
The worm sends itself in e-mail messages to all the addresses it finds. Here is an example of what an infected e-mail message might look like:
€ Subject: I thought this was interesting... € Body: If you don't like it, just delete it. € Attachment: Jesus123.exe
The worm is able able to use German strings to compose the e-mail messages.
Propagation (File-Sharing)
The Fizzer worm locates the Kazaa shared folder on an infected computer and copies itself there with random names.
Any person who connects to an infected computer and executes files downloaded from its shared folder becomes infected with the worm.
Registry
The worm creates a startup key for its main component in the registry. As a result, the main file of the worm is activated for each Windows session.
Additionally, the worm modifies the text file startup string:
€ [HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@ = "%windir%\ProgOp.exe 0 7 '%windir%\NOTEPAD.EXE %1'
'%windir%\initbak.dat' '%windir%\iservc.exe'
Where %windir% is the Windows main directory.
Detection
F-Secure Anti-Virus detects Fizzer worm with the updates published on May 9th, 2003:
Version=2003-05-09_03Last update 27 July 2010