Discovered on May/08/03, Fizzer (a.k.a. W32/Fizzer@MM, W32/Fizzer.A, and Worm/Fizzu.A worm) spreads via email and the KaZaA P2P network. According to antivirus vendor F-Secure, Fizzer contains a built-in IRC backdoor, a DoS (Denial of Service) attack tool, a data stealing trojan, an HTTP server and autoupdating capabilities. The worm also has the ability to disable certain antivirus programs. "This is one of the more complicated worms we've seen", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "The worm is 200kB of code spaghetti, containing backdoors, code droppers, attack agents, key loggers and even a small web server!"
Fizzer culls addresses from both the Windows and Outlook Address Book and also uses random Yahoo and Hotmail addresses. "Fizzer actually creates random e-mail addresses and targets them", explains Hypponen. "This is done by picking random names and numbers and creating addresses belonging to large services such as Hotmail - these addresses might look like BOB246@MSN.COM or JACK555@YAHOO.COM."
The email message composed by Fizzer is randomly derived from a long list of internal selections and may appear in either English or German. The email attachment will also be randomly named, but will have either a .COM, .EXE, .PIF, or .SCR extension.
Fizzer also targets the KaZaA P2P (peer to peer) network, copying itself to the KaZaA shared folder under a variety of filenames. KaZaA participants who download from the shared folder on an infected machine risk receiving the infected files.
The Fizzer worm kills processes which have NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS, or NMAIN in their name. This action disables certain antivirus tasks or programs. Affected products include the popular Norton Antivirus and McAfee VirusScan software.
Fizzer also installs a keylogging Trojan that records keystrokes to a log file, which can then be retrieved through a backdoor utility also installed by Fizzer. The backdoor is accessible via IRC channels, HTTP, and Telnet. Fizzer automatically updates itself, so additional functionality may be added or changes made that affect how the worm works.