Avoiding and Removing the Fizzer Worm

Dillinger (Guerrilla Ontologist; joined Sep 19, 2000; 26,152 posts)
W32.HLLW.Fizzer@mm is a mass-mailing worm that sends itself to all contacts in the Windows Address Book. It contains a backdoor that uses mIRC to communicate with a remote attacker. It also contains a keylogger and attempts to spread through the KaZaA file-sharing network. The worm attempts to terminate the process of various antivirus programs if they are found to be active.

Symantec Security Response has created a tool to remove W32.HLLW.Fizzer@mm - http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer.removal.tool.html

Also Known As: W32/Fizzer@MM [McAfee], Win32.Fizzer [CA], W32/Fizzer-A [Sophos], WORM_FIZZER.A [Trend], Fizzer [F-Secure], Win32/Fizzer.A@mm [RAV], I-Worm.Fizzer [KAV]

Type: Worm
Infection Length: 241,664 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

------------------

Article from eWeek magazine:

The Fizzer worm continued to spread rapidly late Monday afternoon as anti-virus experts raced to analyze the code of what they called one of the more complex worms in recent memory. First seen late last week, Fizzer began spreading in Asia initially but then hit Europe and North America hard Monday as office workers started to open e-mails received over the weekend.
As of 4:30 EDT Monday, MessageLabs Inc., a managed service provider in New York that tracks virus activity, had seen more than 25,000 copies of the worm, making it the fifth-most prevalent virus on the Internet this month.

"This is one of the more complicated worms we've seen", comments Mikko Hypponen, manager of anti-virus research at F-Secure Corp., based in Helsinki, Finland. "The worm is 200kB of code spaghetti, containing backdoors, code droppers, attack agents, key loggers and even a small Web server."

The new worm has several other capabilities that make it particularly troubling and dangerous. Fizzer includes an IRC bot that attempts to connect to a number of different IRC servers and, once it establishes a connection, listens passively for further instructions. This kind of activity is often the precursor to a distributed DoS (denial-of-service) attack. The worm also has the ability to create a new user account on AIM (AOL Instant Messenger), join a chat session and then listen for instructions.
But perhaps the most interesting aspect of Fizzer is the HTTP server it contains. The server runs on a configured TCP port and in effect acts as a command console, according to an analysis of the worm by the AVERT team at McAfee Security, part of Network Associates Inc., in Santa Clara, Calif. The console gives the attacker a wealth of information about the infected system, such as its operating system, connection information, and IRC and AIM data.

The HTTP server also gives the attacker the ability to remotely launch DoS attacks, further propagate the worm via e-mail, issue commands to the IRC and AIM bots, and kill anti-virus applications.

The keystroke logger records every typed letter and saves the log in an encrypted file on the infected machine. If the infected PC has the Kazaa file-sharing program installed, Fizzer also has the ability to find the default download location for Kazaa files and copy itself to that folder. It will have a random filename and could easily be mistaken for a media file and downloaded by another Kazaa user.

At its heart, Fizzer is a mass-mailing worm that arrives in users' mailboxes in an e-mail with a random subject line and body text. The attachment containing the worm is an executable file, but has a random name and may also have a random file extension that disguises the fact that it is an executable.

Article located at http://www.eweek.com/article2/0,3959,1079560,00.asp
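A defender-side check for the disguise the article describes (a Windows executable carrying a non-executable extension so it passes as a media file in a file-sharing download folder or as a mail attachment), as an added Python example that is not part of the original post or of any vendor tool. The folder layout, file names and byte contents are constructed sample data.

```python
import os
import tempfile

# Extensions under which a Windows PE image is legitimately expected.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".sys", ".ocx"}


def is_pe_image(path):
    """True if the file starts with the 'MZ' DOS header every Windows PE binary carries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_disguised_executables(directory):
    """Walk a folder (e.g. a file-sharing download directory) and return files that are
    PE binaries by content but carry a non-executable extension such as .mp3 or .avi."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXECUTABLE_EXTENSIONS and is_pe_image(path):
                hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data: a fake shared folder holding one genuine MP3, one
    honestly named executable and one PE image hiding behind a media extension."""
    base = tempfile.mkdtemp(prefix="fizzer_demo_")
    samples = {
        "song.mp3": b"ID3\x03\x00" + b"\x00" * 32,            # real ID3/MP3 header
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 32,            # PE under an honest name
        "hot_video_clip.avi": b"MZ\x90\x00" + b"\x00" * 32,   # PE disguised as media
    }
    for name, payload in samples.items():
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(payload)
    return base


if __name__ == "__main__":
    folder = build_sample_tree()
    for hit in find_disguised_executables(folder):
        print("disguised executable:", hit)
```

Content-based checks like this one catch the lure regardless of which random name or extension the worm picks, which a filename blacklist cannot.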
 
sounds like a nasty little bugger -

I like the description "listens passively for more instructions"


sounds like some special forces raid - I'll try and head them off at the pass
 