A new mass-mailing virus, currently labeled "Win32.Fizzer.A", has been spreading for the last few days. The payload of this virus contains a few interesting features:

- In addition to e-mail, the virus uses the P2P system Kazaa to spread.
- It will try to terminate anti-virus scanners.
- The virus includes a keystroke logger.
- It permits remote control via AOL Instant Messenger or IRC.

The IRC component is particularly interesting. It includes a long list of IRC servers. The infected system will join a password-protected channel on one of these servers and wait for commands. "Fizzer" attempts to hide its bot nature in this IRC channel by using a regular-looking name. Occasionally, the bots will "chat" by sending a random string to the channel. A summary from an IRC operator's perspective can be found in this mailing list post: http://www.dshield.org/pipermail/list/2003-May/008165.php

Counter Measures: Current anti-virus filters will detect 'Fizzer'. Stripping executable attachments will work as well.

Detection: The virus will create the files "iservc.exe" and "initbak.dat" in the infected machine's Windows directory. See the anti-virus vendor links below for a more complete list.

Removal: According to BullGuard antivirus, create an empty file 'UNINSTALL.PKY' in your Windows folder, wait one minute, and then delete the file progOp.exe from the Windows folder.

More details:
- http://www.dshield.org/pipermail/list/2003-May/008165.php
- http://www.bullguard.com/antivirus/vit_fizzer_a.aspx
- http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html
- http://vil.mcafee.com/dispVirus.asp?virus_k=100295
- http://www.kaspersky.com/news.html?id=977151
- http://www.microsoft.com/technet/security/virus/alerts/fizzer.asp

--------------------------------------------------------
please send any observations to isc@sans.org
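The attachment-stripping countermeasure mentioned above, as an added example that is not part of the original diary: a small Python mail filter that parses a raw message, drops any MIME part whose filename carries an executable extension (the extension list is an assumption), and reports what it removed. The sample message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as executable; assumed list, the diary only says "executable attachments".
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}


def is_executable_attachment(part) -> bool:
    """True if this MIME part carries a file whose name ends in an executable extension."""
    filename = part.get_filename()
    if not filename:
        return False
    name = filename.lower().strip()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def _strip(part, stripped):
    """Recursively drop executable attachments from a multipart container, in place."""
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        if is_executable_attachment(sub):
            stripped.append(sub.get_filename())
            continue
        _strip(sub, stripped)  # handles nested multipart/alternative etc.
        kept.append(sub)
    part.set_payload(kept)


def strip_executable_attachments(raw: bytes):
    """Parse a raw RFC 822 message, remove executable attachments, return (message, names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    _strip(msg, stripped)
    return msg, stripped


def build_sample() -> bytes:
    """Constructed test message: a text body, an .exe attachment and a harmless .txt file."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "check this out"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00constructed-not-a-real-binary",
                       maintype="application", subtype="octet-stream", filename="photo.exe")
    msg.add_attachment("hello", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_executable_attachments(build_sample())
    print("stripped:", removed)  # stripped: ['photo.exe']
    print(cleaned.as_string())
```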
Handlers, May 15th 2003