CRIME Fizzer Worm Characteristics

From: George Heuston (geoneve@private)
Date: Wed May 14 2003 - 09:22:20 PDT


    NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE
    COORDINATION CYBER ADVISORY
    
    
    Subject: OCSCIC Medium level advisory - Fizzer worm
    
    OVERVIEW:
     A new worm called FIZZER has been found which presents a more dangerous
    infection because it contains a backdoor and keystroke logger.  All
    versions of Microsoft Windows are susceptible. Fizzer is an Internet
    worm which spreads through email attachments. The worm will attempt to
    disable anti-virus software. It installs a keylogger which saves all
    keystrokes to an encrypted file. The worm uses its own engine to either
    send its copies to addresses which are extracted from the Outlook and
    Windows address books or are randomly generated. Via email, the worm
    arrives as a file attachment with a .EXE, .PIF, .COM, or .SCR extension.
    
    -------------------------- Specifics below --------------------------
     SYSTEMS AFFECTED:
     Microsoft Windows 95, 88, NT, 2000, XP and ME
    
    DESCRIPTION:
     Fizzer is an Internet worm which spreads through email attachments and
    via KaZaA and other P2P file-sharing networks.
     - The worm uses its own SMTP engine to either send its copies to
    addresses which are extracted from the Outlook and Windows address books
    or are randomly generated. Via email, the worm arrives as a file
    attachment with a .EXE, .PIF, .COM, or .SCR extension.
     - The worm will attempt to disable anti-virus software.
     - It installs a keylogger which saves all keystrokes to an encrypted
    file iservc.klg within the Windows directory.
     - Fizzer can also connect to IRC (Internet Relay Chat) servers and join
    channels so that it can perform its backdoor routines.
    
    MITIGATING FACTORS:
     Up-to-date antivirus signatures should protect against this worm
    
    SOLUTION/WORKAROUND:
     Make sure your virus software is up-to-date.
    
    REFERENCES
     SYMANTEC
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html
     MCAFEE     http://vil.mcafee.com/dispVirus.asp?virus_k=100295
     KASPERSKY  http://www.viruslist.com/eng/index.html?tnews=1008&id=60435
     SOPHOS     http://www.sophos.com/virusinfo/analyses/w32fizzera.html
     NORMAN     http://www.norman.com/virus_info/w32_fizzer_a_mm.shtml
     TREND
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FIZZER.A
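
Added example, not part of the original advisory or message: a defensive check for the two indicators the advisory names, the attachment extensions (.EXE, .PIF, .COM, .SCR) and the keylogger file iservc.klg. The function names, the sample message and its addresses are constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment extensions the advisory lists for Fizzer's e-mail copies.
BLOCKED_EXTENSIONS = {"exe", "pif", "com", "scr"}
# Keylogger output file the advisory names, kept in the Windows directory.
KEYLOG_FILENAME = "iservc.klg"


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return attachment filenames whose final extension is blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walks nested multiparts as well
        name = part.get_filename()  # decodes RFC 2231 encoded names
        if not name:
            continue
        # Windows drops trailing dots and spaces from file names, so a file
        # saved as "x.scr." ends up as x.scr; strip them before matching.
        _, dot, ext = name.rstrip(". ").rpartition(".")
        if dot and ext.lower() in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def keylog_files(windows_dir: str) -> list[str]:
    """Return entries in windows_dir that match the keylogger file name."""
    return [n for n in os.listdir(windows_dir) if n.lower() == KEYLOG_FILENAME]


def build_sample() -> bytes:
    """Constructed test message: two risky attachments, two harmless."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for name in ("Report.doc.PIF", "notes.pdf", "saver.SCR.", "photo.com.txt"):
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(risky_attachments(build_sample()))
```

Only the last extension is matched, so a double extension such as Report.doc.PIF is flagged while photo.com.txt is not.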
    


