Disinfection instructions for Aliz worm can be found
Aliz worm became widely spread in the end of November 2001. The
worm activates automatically while reading an infected email
Aliz is a very small e-mail worm written in pure Assembly. The
worm's file is only 4 kilobytes long and its code is compressed.
It can be considered one of the smallest Win32 worms ever
When the worm is run, it first unpacks itself and then passes
control to API address setup routine. When all needed API
addresses are collected, the control is passed to the main worm's
code. The worm checks the Registry for the location of Windows
Address Book file and loads it into memory. The worm then
connects to default SMTP server (for SMTP server info the worm
checks Internet Account Manager data in the Registry) and sends
itself to all recepients of Windows Address Book. The infected
message looks like that:
Subject: <randomly composed from several different parts, see below>
Body: <empty multi-part MIME message with HTML formatting and i-frame trick>
The subject of infected message is randomly composed from 5
(sometimes less) different parts:
- check it
For example a subject can be: "Fw: Cool pictures i found !!" or
"Nice website to check hehe ;-)".
The message contains a MIME-encoded attachment - the worm's file
with 'Whatever.exe' name. The body is an empty multi-part MIME
message with HTML formatting and i-frame trick that was
previously found in Nimda and Klez worms. Because of this trick
on some systems the worm is able to self-launch itself when an
infected e-mail is viewed (for example, with Outlook and IE 5.0
or 5.01). To do this the worm uses a known vulnerability in IE
that allows execution of an email attachment. This vulnerability
is fixed and a patch for it is available on Microsoft site:
Some e-mail browsers where i-frame trick doesn't work can show
the word 'peace' in infected e-mail message's body.
The worm doesn't install itself to system, it runs, sends itself
out and terminates its process in case of errors.
The worm contains the following text strings that are never
while typing this text i realize this text got added on many av
description sites, because this silly worm could be easily a
hype. i wonder which av claims '[companyname] stopped high risk
worm before it could escape!' or shit like that. heh, or they
boycot my virus because of this text. well, it is easy enough
for the poor av's to add this worm; since it was only released
as source in coderz#2... btw, loveletter*2 power in pure win32asm
and only a 4k exe file. heh, vbs kiddies, phear win32asm. :)
thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx,
t-2000!ir, ultras!mtx & sweet gigabyte...
btw,burgemeester van sneek: ik zoek nog een baantje...
F-Secure Anti-Virus detects Aliz worm since May 2001.
[Analysis: Alexey Podrezov; F-Secure Corp.; November 19th, 2001]