F-Secure Virus Descriptions : Fizzer



THIS VIRUS IS RANKED AS LEVEL 1 ALERT UNDER F-SECURE RADAR.

NAME: Fizzer
ALIAS: W32/Fizzer@MM, W32/Fizzer.A, Sparky

F-Secure is upgrading the Fizzer worm to Level 1 as this complex e-mail/P2P worm continues to spread rapidly. It is currently one of the most widespread viruses in the world.

Fizzer is a complex e-mail worm that appeared on May 8, 2003. The worm spreads in e-mail and on the Kazaa P2P (peer-to-peer) file-sharing network. It contains a built-in IRC backdoor, a DoS (Denial of Service) attack tool, a data-stealing Trojan (using an external keylogger DLL), an HTTP server and other components. The worm also terminates the processes of certain anti-virus programs, and it can update itself automatically.

The Fizzer worm spreads in e-mails as an attachment with .EXE, .PIF, .SCR and .COM extensions. The worm randomly selects attachment names and message subjects and bodies from its internal lists. It collects e-mail addresses from Windows and Outlook Address Books on an infected computer and from different files on a hard disk.

F-Secure provides a special disinfection tool for the Fizzer worm. See the bottom of the page for more info.


Technical Description

The worm spreads its dropper as an e-mail attachment. When a user runs the dropper, it writes a file called ISERVC.EXE to a temporary folder and executes it. ISERVC.EXE is the main component of the worm. It copies itself to the Windows directory under the following names:

 ISERVC.EXE
 INITBAK.DAT

Then it drops 2 more files in the Windows directory:

 ISERVC.DLL
 PROGOP.EXE

ISERVC.DLL is the key-logging component and PROGOP.EXE is pure dropper code. Before sending itself out, the worm re-assembles its file using this dropper.

The ISERVC.EXE file contains the string 'Sparky will reign.' in its header.

It should be noted that the worm uses its resource section to store its own text strings and additional files that it drops. This method is very rarely used by malicious programs.

The worm creates a startup key for its main component in System Registry:

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "SystemInit" = "%windir%\iservc.exe"

where %windir% is the Windows main directory. As a result, the main file of the worm is activated for each Windows session.

Additionally, the worm hijacks the shell 'open' command for text files, so that opening a .TXT file runs ProgOp.exe with Notepad's original command line, the INITBAK.DAT copy and the worm's main file as its arguments:

 [HKEY_CLASSES_ROOT\txtfile\shell\open\command]

 @ = "%windir%\ProgOp.exe 0 7 '%windir%\NOTEPAD.EXE %1' '%windir%\initbak.dat' '%windir%\iservc.exe'"

where %windir% is the Windows main directory.

The main file of the worm has 5 resources in its body. All resources except the first one are encrypted and compressed. The first resource is only compressed. The structure of the resources is the following:

 - e-mail address list -
 - progop.exe file     -
 - iservc.dll file     -
 - behaviour script    -
 - text strings        -

The behaviour script contains major settings for the worm, such as its installation name and folder. This script also controls the worm's behaviour in certain conditions. For example, when the date changes the worm logs out from IRC, waits for some time and then logs back in.


Spreading in e-mails

The Fizzer worm collects e-mail addresses from Windows and Outlook Address Books on an infected computer and from different files in personal folders, cookie folders, the recently opened files folder and Internet cache directories.

The worm forges the sender address of infected messages, composing it at random from its large internal lists. The forged address consists of a name (taken from the internal list, for example 'Rebecca'), a random number and one of these domains:

 msn.com
 hotmail.com
 yahoo.com
 aol.com
 earthlink.net
 gte.net
 juno.com
 netzero.com

The worm sends itself to all the addresses it finds, selecting subjects, bodies and attachment names at random from its large internal lists. It can also use the names of innocent files from the infected system's hard disk for its attachment. The attachment extension is .EXE, .PIF, .SCR or .COM. Here is an example of what an infected e-mail message might look like:

Subject:

 I thought this was interesting...

Body:

 If you don't like it, just delete it.

Attachment:

 Jesus123.exe

The worm can also use German strings to compose e-mail messages.
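
The message traits above (executable attachment extensions, forged free-mail sender) are what a mail gateway would key on. The following is an added example in Python, not F-Secure code and not taken from the worm: it parses a message with the standard library and reports those indicators. The sample message is constructed to match the example above; the helper names and the assumption that the forged local part has the shape name-then-digits are ours.

```python
"""Mail-gateway check for the Fizzer message traits described above.

Added example, not F-Secure code and not taken from the worm: it parses a
MIME message with the standard library and flags executable attachments with
the worm's extensions and From: addresses that fit its spoofing pattern
(a name, digits, one of the listed free-mail domains). The sample message is
constructed here; the name-then-digits shape is an assumption.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

WORM_ATTACHMENT_EXTENSIONS = (".exe", ".pif", ".scr", ".com")
SPOOFED_SENDER_DOMAINS = {"msn.com", "hotmail.com", "yahoo.com", "aol.com",
                          "earthlink.net", "gte.net", "juno.com", "netzero.com"}
_SPOOF_LOCALPART_RE = re.compile(r"[A-Za-z]+\d+")


def executable_attachments(msg):
    """Return attachment file names whose extension is on the worm's list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(WORM_ATTACHMENT_EXTENSIONS):
            names.append(name)
    return names


def looks_like_spoofed_sender(from_header):
    """True when From: is <letters><digits>@<one of the worm's domains>."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    return (domain.lower() in SPOOFED_SENDER_DOMAINS
            and _SPOOF_LOCALPART_RE.fullmatch(local) is not None)


def classify(raw_message):
    """Parse a raw message and return the Fizzer indicators found in it."""
    msg = message_from_string(raw_message, policy=policy.default)
    attachments = executable_attachments(msg)
    spoofed = looks_like_spoofed_sender(str(msg["From"] or ""))
    # Quarantine on the attachment alone: a free-mail sender by itself is
    # common and would cause false positives.
    return {"executable_attachments": attachments,
            "spoofed_sender": spoofed,
            "quarantine": bool(attachments)}


def build_sample_message():
    """Constructed message shaped like the page's example (not a capture)."""
    msg = EmailMessage()
    msg["From"] = "Rebecca4021@msn.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "I thought this was interesting..."
    msg.set_content("If you don't like it, just delete it.")
    # Stand-in bytes, not the worm: a DOS header stub padded with zeros.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename="Jesus123.exe")
    return msg.as_string()
```

`classify(build_sample_message())` flags the attachment and the forged sender and returns `quarantine: True`. The sender check is only corroborating evidence: the domains are ordinary free-mail providers, so the quarantine decision rests on the executable attachment.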


Spreading in Kazaa P2P networks

The worm is capable of spreading itself in Kazaa P2P (peer-to-peer) file sharing networks. The Fizzer worm locates the Kazaa shared folder on an infected computer and copies itself there with random names. Any person who connects to an infected computer and executes files downloaded from its shared folder becomes infected with the worm.


Keylogging trojan

The worm records the user's keystrokes and writes them to the file ISERVC.KLG in the Windows folder. An attacker who retrieves this file obtains the user's login names and passwords as well as other confidential data.


AOL backdoor

The worm connects to the AOL Instant Messenger (AIM) service on port 5190 under a random user name and acts as a bot. An attacker can contact the bot and control the worm remotely.


IRC backdoor

The worm tries to connect to various IRC servers and join certain channels there as a bot. The author of the worm can use these bots to get limited access to infected systems. The worm carries a long list of IRC servers in its resources. Here are some of the IRC server names that the worm uses:

 irc.afternet.org
 irc.dal.net
 irc.eu.dal.net
 irc.ablenet.org
 irc.abovenet.org
 irc.accessirc.net
 irc.aceirc.net
 irc.all-defiant.org
 irc.allochat.net
 irc.alphanine.net
 irc.altnet.org
 irc.amcool.net
 irc.amiganet.org
 irc.angeleyez.net
 irc.aniverse.com
 irc.another.net
 irc.arabchat.org
 irc.arabmirc.net
 irc.astrolink.org
 irc.asylum-net.org
 irc.auirc.net
 irc.aurosoniq.net
 irc.auscape.org
 irc.aussiechat.org
 irc.awesomechat.net
 irc.awesomechristians.com
 irc.axenet.org
 irc.aXpi.net
 irc.ayna.org
 irc.azzurra.org
 irc.bahamutirc.net
 irc.bappy.eu.org
 irc.bdsm-net.com
 irc.beyondirc.net


Additional backdoor capabilities

The worm has additional backdoor capabilities. It listens on ports 2018-2021 for commands from a remote host (the attacker's computer). The ports serve the following purposes:

2018 - command port (sending/receiving commands)

2019 - file port (sending/receiving files)

2020 - console port (remote console)

2021 - video port (capturing video and sending it out)

The worm's author accesses these ports with a purpose-built backdoor client, but the console port can also be reached with an ordinary Telnet client. The remote console gives the attacker access to the infected computer as if sitting at it locally.

The worm can also start an HTTP server on port 81 to provide additional access to an infected computer.


Payload

The worm terminates the processes of certain anti-virus programs: it kills every process whose name contains one of the following strings:

 NAV
 SCAN
 AVP
 TASKM
 VIRUS
 F-PROT
 VSHW
 ANTIV
 VSS
 NMAIN

Because the match is on substrings, TASKM also covers Windows Task Manager (TASKMGR.EXE). The worm can also perform a DoS (Denial of Service) attack when it receives a specific command from the remote attacker.


Autoupdating feature

The worm has the ability to update itself from a web site. It connects to a web site, downloads an update and saves it as UPD.BIN file in the Windows main folder. However, the web site with the updates for the worm is no longer available.


Uninstallation feature

The current variant of the worm can uninstall itself if a file with the following name is found in the Windows main directory:

 Uninstall.pky

When the worm finds a file with this name, it kills all its tasks and removes its registry keys thus disinfecting a system.


Manual disinfection instructions

To remove the worm, delete its files from the Windows main directory and from the Kazaa shared folder, and undo its registry changes. First download and run the following registry patch:

ftp://ftp.europe.f-secure.com/anti-virus/tools/fix_fizz.reg

After applying the patch, restart your system. After the restart you can delete the following files from your Windows main directory manually:

 ISERVC.DLL
 PROGOP.EXE
 ISERVC.EXE
 INITBAK.DAT

If you are using F-Secure Anti-Virus, scan all your hard disks after restarting your computer. FSAV version 5.40 and later renames all files of the Fizzer worm automatically. If you have FSAV 5.31 or an earlier version, select "Rename" as the disinfection action.
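
The indicators spread across this page (the Run key and the wrapped txtfile handler from the Technical Description, the dropped files, the backdoor and HTTP listening ports, the anti-virus kill list, and the files the manual disinfection removes) can be checked together before and after cleanup. The following is an added Python example, not F-Secure's disinfection tool and not code from the worm. It inspects a constructed host snapshot rather than a live machine; the snapshot, the function names and the assumption that the kill list is matched case-insensitively are ours. It also recovers the original Notepad command from inside the ProgOp.exe wrapper, which is what a registry fix must restore.

```python
"""Host triage for the Fizzer indicators described on this page.

Added example, not F-Secure's disinfection tool and not code from the worm:
it inspects a constructed host snapshot (registry values, a Windows-directory
listing, 'netstat -an' lines, a process list) and reports the indicators it
finds. Case-insensitive matching for the kill list is an assumption.
"""
import re

# Files the worm drops in the Windows directory, plus its keylog and update files.
FIZZER_FILES = {"iservc.exe", "initbak.dat", "iservc.dll", "progop.exe",
                "iservc.klg", "upd.bin"}
# Ports the worm listens on: backdoor command/file/console/video and HTTP.
FIZZER_LISTEN_PORTS = {2018: "command", 2019: "file", 2020: "console",
                       2021: "video", 81: "http"}
# Substrings of process names the worm kills.
KILL_LIST = ["NAV", "SCAN", "AVP", "TASKM", "VIRUS", "F-PROT", "VSHW",
             "ANTIV", "VSS", "NMAIN"]

_ARG_RE = re.compile(r"'([^']*)'|(\S+)")
_NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def split_handler_command(cmd):
    """Split a shell\\open\\command value into arguments.

    Single-quoted arguments (the form the worm writes) may contain spaces and
    backslashes must stay literal, so a small regex is used instead of shlex.
    """
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmd)]


def recover_original_handler(txtfile_cmd):
    """Return the original Notepad command hidden inside a ProgOp.exe wrapper.

    The hijacked value is "<ProgOp.exe> 0 7 '<original>' '<initbak>' '<worm>'",
    so the first quoted argument is what a registry fix must restore.
    Returns None when the value is not wrapped.
    """
    args = split_handler_command(txtfile_cmd)
    if len(args) < 6 or not args[0].lower().endswith("progop.exe"):
        return None
    return args[3]


def check_registry(run_values, txtfile_cmd):
    """Flag the Run-key entry and the hijacked txtfile handler."""
    findings = []
    for name, value in run_values.items():
        if name.lower() == "systeminit" or "iservc.exe" in value.lower():
            findings.append(f"Run value {name!r} starts {value}")
    original = recover_original_handler(txtfile_cmd)
    if original is not None:
        findings.append(f"txtfile handler wrapped by ProgOp.exe; restore {original!r}")
    return findings


def check_windir(listing):
    """Return the Fizzer file names present in a Windows-directory listing."""
    return [name for name in listing if name.lower() in FIZZER_FILES]


def listening_backdoor_ports(netstat_lines):
    """Map Fizzer ports found LISTENING in 'netstat -an' output to their role."""
    found = {}
    for line in netstat_lines:
        m = _NETSTAT_RE.match(line)
        if m and int(m.group(1)) in FIZZER_LISTEN_PORTS:
            found[int(m.group(1))] = FIZZER_LISTEN_PORTS[int(m.group(1))]
    return found


def processes_the_worm_kills(process_names):
    """Return processes whose names contain a kill-list substring.

    Substring matching has collateral: 'TASKM' also matches TASKMGR.EXE.
    """
    return [p for p in process_names if any(s in p.upper() for s in KILL_LIST)]


def triage(snapshot):
    """Run all checks over one host snapshot and return the findings."""
    return {
        "registry": check_registry(snapshot["run_values"], snapshot["txtfile_cmd"]),
        "files": check_windir(snapshot["windir"]),
        "ports": listening_backdoor_ports(snapshot["netstat"]),
        "kill_collateral": processes_the_worm_kills(snapshot["processes"]),
    }


# Constructed snapshot of an infected host; not captured from a real machine.
SAMPLE_SNAPSHOT = {
    "run_values": {"SystemInit": r"%windir%\iservc.exe",
                   "ctfmon.exe": r"%windir%\system32\ctfmon.exe"},
    "txtfile_cmd": (r"%windir%\ProgOp.exe 0 7 '%windir%\NOTEPAD.EXE %1' "
                    r"'%windir%\initbak.dat' '%windir%\iservc.exe'"),
    "windir": ["explorer.exe", "ISERVC.EXE", "initbak.dat", "iservc.dll",
               "ProgOp.exe", "ISERVC.KLG", "win.ini"],
    "netstat": ["  TCP    0.0.0.0:81       0.0.0.0:0        LISTENING",
                "  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING",
                "  TCP    0.0.0.0:2018     0.0.0.0:0        LISTENING",
                "  TCP    0.0.0.0:2020     0.0.0.0:0        LISTENING",
                "  TCP    10.0.0.5:1045    10.0.0.9:5190    ESTABLISHED"],
    "processes": ["explorer.exe", "taskmgr.exe", "navapw32.exe", "iservc.exe"],
}
```

Run `triage(SAMPLE_SNAPSHOT)` to see the findings for the constructed host; after cleanup the same call on a fresh snapshot should return empty lists and an empty port map. The Run-key entry is recognised by its `SystemInit` name and by the `iservc.exe` target, so a renamed value still shows up; the recovered handler is the only piece of state that has to be put back rather than deleted.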


Disinfection tool

F-Secure provides a special disinfection tool for the Fizzer worm. The tool can be downloaded freely from our ftp site:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-fizzer.zip

Disinfection instructions can be found here:

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-fizzer.txt


Detection

F-Secure Anti-Virus detects Fizzer worm with the updates published on May 9th, 2003:

Version=2003-05-09_03

[Description: F-Secure Anti-Virus Research Team; May 9-15th, 2003]