Classification

Category: Malware

Type: Worm

Aliases: Aliz, Win32.Aliz, W95/Aliz.a, Peace

Summary


The Aliz worm became widely spread in the end of November 2001. The worm activates automatically while reading an infected email message.

Removal


Aliz worm is relatively easy to disinfect.

  1. If you don't have F-Secure Anti-Virus (FSAV from now on) you can download a trial version from our website: https://www.europe.f-secure.com/download-purchase/
  2. If you already have F-Secure Anti-Virus or if you are using a trial version, please download the latest updates from our website:https://www.europe.f-secure.com/download-purchase/updates.shtml
  3. Download and apply Microsoft's security patch against automatic activation of email attachments: https://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
  4. Restart your system.
  5. Scan all your hard drives with FSAV.
    • When FSAV detects the Aliz worm in some file, select 'Delete' disinfection action. This will remove the worm's file from your system.
    • VERY IMPORTANT! If FSAV detects an infection in your email database (PST, MDB and other files), DO NOT delete this file or you will loose all your emails. You will need to delete all infected messages from your email database using your email client and then to compact these databases to purge deleted emails. After that FSAV will not find infected message any more.
  6. After disinfection it is recommended to scan your system with FSAV again to ensure that no infected files are left.
Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Aliz is a very small email worm written in pure Assembly. The worm's file is only 4 kilobytes long and its code is compressed. It can be considered one of the smallest Win32 worms ever created.

When the worm is run, it first unpacks itself and then passes control to API address setup routine. When all needed API addresses are collected, the control is passed to the main worm's code. The worm checks the Registry for the location of Windows Address Book file and loads it into memory. The worm then connects to default SMTP server (for SMTP server info the worm checks Internet Account Manager data in the Registry) and sends itself to all recepients of Windows Address Book. The infected message looks like that:

Subject:   Body:   Attachment: Whatever.exe  

The subject of infected message is randomly composed from 5 (sometimes less) different parts:

Subject:
 Body:
 Attachment: Whatever.exe

For example a subject can be: "Fw: Cool pictures i found !!" or "Nice website to check hehe ;-)".

The message contains a MIME-encoded attachment - the worm's file with 'Whatever.exe' name. The body is an empty multi-part MIME message with HTML formatting and i-frame trick that was previously found in Nimda and Klez worms. Because of this trick on some systems the worm is able to self-launch itself when an infected email is viewed (for example, with Outlook and IE 5.0 or 5.01). To do this the worm uses a known vulnerability in IE that allows execution of an email attachment. This vulnerability is fixed and a patch for it is available on Microsoft site:

https://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

Some email browsers where i-frame trick doesn't work can show the word 'peace' in infected email message's body.

The worm doesn't install itself to system, it runs, sends itself out and terminates its process in case of errors.

The worm contains the following text strings that are never displayed:

Subject:
 Body:
 Attachment: Whatever.exe

F-Secure Anti-Virus detects Aliz worm since May 2001.