Skip to main content

Aliz

Classification

Category:Malware
Type:Worm
Platform:W32
Aliases:

Aliz, Win32.Aliz, W95/Aliz.a, Peace

Summary

The Aliz worm became widely spread in the end of November 2001. The worm activates automatically while reading an infected email message.

Removal

Manual action

Aliz worm is relatively easy to disinfect.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Aliz is a very small email worm written in pure Assembly. The worm's file is only 4 kilobytes long and its code is compressed. It can be considered one of the smallest Win32 worms ever created.

When the worm is run, it first unpacks itself and then passes control to API address setup routine. When all needed API addresses are collected, the control is passed to the main worm's code. The worm checks the Registry for the location of Windows Address Book file and loads it into memory. The worm then connects to default SMTP server (for SMTP server info the worm checks Internet Account Manager data in the Registry) and sends itself to all recepients of Windows Address Book. The infected message looks like that:

 Subject: Subject: <randomly composed from several different parts, see below> Body: <empty multi-part MIME message with HTML formatting and i-frame trick> Attachment: Whatever.exe

The subject of infected message is randomly composed from 5 (sometimes less) different parts:

Fw:  Fw: Re:  Cool  Nice  Hot  some  Funny  weird  funky  great  Interesting  many  website  site  pics  urls  pictures  stuff  mp3s  shit  music  info  to check  for you  i found  to see  here  - check it  !!  !  :-)  ?!  hehe ;-)

For example a subject can be: "Fw: Cool pictures i found !!" or "Nice website to check hehe ;-)".

The message contains a MIME-encoded attachment - the worm's file with 'Whatever.exe' name. The body is an empty multi-part MIME message with HTML formatting and i-frame trick that was previously found in Nimda and Klez worms. Because of this trick on some systems the worm is able to self-launch itself when an infected email is viewed (for example, with Outlook and IE 5.0 or 5.01). To do this the worm uses a known vulnerability in IE that allows execution of an email attachment. This vulnerability is fixed and a patch for it is available on Microsoft site:

https://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

Some email browsers where i-frame trick doesn't work can show the word 'peace' in infected email message's body.

The worm doesn't install itself to system, it runs, sends itself out and terminates its process in case of errors.

The worm contains the following text strings that are never displayed:

:::iworm.alizee.by.mar00n!ikx2oo1:::  while typing this text i realize this text got added on many av  description sites, because this silly worm could be easily a  hype. i wonder which av claims '[companyname] stopped high risk  worm before it could escape!' or shit like that. heh, or they  boycot my virus because of this text. well, it is easy enough  for the poor av's to add this worm; since it was only released  as source in coderz#2... btw, loveletter*2 power in pure win32asm  and only a 4k exe file. heh, vbs kiddies, phear win32asm. :)  thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx,  t-2000!ir, ultras!mtx &amp; sweet gigabyte...  btw,burgemeester van sneek: ik zoek nog een baantje...  (alignmentfillingtext)

F-Secure Anti-Virus detects Aliz worm since May 2001.

More Support

Community

Ask questions in our Community.

User guides

Check the user guide for instructions.

Contact Support

Chat with with or call an agent.

Submit a Sample

Submit a file or URL for analysis.