Date: 13 May 2003
===========================================================================
A U S C E R T A L E R T
AL-2003.07 -- AUSCERT ALERT
"Fizzer" Worm Increased Activity
13 May 2003
===========================================================================
AusCERT is currently monitoring a malicious new email worm. Dubbed
"Fizzer", this virus spreads via e-mail and the Kazaa peer-to-peer
filesharing network. Although this program has been in existence since 7
May, the rate of infection has recently increased, with major anti-virus
vendors rating its severity as high.
"Fizzer" has several attack vectors including the installation of
backdoors for IRC and other protocols, a DoS (Denial of Service) attack
tool and a keylogging trojan that captures user passwords and other
information to a local file for later use by an attacker. Similar to other
advanced worms, this program also has an auto-updating capability.
Additionally, it attempts to halt anti-virus processes on an infected
machine.
Infected email messages will have the worm attached with one of the .exe,
.pif, .scr or .com extensions. The attachment name is created at random.
E-mail addresses are collected by the worm from the Microsoft Windows and
Outlook address books and from other files containing addresses that the
worm is able to find on an infected machine.
The subject line of an infected message is chosen at random from a list which
includes both English and German phrases. See the links below for a complete
list of possible subject lines.
The body of an infected message is also chosen at random. It can be one of
the following:
o I sent this program (Sparky) from anonymous places on the net.
o The way to gain a good reputation is to endeavor to be what you
  desire to appear.
o There is only one good, knowledge, and one evil, ignorance.
o Watchin' the game, having a bud.
o Did you ever stop to think that viruses are good for the economy?
  Maybe the primary creators of the world's worst viruses are the
  companies that make the Anti-Virus software.
o Today is a good day to die...
o so, how are you?
o the attachment is only for you to look at
o you must not show this to anyone...
o delete this as soon as you look at it...
o Let me know what you think of this...
o If you don't like it, just delete it.
o thought I'd let you know
o you don't have to if you don't want to.
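As an added illustration (not AusCERT's code), a mail-gateway style check for the indicators described above: an attachment ending in one of the four extensions, and a body matching one of the listed texts. The function names, result fields and example.org addresses are assumptions made for this example, and the sample message it builds is constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions named in the alert.
RISKY_EXTENSIONS = (".exe", ".pif", ".scr", ".com")

# Subset of the message bodies listed in the alert, lower-cased for matching.
KNOWN_BODIES = (
    "i sent this program (sparky) from anonymous places on the net.",
    "today is a good day to die...",
    "the attachment is only for you to look at",
    "you must not show this to anyone...",
    "delete this as soon as you look at it...",
)


def score_message(raw: bytes) -> dict:
    """Report which of the alert's indicators a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    risky = [
        part.get_filename()
        for part in msg.iter_attachments()
        # The name is random, so only the extension is usable. Trailing dots
        # and spaces are stripped first because Windows ignores them.
        if (part.get_filename() or "").lower().rstrip(". ").endswith(RISKY_EXTENSIONS)
    ]
    body_part = msg.get_body(preferencelist=("plain",))
    body = " ".join(body_part.get_content().split()).lower() if body_part else ""
    body_hit = any(phrase in body for phrase in KNOWN_BODIES)
    return {
        "risky_attachments": risky,                 # enough on its own to hold the mail
        "known_body": body_hit,
        "fizzer_like": bool(risky) and body_hit,    # both indicators together
    }


def build_sample(body: str, filename: str) -> bytes:
    """Constructed sample message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.org"
    m["Subject"] = "constructed sample"
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Because the body texts are short and generic, the body match is best used to raise confidence in an extension hit rather than as a filter by itself.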
AusCERT advises users to follow as many of the following steps as
practicable for their situation:
o Install security-related patches for vulnerable operating
  systems and software.
o Install and maintain current anti-virus software.
o Block unneeded services, ports, and protocols at the border
  internet gateway.
o Install host-based firewall software, preferably with the
  ability to provide MD5 or similar checksums against applications
  which request communication channels.
More information about the "Fizzer" worm is available from these sites:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html
http://www.f-secure.com/v-descs/fizzer.shtml
http://vil.mcafee.com/dispVirus.asp?virus_k=100295
http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32/Fizzer.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FIZZER.A&VSect=T
http://www3.ca.com/virusinfo/virus.aspx?ID=35131
---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Email: auscert@auscert.org.au
Web: www.auscert.org.au
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================