The Fizzer worm was discovered on May 8, 2003, and is now
one of the most common pieces of malware in circulation.
Fizzer is a mass-mailer that has multiple plug-ins.
- It contains a backdoor that communicates through mIRC
to alert a remote hacker of its presence on a particular
machine
- It has a keylogger that captures keystrokes containing
sensitive data, such as user-name and password pairs, logs
them to a file, and can transmit them on request
- It attempts to spread through the Kazaa file-sharing
network
- It deactivates background anti-virus protection by
terminating the anti-virus processes
Distribution: Fizzer drops the file ISERVC.EXE into the
Windows folder. Fizzer spreads as an e-mail attachment with
a COM, EXE, PIF, or SCR extension. On an infected computer,
Fizzer locates the KaZaA shared folder, replaces the files
there with copies of itself, and renames each replaced file
by appending an executable second suffix to its original
name. For example, an MP3 file becomes MP3.EXE, so that an
unwary downloader is deceived into running it.
Fizzer installs when the infected e-mail attachment is
opened, or when a user attempts to play the bogus Kazaa
download. Fizzer then copies itself as Iservc.exe into the
Windows folder and attempts to add itself to the startup
queue. Both attempts are intercepted by InVircible and
reverted, so Fizzer fails to install.
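The two indicators described above (the double-extension lure in the shared folder, and the ISERVC.EXE copy in the Windows folder) can be checked with a small triage script. The following is an added example written for this page, not code from InVircible or from the worm's analysis; the executable extensions (COM, EXE, PIF, SCR), the MP3.EXE pattern and the ISERVC.EXE file name come from the text, while the list of other "inner" media suffixes and the sample file names are constructed assumptions for illustration.

```python
from pathlib import PureWindowsPath

# Executable extensions the page lists for Fizzer's mailed copies and for
# the second suffix it appends to files it replaces in the Kazaa share.
EXECUTABLE_SUFFIXES = {".com", ".exe", ".pif", ".scr"}

# Content-type suffixes a file-sharing user expects to see. Only MP3 is
# named on the page; the others are assumed here to generalise the check.
LURE_INNER_SUFFIXES = {".mp3", ".avi", ".mpg", ".jpg", ".zip", ".doc"}

# The file name the page says Fizzer drops into the Windows folder.
DROPPED_FILE_NAME = "iservc.exe"

# Constructed sample listing (not real captured data) mixing harmless
# names with the two patterns the page describes.
SAMPLE_NAMES = [
    "Britney - Toxic.mp3.exe",   # media-looking name ending in .exe
    "holiday.jpg",
    "readme.txt",
    "funny.scr",                 # executable attachment extension
    r"C:\Windows\ISERVC.EXE",    # dropped copy in the Windows folder
    "setup.exe.txt",             # ends in .txt, so not a lure
]


def is_double_extension_lure(filename: str) -> bool:
    """True for names like 'song.mp3.exe': a media-looking name whose
    real (last) extension is executable."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_SUFFIXES and suffixes[-2] in LURE_INNER_SUFFIXES


def is_executable_attachment(filename: str) -> bool:
    """True if the name ends in one of the extensions Fizzer mails itself with."""
    return PureWindowsPath(filename).suffix.lower() in EXECUTABLE_SUFFIXES


def is_dropped_copy(path: str) -> bool:
    """True if the path names ISERVC.EXE directly inside a folder called Windows."""
    p = PureWindowsPath(path)
    return p.name.lower() == DROPPED_FILE_NAME and p.parent.name.lower() == "windows"


def triage(filenames):
    """Sort file names into the three indicator categories; returns a dict
    of category -> sorted list of matching names. Names matching none of
    the patterns are left out."""
    result = {"kazaa_lure": [], "exe_attachment": [], "dropped_copy": []}
    for name in filenames:
        if is_dropped_copy(name):
            result["dropped_copy"].append(name)
        elif is_double_extension_lure(name):
            result["kazaa_lure"].append(name)
        elif is_executable_attachment(name):
            result["exe_attachment"].append(name)
    return {k: sorted(v) for k, v in result.items()}


if __name__ == "__main__":
    for category, names in triage(SAMPLE_NAMES).items():
        print(f"{category}: {names}")
```

The order of checks in triage matters: a dropped copy is also an executable attachment by extension, so the more specific test runs first. On a live system the same functions can be fed a directory listing of the Kazaa shared folder and of the Windows folder instead of SAMPLE_NAMES.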