Fizzer - A Multi-threat Worm That Attacks Via E-mail and KaZaA
12 May 2003
Kaspersky Lab, an international data security software developer, announces the detection of the new Internet worm "Fizzer". In addition to e-mail, "Fizzer" spreads via the KaZaA P2P file-sharing network, and employs sneaky and dangerous tactics such as a 'key logger' and a trojan program that allows remote management of infected computers.
Kaspersky Lab is already receiving confirmed incidence reports of "Fizzer" infections.
"Fizzer" is a classic network worm that propagates across the Internet. It arrives at the target computer as an executable file and activates when a user launches it. Once this happens, "Fizzer" creates 5 additional files and modifies the Windows registry auto-run section so that the worm loads each time the operating system is started.
A distinctive, though certainly not unique, characteristic of this worm is its multiple-threat construction: the worm is equally effective at spreading itself via both e-mail and the KaZaA file-sharing network.
To send itself out via e-mail, "Fizzer" scans the addresses in a victim's Outlook and Windows address books, or it randomly attacks e-mail addresses in public e-mail systems such as hotmail.com and yahoo.com. Next, the worm clandestinely sends out infected messages in the name of the computer owner, using different subjects, message texts and file attachment names. For example:
Subject: Re: I think you might find this amusing...
Attached file: Logan6.exe
Message text: Let me know what you think of this...
To spread via KaZaA, "Fizzer" creates multiple copies of itself under random names, and places these files in the victim computer's dedicated KaZaA file-sharing folder, if in fact this directory exists. By doing so, "Fizzer" becomes "available" to all other network participants.
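The behaviour just described, several byte-identical copies of one executable dropped under random names into a shared folder, leaves a simple trace a defender can look for. The following Python script is an added example, not code from Kaspersky Lab or from the original report; the folder layout and file names it builds are constructed for the demonstration.

```python
"""Flag executable content that appears under two or more names in a P2P
shared folder, the footprint left by a worm copying itself with random
names into the KaZaA share. Sample folder and files are constructed here."""
import hashlib
import os
import tempfile
from collections import defaultdict

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large shared files are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_cloned_executables(folder):
    """Return {sha256: [names...]} for executable content stored under
    more than one file name in `folder` (non-recursive, names sorted)."""
    by_hash = defaultdict(list)
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path) and name.lower().endswith(EXECUTABLE_SUFFIXES):
            by_hash[sha256_of(path)].append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def build_sample_share():
    """Construct a throwaway 'shared folder': one fake payload under three
    random-looking names plus two unrelated files. Returns the folder path."""
    folder = tempfile.mkdtemp(prefix="kazaa_share_")
    payload = b"MZ" + b"constructed-not-a-real-binary" * 20  # inert bytes
    for name in ("Logan6.exe", "cool_game.exe", "setup_patch.scr"):
        with open(os.path.join(folder, name), "wb") as f:
            f.write(payload)
    with open(os.path.join(folder, "notes.txt"), "wb") as f:
        f.write(b"benign text file, ignored by the suffix filter")
    with open(os.path.join(folder, "tool.exe"), "wb") as f:
        f.write(b"MZ" + b"a different, unrelated program")
    return folder


if __name__ == "__main__":
    share = build_sample_share()
    for digest, names in find_cloned_executables(share).items():
        print(f"{digest[:12]}... stored as {len(names)} files: {', '.join(names)}")
```

On a real machine the same function would be pointed at the configured KaZaA shared directory; a single hash behind several executable names is a strong signal worth quarantining and scanning.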
"Fizzer" carries a dangerous payload that can cause confidential data to be leaked from infected computers. The worm installs a keyboard-logging program that intercepts and records all keystrokes in a separate log file. To transmit this information, as well as other sensitive data, from victim machines, "Fizzer" implements a backdoor utility (a utility making possible unauthorized, remote control of victim computers) that allows the worm's "master" to undetectably control a computer via IRC channels as well as via the HTTP and Telnet protocols. Additionally, the worm regularly connects to a Web page located on the Geocities server, from which it attempts to download an updated version of its executable modules. Finally, to avoid detection, "Fizzer" scans the memory of victim computers and shuts down the active processes of an array of the most widely used anti-virus programs.
The defense against "Fizzer" has already been added to the Kaspersky Lab anti-virus databases.
A more detailed explanation of this malicious program is available in the Kaspersky Virus Encyclopedia.