Win32.Fizzer.A@mm (W32/Fizzer-A, I-Worm.Fizzer, W32.HLLW.Fizzer@mm, W32/Fizzer@MM)
SYMPTOMS:
Files: iservc.exe, initbak.dat, progOp.exe, iservc.dll
Registry (where %WINDOWS% points to the Windows folder):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemInit = "%WINDOWS%\iservc.exe"
HKEY_CLASSES_ROOT\txtfile\shell\open\command = "%WINDOWS%\ProgOp.exe 0 7 ' %1'"

TECHNICAL DESCRIPTION:
This mass mailer spreads through e-mail and Kazaa and has backdoor and keylogger capabilities. The backdoor component uses mIRC and AIM (AOL Instant Messenger), allowing the author to issue commands on the victim's computer.

Usually the virus arrives in e-mails whose attachments have one of the following extensions: EXE, PIF, COM, SCR. The e-mail subject and body are assembled from various strings and may contain one of the following:
I thought this was interesting... rather psychedelic... found this on the net, you might like it... discotheque imbrue Damn it feels good to be gangsta. The way I feel - Remy Shand Paradigm Shift WASSUP! Know Thyself Hell I love you Please discard if you don't like or agree with our present leadership... little popup remover B cannot remember Yo, WASSUP, B? an interesting program... You might not appreciate this... I think you might find this amusing... LOL check this out... hehehe question... see you tomorrow. how are you? you need to lose weight. why? kind of simple, but fun nonetheless. check it out. I sent this program (Sparky) from anonymous places on the net. The way to gain a good reputation is to endeavor to be what you desire to appear. There is only one good, knowledge, and one evil, ignorance. Watchin' the game, having a bud. Did you ever stop to think that viruses are good for the economy? Maybe the primary creators of the world's worst viruses are the companies that make the Anti-Virus software. Today is a good day to die... so, how are you? the attachment is only for you to look at you must not show this to anyone... delete this as soon as you look at it... Let me know what you think of this... If you don't like it, just delete it.
thought I'd let you know you don't have to if you don't want to.

Once run, the virus attempts to terminate processes whose names contain any of: NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS, NMAIN. It creates a mutex named SparkyMutex so that only one instance of itself runs in memory.

It harvests e-mail addresses from the Windows Address Book, cookies, the Temporary Internet Files folder and the My Documents folder, and stores them in the file data1-2.cab in the Windows folder. It uses the default configured MAPI program to send itself to the harvested addresses. The mass-mailer keeps all of its settings in a dedicated configuration file. The virus is built on an engine called Sparky, which could be updated (originally from an internet address).

The keylogger component (iservc.dll) saves captured keystrokes to the file iservc.klg, or to a backup file, wavckb.dlb, in the Windows folder.

It also has backdoor capabilities: using a random nick, it attempts to connect to a password-protected channel on one IRC server picked at random from a long list of public servers (irc.dal.net, irc.afternet.org and several hundred others), where the author can issue commands on the infected computer.
Removal instructions:
The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.
Important: you will have to close all applications (including the antivirus shields) before running the tool, and restart the computer afterwards. Additionally, you will have to manually delete infected files located inside archives and the infected messages from your mail client.
The BitDefender Antifizzer tool does the following:
You may also need to restore the affected files.

ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher
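As an added defender-side check (not part of this BitDefender entry or its removal tool), the script below parses a `reg export` style dump and a listing of the Windows folder and reports the indicators given under SYMPTOMS and in the description. The .reg sample is constructed for the example; the key names, file names and the handler command come from the entry above.

```python
# Constructed sample of a `reg export` style dump (not from a real machine).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\WINDOWS\\iservc.exe"
"SomeLegit"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\ProgOp.exe 0 7 ' %1'"
"""

# Indicators from the advisory: two registry entries and the files the worm
# writes to the Windows folder (names compared case-insensitively).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TXT_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
FIZZER_FILES = {"iservc.exe", "initbak.dat", "progop.exe", "iservc.dll",
                "data1-2.cab", "iservc.klg", "wavckb.dlb"}


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the .reg subset `reg export` emits ([key] headers, "name"="value"
    and @="value" lines) into {key: {name: value}}; "@" is stored as
    "(Default)" and the doubled backslashes of quoted values are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = value.strip('"').replace("\\\\", "\\")
    return keys


def fizzer_findings(reg_text: str, windows_dir: list[str]) -> list[str]:
    """Check a registry export and a %WINDOWS% file listing for Fizzer marks."""
    reg = parse_reg_export(reg_text)
    findings = []
    run_cmd = reg.get(RUN_KEY, {}).get("SystemInit", "")
    if "iservc.exe" in run_cmd.lower():
        findings.append(f"Run value SystemInit -> {run_cmd}")
    # The txtfile handler runs whenever a .txt file is opened, so cleanup must
    # restore this value rather than only delete ProgOp.exe.
    txt_cmd = reg.get(TXT_KEY, {}).get("(Default)", "")
    if "progop.exe" in txt_cmd.lower():
        findings.append(f"txtfile open handler -> {txt_cmd}")
    for name in sorted(windows_dir):
        if name.lower() in FIZZER_FILES:
            findings.append(f"file in Windows folder: {name}")
    return findings
```

On a live Windows machine the input would come from `reg export` of the two keys and a directory listing of %WINDOWS%; the parser handles only the string-value syntax shown, not binary or DWORD values.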