Aliz | |
---|---|
Type | Email worm |
Creator | mar00n |
Date Discovered | 22-MAY-2001 |
Place of Origin | The Netherlands |
Source Language | Assembly |
Platform | MS Windows |
File Type(s) | .exe |
Infection Length | 4,098 bytes |
Reported Costs |
Aliz is a small worm written entirely in Assembly. It is compressed and weighs in at only about 4 kilobytes. It first appeared in the Netherlands in May of 2001, where it had been coded by mar00n of ikx. It is also notable for being one of the few worms that never installs itself on the system, staying entirely in memory, somewhat similar to Slammer and Code Red.
Behavior
Aliz arrives on a system over email. The subject line contains five parts, each with two or more possible strings chosen randomly.
| String 1 | String 2 | String 3 | String 4 | String 5 |
|---|---|---|---|---|
| Fw: | Cool | website | to check | !! |
| Fw: Re: | Nice | site | for you | ! |
| | Hot | pics | i found | :-) |
| | some | urls | to see | ?! |
| | Funny | pictures | here hehe | ;-) |
| | weird | stuff | - check it | |
| | funky | mp3s | | |
| | great | shit | | |
| | Interesting | music | | |
| | many | info | | |
The message body appears to be empty and the attachment is named "Whatever.exe". The body actually contains a multi-part MIME message with HTML formatting that uses the same iframe trick, affecting some versions of Outlook Express 5 and Internet Explorer, that was exploited by the Nimda and Klez worms. This enables the worm to run by itself from the preview pane. If the browser is not vulnerable to this, it shows the word "peace" in the message body.
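A mail-filter check built from the indicators described above (the five-part subject table and the "Whatever.exe" attachment name), added here as an example; it is not part of the original page or any vendor's signature. The optional-whitespace joining of fragments, the case-insensitive matching, and the names `classify` and `sample` are assumptions of this example.

```python
import re
from email.message import EmailMessage

# Subject fragments as listed on this page; one is chosen per column.
PARTS = [
    ["Fw:", "Fw: Re:"],
    ["Cool", "Nice", "Hot", "some", "Funny", "weird", "funky", "great",
     "Interesting", "many"],
    ["website", "site", "pics", "urls", "pictures", "stuff", "mp3s", "shit",
     "music", "info"],
    ["to check", "for you", "i found", "to see", "here hehe", "- check it"],
    ["!!", "!", ":-)", "?!", ";-)"],
]
ATTACHMENT = "whatever.exe"  # compared case-insensitively

def _alternation(options):
    # Longest option first; spaces inside a fragment match any whitespace run.
    ordered = sorted(options, key=len, reverse=True)
    return "(?:" + "|".join(
        r"\s+".join(re.escape(w) for w in o.split()) for o in ordered) + ")"

# Assumption: fragments are joined by optional whitespace (not stated on the page).
SUBJECT_RE = re.compile(r"\s*".join(_alternation(p) for p in PARTS), re.IGNORECASE)

def classify(msg):
    """Return which Aliz indicators a parsed e-mail message carries."""
    subject = (msg.get("Subject") or "").strip()
    names = [part.get_filename() or "" for part in msg.walk()]
    hits = {
        "subject": SUBJECT_RE.fullmatch(subject) is not None,
        "attachment": any(n.lower() == ATTACHMENT for n in names),
    }
    hits["flag"] = hits["subject"] and hits["attachment"]
    return hits

def sample(subject, filename):
    # Constructed test message: harmless two-byte payload, not worm code.
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("<html><body>peace</body></html>", subtype="html")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    print(classify(sample("Fw: Re: Hot pics i found :-)", "Whatever.exe")))
    print(classify(sample("Fw: quarterly numbers", "report.exe")))
```

Requiring both indicators keeps a legitimate forward with a similar subject, or an unrelated file that happens to share the attachment name, from being flagged on its own.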
Upon execution, Aliz unpacks itself, then passes control to its API address setup routine. Once it has collected all necessary API addresses, it passes control to the worm's core code. It then checks the Registry for the location of the Windows Address Book and loads it into memory. Aliz then checks the Internet Account Manager data in the Registry and connects to the default SMTP server. It then sends a message with a copy of itself to every address it finds in the address book.
The virus contains the text:
:::iworm.alizee.by.mar00n!ikx2oo1:::
while typing this text i realize this text got added on many av
description sites, because this silly worm could be easily a
hype. i wonder which av claims '[companyname] stopped high risk
worm before it could escape!' or shit like that. heh, or they
boycot my virus because of this text. well, it is easy enough
for the poor av's to add this worm; since it was only released
as source in coderz#2... btw, loveletter*2 power in pure win32asm
and only a 4k exe file. heh, vbs kiddies, phear win32asm. :)
thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx,
t-2000!ir, ultras!mtx & sweet gigabyte...
btw,burgemeester van sneek: ik zoek nog een baantje...
The last bit is Dutch for "BTW (by the way), Mayor of Sneek: I'm looking for another job…". This is probably a reference to the Kournikova worm, which was created with Kalamar's worm generator.
Effects
Though it appeared as far back as May of 2001, most of the worm's activity was seen in late November of that year. MessageLabs reported blocking the worm 1,849 times on the 22nd of November. It was the 2nd most common worm behind Sircam for that month. By the end of 2001, the worm was still going pretty strong, though showing signs of slowing down, and users were still being urged to update their software.
Origin
Aliz was coded by mar00n in May of 2001 in the Netherlands. mar00n's comments in the source code indicate it took two days and was done out of boredom. It is uncertain if mar00n ever released the worm itself in the wild, but the source code was available, probably accounting for how it became virulent months after its existence was known. It appeared in the magazine Coderz.
Name
The author of the virus called it Alizee. Its most popular name with antivirus products was Aliz. Its lesser-used name was Peace because of the message it displayed.
Antivirus Aliases
Vendor | Detection name |
---|---|
Avast | Win32:Aliz |
AVG | I-Worm/Aliz |
BitDefender | Win32.Aliz.A@mm |
e-Trust | Win32/Aliz |
F-Secure | Email-Worm.Win32.Aliz |
Ikarus | Email-Worm.Win32.Aliz |
McAfee | W32/Aliz@MM(Virus) |
Microsoft | Win32/Aliz.A@mm |
NOD32 (ESET) | Win32/Aliz.A |
Norton Antivirus | W32.Aliz.Worm |
Rising Antivirus | Worm.Aliz |
Trend Micro | WORM_ALIZ.A |
VirusBuster | I-Worm.Aliz.A |