Fizzer
Type: Multi-vector worm
Creator:
Date Discovered: 2003.05.08
Place of Origin:
Source Language:
Platform: MS Windows
File Type(s): .com, .exe, .pif, .scr
Infection Length:
Reported Costs:

Fizzer is a multiple-vector worm that topped the virus/worm charts in 2003. It was comparable to Nimda in a few ways: it "infected" files like a virus and had more than one way of spreading.


Behavior

Fizzer can arrive in an email or through a KaZaA share folder. In an email, it may have one of several subject lines, which may be in English, French or German. The message bodies are short and all in English. The attachment has a randomly generated name with a .com, .exe, .pif or .scr extension.

[Image: Fizzer.png, the Fizzer icon]

When Fizzer is executed, it copies itself to the Windows folder under the names iservc.exe and initbak.dat. It also creates several other files in that directory: ProgOp.exe, iservc.dll, data1-2.cab, iservc.dat, Uninstall.pky and upd.bin. It adds iservc.exe to the local machine Run key so that it starts with the computer. It also alters the registry so that both ProgOp.exe and iservc.exe run every time a text file is opened.

Fizzer creates a mutex named SparkyMutex to ensure that only one instance of the worm runs on the machine. To avoid detection, it terminates any process whose name contains one of the following strings: NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS and NMAIN. It logs all keystrokes and saves them to the encrypted file iservc.klg in the Windows folder. It can fetch updates, but the Geocities sites it uses are now unavailable.

It has several features that make it useful to a cracker as a backdoor. It connects to the following IRC servers and waits for commands: irc.awesomechat.net, irc.blueshadownet.org, irc.chatlands.org, irc.darkmyst.org, irc.hemmet.chalmers.se, irc.exodusirc.net and irc.mirc.gr. It also joins an AOL Instant Messenger chat room under a randomly generated name to listen for commands. It runs an HTTP server on port 81 and uses ports 2018, 2019, 2020 and 2021 for additional backdoor functionality.

Fizzer looks for the KaZaA share folder and infects the files there, including non-executables such as MP3s. It compresses each original file, then copies itself into its place with an .exe extension appended, and stores the compressed original as a resource inside the worm.

It looks for email addresses in the Windows Address Book, cookies, Internet Explorer temporary files and any file in the user folder. The worm will send a copy of itself to every address it finds. The sender line may be spoofed.
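The persistence, single-instance and backdoor artifacts described above can be turned into a host check. The following is an added example, not code from the original page or from any vendor: it evaluates a host snapshot against those indicators. The snapshot layout (a dict with the Windows folder listing, Run key values, the text-file open command, listening ports and mutex names) is an assumption of this example, and the two sample snapshots are constructed.

```python
"""Host-indicator check for the Fizzer artifacts named in the text (added example)."""
from typing import Dict, List

# Indicators taken from the description: dropped files, keylog file, ports, mutex.
DROPPED_FILES = {"iservc.exe", "initbak.dat", "progop.exe", "iservc.dll",
                 "data1-2.cab", "iservc.dat", "uninstall.pky", "upd.bin",
                 "iservc.klg"}
BACKDOOR_PORTS = {81, 2018, 2019, 2020, 2021}
MUTEX_NAME = "SparkyMutex"


def fizzer_indicators(snapshot: Dict) -> List[str]:
    """Return the matched indicators, in a fixed order; an empty list means no match."""
    hits: List[str] = []
    # 1. Dropped files in the Windows folder (names compared case-insensitively).
    present = {name.lower() for name in snapshot.get("windows_dir", [])}
    for name in sorted(DROPPED_FILES & present):
        hits.append(f"file:{name}")
    # 2. Persistence: iservc.exe registered in the local machine Run key.
    for value in snapshot.get("run_key_values", []):
        if "iservc.exe" in value.lower():
            hits.append(f"run_key:{value}")
    # 3. Persistence: text-file open command made to launch the worm's files.
    txt_cmd = snapshot.get("txt_open_command", "")
    if "iservc.exe" in txt_cmd.lower() or "progop.exe" in txt_cmd.lower():
        hits.append(f"txt_assoc:{txt_cmd}")
    # 4. Backdoor listeners on the ports the text names.
    for port in sorted(BACKDOOR_PORTS & set(snapshot.get("listening_ports", []))):
        hits.append(f"port:{port}")
    # 5. The mutex the worm uses to keep a single instance running.
    if MUTEX_NAME in snapshot.get("mutexes", []):
        hits.append(f"mutex:{MUTEX_NAME}")
    return hits


# Constructed snapshot of an infected host (sample data, not real telemetry;
# the exact open command Fizzer writes is not given in the text, so this is a placeholder).
INFECTED = {
    "windows_dir": ["notepad.exe", "iservc.exe", "initbak.dat", "ProgOp.exe",
                    "iservc.klg", "win.ini"],
    "run_key_values": ["C:\\WINDOWS\\iservc.exe"],
    "txt_open_command": "C:\\WINDOWS\\ProgOp.exe C:\\WINDOWS\\iservc.exe \"%1\"",
    "listening_ports": [135, 445, 81, 2018],
    "mutexes": ["SparkyMutex"],
}
# Constructed snapshot of a clean host for comparison.
CLEAN = {"windows_dir": ["notepad.exe", "win.ini"],
         "run_key_values": ["C:\\Program Files\\Vendor\\tray.exe"],
         "txt_open_command": "C:\\WINDOWS\\notepad.exe %1",
         "listening_ports": [135, 445], "mutexes": []}

if __name__ == "__main__":
    print(fizzer_indicators(INFECTED))
    print(fizzer_indicators(CLEAN))
```

On a live Windows host the same fields would be filled from a directory listing of the Windows folder, the HKLM Run key, the .txt shell open command, a netstat listing and the mutex names visible to a handle enumerator.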

Effects

Fizzer topped the viral charts for May 2003, taking the place of the then-popular Klez.E. MessageLabs blocked 497,846 copies of Fizzer in that month. Most infections were in China and Hong Kong, but the worm was also seen in Europe and the United States. Although it was prolific, it did little damage and carried no deliberately destructive payload. Its spread was limited by the fact that it required user interaction.

Sources

Yana Liu. Symantec, W32.HLLW.Fizzer@mm. 2007.02.13

John Leyden. The Register, Fizzer blasts Klez-H off top spot in viral charts. 2003.05.30

Thomas C Greene. The Register, Fizzer worm more interesting than harmful. 2003.05.20

F-Secure Raises Fizzer Worm Alert to Level-1; E-mail Worm Becomes One of the Most Widespread Viruses Currently in Circulation. 2003.05.12

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License