Win32.Fizzer.A@mm

HIGH
MEDIUM
In the range 170...250 Kbytes
(W32/Fizzer-A, I-Worm.Fizzer, W32.HLLW.Fizzer@mm, W32/Fizzer@MM)

Symptoms

  • Presence of the following files in the Windows folder:
    iservc.exe
    initbak.dat
    progOp.exe
    iservc.dll

  • Presence of the following registry keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemInit="%WINDOWS%\iservc.exe"
    HKEY_CLASSES_ROOT\txtfile\shell\open\command = "%WINDOWS%\ProgOp.exe 0 7 ' %1'"
    where %WINDOWS% points to the Windows folder
Removal instructions

    The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

    Important: You will have to close all applications before running the
    tool (including the antivirus shields) and restart the computer afterwards.
    Additionally, you'll have to manually delete the infected files located in archives
    and the infected messages from your mail client.

    The BitDefender Antifizzer tool does the following:

  • it deletes the files created by the virus;
  • it disinfects the files infected by the virus;
  • it kills the process from memory;
  • it repairs the Windows registry.

    You may also need to restore the affected files.

    Analyzed By

    Patrik Vicol BitDefender Virus Researcher

    Technical Description:

    This mass mailer spreads through e-mail and Kazaa, and has backdoor and keylogger abilities. The backdoor component uses mIRC and AIM (AOL Instant Messenger), allowing the author to issue commands on the victim's computer.

    Usually, this virus arrives via e-mails that have attachments with one of the following extensions:
    EXE, PIF, COM, SCR

    The e-mail is constructed (subject, body) from various strings and may contain one of the following:

    I thought this was interesting...
    rather psychedelic...
    found this on the net, you might like it...
    discotheque
    imbrue
    Damn it feels good to be gangsta.
    The way I feel - Remy Shand
    Paradigm Shift
    WASSUP!
    Know Thyself
    Hell
    I love you
    Please discard if you don't like or agree with our present leadership...
    little popup remover
    B cannot remember
    Yo, WASSUP, B?
    an interesting program...
    You might not appreciate this...
    I think you might find this amusing...
    LOL
    check this out... hehehe
    question...
    see you tomorrow.
    how are you?
    you need to lose weight.
    why?
    kind of simple, but fun nonetheless.
    check it out.
    I sent this program (Sparky) from anonymous places on the net.
    The way to gain a good reputation is to endeavor to be what you desire to appear.
    There is only one good, knowledge, and one evil, ignorance.
    Watchin' the game, having a bud.
    Did you ever stop to think that viruses are good for the economy? Maybe the primary creators of the world's worst viruses are the companies that make the Anti-Virus software.
    Today is a good day to die...
    so, how are you?
    the attachment is only for you to look at
    you must not show this to anyone...
    delete this as soon as you look at it...
    Let me know what you think of this...
    If you don't like it, just delete it.
    thought I'd let you know
    you don't have to if you don't want to.


    Once run, the virus attempts to terminate processes whose names contain:
    NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS, NMAIN

    It creates a mutex named SparkyMutex so that only one instance of itself runs in memory.

    It harvests e-mail addresses from the Windows Address Book, Cookies, the Internet Temporary Files folder and the My Documents folder, and stores them in the data1-2.cab file in the Windows folder. It uses the default configured MAPI program to send itself to the harvested e-mail addresses.

    The mass-mailer uses a specific configuration file, in which it stores all its information. The virus uses an engine, Sparky, that could be updated (originally via an internet address).

    The keylogger component (iservc.dll) saves captured keystrokes to the file iservc.klg or to a backup file, wavckb.dlb, located in the Windows folder.
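
    The file and registry indicators listed under Symptoms and in this description can be checked together during triage. The following is an added example, not BitDefender's removal tool: the function names and the sample inventories are constructed for illustration, and it works on a file listing of the Windows folder plus registry values collected beforehand.

```python
import re

# Indicators taken from this description; all files live in the Windows folder.
DROPPED_FILES = {"iservc.exe", "initbak.dat", "progop.exe", "iservc.dll"}
DATA_FILES = {"iservc.klg", "wavckb.dlb", "data1-2.cab"}  # keylog and address store
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TXT_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"


def references(command, exe_name):
    """True if a registry command line points at exe_name (case-insensitive)."""
    pattern = r'(^|[\\/"\s])' + re.escape(exe_name) + r"(?![\w.])"
    return re.search(pattern, command, re.IGNORECASE) is not None


def triage(windows_files, registry):
    """Return (kind, detail) findings for one host.

    windows_files: file names found in the Windows folder.
    registry: {(key, value_name): data}; value_name "" is the key's default value.
    """
    present = {name.lower() for name in windows_files}
    reg = {(k.lower(), v.lower()): d for (k, v), d in registry.items()}
    findings = [("file", n) for n in sorted(present & DROPPED_FILES)]
    findings += [("data-file", n) for n in sorted(present & DATA_FILES)]
    run = reg.get((RUN_KEY.lower(), "systeminit"), "")
    if references(run, "iservc.exe"):
        findings.append(("run-key", run))
    # The .txt open handler is hijacked; it must be restored after file removal.
    txt = reg.get((TXT_KEY.lower(), ""), "")
    if references(txt, "progop.exe"):
        findings.append(("txt-handler", txt))
    return findings


# Constructed sample inventories (not taken from a real host).
INFECTED_FILES = ["explorer.exe", "ISERVC.EXE", "iservc.dll", "initbak.dat",
                  "ProgOp.exe", "iservc.klg", "notepad.exe"]
INFECTED_REG = {
    (RUN_KEY, "SystemInit"): r"C:\WINDOWS\iservc.exe",
    (TXT_KEY, ""): r"C:\WINDOWS\ProgOp.exe 0 7 '%1'",
}
CLEAN_FILES = ["explorer.exe", "notepad.exe"]
CLEAN_REG = {(TXT_KEY, ""): r"C:\WINDOWS\system32\NOTEPAD.EXE %1"}

if __name__ == "__main__":
    for kind, detail in triage(INFECTED_FILES, INFECTED_REG):
        print(f"{kind:12} {detail}")
```

    A host that still shows the txt-handler finding after the files are gone will fail to open .txt files until that registry value is repaired.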

    It has backdoor abilities: it attempts to connect to an IRC server chosen at random from a long list, joining a password-protected channel (using a random nick) where the author can issue commands on the infected computer.