
Fizzer worm spreads across the Internet

Update: An especially nasty worm is spreading rapidly. It can arrive by e-mail or Kazaa, updates itself, and even sets up its own IM accounts.
Written by Robert Vamosi, Contributor
A very clever mass-mailing worm is spreading rapidly across the Internet.

Fizzer (w32.fizzer@mm) has many different components, each timed to trigger different processes, making it quite difficult to contain.

The worm spreads via e-mail and carries its own SMTP engine, so it can send mail directly to recipients' mail servers without going through the victim's e-mail client or any protections built into it. Fizzer also spreads via Kazaa, a popular file-sharing application, by copying itself into the shared folder under enticing names.

The worm establishes its own accounts on Internet Relay Chat (IRC) and AOL Instant Messenger, and then waits there for further instructions from the worm's author.

Fizzer attempts to disable any antivirus program running at the time of infection. Systems infected with Fizzer could be used in distributed denial-of-service (DDoS) attacks on other computers.

Fizzer includes a keystroke-logging Trojan horse, which can be used to steal passwords and credit card information.

Because Fizzer spreads via e-mail and Kazaa, contains a keystroke-logging Trojan horse, and could be used in a DDoS attack, this worm rates a 7 on the ZDNet Virus Meter.

How it works
Fizzer arrives as e-mail with several possible subject lines and body texts. The From: address can be forged and therefore should not be trusted. Fizzer's attached files contain one of the following extensions: .com, .exe, .pif and .scr.

If a user opens the attached file or otherwise activates the worm, four files are added to the Windows directory:

initbak.dat, which is a copy of the worm
iservc.exe, which is a copy of the worm
progop.exe
iservc.dll, which contains the keystroke logging Trojan

According to McAfee, Fizzer modifies the system Registry in the following ways:

Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Run "SystemInit" = C:\Windows\iservc.exe

Hkey_classes_root\txtfile\shell\open\command "(Default)" = C:\Windows\progop.exe 0 7 'C:\Windows\Notepad.exe %1' 'C:\Windows\initbak.dat' 'C:\Windows\iservc.exe'

This second entry hijacks the handler for .txt files: opening any text file runs progop.exe, which launches Notepad on the file and re-establishes the worm's copies, giving Fizzer a second persistence path if the Run entry alone is cleaned up.

Hkey_classes_root\Applications\progop.exe

On Windows NT, 2000, and XP systems, Fizzer also creates a service named S1Trace.

The worm also opens network listeners and makes outbound connections of its own. Signs of infection include unexpected traffic on TCP port 6667 (IRC) and TCP port 5190 (AIM).
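The indicators above (the four file names, the two Registry entries and the IRC/AIM ports) can be checked offline against a Registry export and netstat output. The following triage script is an added example written for this article, not code from ZDNet or from any antivirus vendor; the Registry export text and the netstat lines it scans are constructed for the demonstration, and the function names are hypothetical.

```python
"""Offline triage for the Fizzer indicators listed in the article.

Added example (not ZDNet's or any vendor's code). It scans text produced by
``reg export`` and by ``netstat -an`` for the persistence entries, worm file
names and ports the article names. Sample inputs are constructed for the demo.
"""
import re

# Indicators taken from the article.
FIZZER_FILES = {"initbak.dat", "iservc.exe", "progop.exe", "iservc.dll"}
FIZZER_PORTS = {6667: "IRC", 5190: "AIM"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"


def parse_reg_export(text):
    """Parse ``reg export`` text into {key: {value_name: data}}.

    Only REG_SZ values ("name"="data") and the default value (@="data") are
    handled, which is all the indicators above need. Backslashes are doubled
    in the export format, so they are collapsed here.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            entries[current][name] = data.strip('"').replace("\\\\", "\\")
    return entries


def check_registry(entries):
    """Flag keys named after worm files and values whose data references them."""
    findings = []
    for key, values in entries.items():
        if any(f in key.lower() for f in FIZZER_FILES):
            findings.append(f"key named after worm file: {key}")
        for name, data in values.items():
            hit = sorted(f for f in FIZZER_FILES if f in data.lower())
            if hit:
                findings.append(f"{key}\\{name} references {hit}: {data}")
    return findings


def check_netstat(lines):
    """Flag sockets with a local or remote port of 6667 (IRC) or 5190 (AIM)."""
    findings = []
    sock = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)")
    for line in lines:
        m = sock.match(line)
        if not m:
            continue
        proto, _, lport, _, rport = m.groups()
        ports = [int(lport)] + ([int(rport)] if rport.isdigit() else [])
        for port in ports:
            if port in FIZZER_PORTS:
                findings.append(f"{proto} on {port} ({FIZZER_PORTS[port]}): {line.strip()}")
                break
    return findings


def triage(reg_text, netstat_lines):
    """Run both checks; an empty list means none of the indicators was seen."""
    return check_registry(parse_reg_export(reg_text)) + check_netstat(netstat_lines)


# Constructed sample of a ``reg export`` of the two keys plus the Applications key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\Windows\\iservc.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\progop.exe 0 7 'C:\\Windows\\Notepad.exe %1' 'C:\\Windows\\initbak.dat' 'C:\\Windows\\iservc.exe'"

[HKEY_CLASSES_ROOT\Applications\progop.exe]
'''

# Constructed sample of ``netstat -an`` output from an infected host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:1043      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1044      203.0.113.8:5190       ESTABLISHED
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  UDP    192.168.1.20:137       *:*
""".splitlines()


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_NETSTAT):
        print("[!]", finding)
```

On a real host, feed it the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for the txtfile and Applications keys) together with `netstat -an`; the file names and ports are only indicators, so any hit should be confirmed with an up-to-date scanner rather than treated as proof on its own.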

Removal
Most antivirus software companies have updated their signature files to include this worm. Updated signatures will block new infections on contact and, in some cases, remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, MessageLabs, Sophos, Symantec, or Trend Micro.
