Threat Encyclopedia

Win32/Fizzer.A

W32/Fizzer, I-Worm.Fizzer, WORM_FIZZER.A

Win32/Fizzer.A is a worm that spreads as an attachment to e-mail messages and through the KaZaA peer-to-peer (P2P) network. It runs on Microsoft Windows 95/98/Me/NT/2000 and XP. It contains a component that enables communication with the infected computer over Internet Relay Chat (IRC).

Win32/Fizzer.A arrives in a message whose subject is chosen at random from dozens of preset German or English options. The message body is likewise chosen at random from predefined German or English strings. The name of the attached file carrying the worm is always randomly generated and has the extension EXE, PIF, COM or SCR.

Note: In the following text the symbolic notation %windir% stands for the directory in which the Windows operating system is installed; this of course differs from installation to installation. The notation %system% stands for the directory %windir%\System (Windows 9x) or %windir%\System32 (Windows NT, XP).

When Win32/Fizzer.A runs, it copies itself into the %windir% directory under the names iservc.exe and initbak.dat, and also creates the files iservc.dll and ProgOp.exe there. To ensure it is started on every boot, it creates the value SystemInit with the data %windir%\ISERVC.EXE under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. It also modifies the registry key HKEY_CLASSES_ROOT\txtfile\shell\open\command, setting its default value to:

@=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,50,72,6f,67,4f,70,2e,65,78,65,20,30,\
20,37,20,27,43,3a,5c,57,49,4e,44,4f,57,53,5c,4e,4f,54,45,50,41,44,2e,45,58,\
45,20,25,31,27,20,27,43,3a,5c,57,49,4e,44,4f,57,53,5c,69,6e,69,74,62,61,6b,\
2e,64,61,74,27,20,27,43,3a,5c,57,49,4e,44,4f,57,53,5c,49,53,45,52,56,43,2e,\
45,58,45,27

This convoluted entry is equivalent to setting the default value of the above key to @=C:\WINDOWS\ProgOp.exe 0 7 'C:\WINDOWS\NOTEPAD.EXE %1' 'C:\WINDOWS\initbak.dat' 'C:\WINDOWS\ISERVC.EXE', so that opening a .txt file launches ProgOp.exe instead of Notepad directly. Storing the value as raw hex (hex(2), i.e. REG_EXPAND_SZ) serves only to make the registry content harder to read.
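To make such a hex(2) entry readable and to flag a .txt handler that no longer points at Notepad, here is an added Python example (not ESET's code). The .reg text is constructed for the example from the entry above, in the ANSI REGEDIT4 format that matches its single-byte encoding; the parser is deliberately minimal.

```python
"""Decode hex(2) values from a .reg export and flag a hijacked .txt handler."""
import re

# Constructed sample in REGEDIT4 (ANSI) format; the bytes are the obfuscated
# txtfile\shell\open\command entry quoted in the Fizzer.A description.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,50,72,6f,67,4f,70,2e,65,78,65,20,30,\
  20,37,20,27,43,3a,5c,57,49,4e,44,4f,57,53,5c,4e,4f,54,45,50,41,44,2e,45,58,\
  45,20,25,31,27,20,27,43,3a,5c,57,49,4e,44,4f,57,53,5c,69,6e,69,74,62,61,6b,\
  2e,64,61,74,27,20,27,43,3a,5c,57,49,4e,44,4f,57,53,5c,49,53,45,52,56,43,2e,\
  45,58,45,27
"""

def _join_continuations(text):
    # In .reg syntax a trailing backslash continues the value on the next line.
    return re.sub(r"\\\r?\n[ \t]*", "", text)

def decode_reg_value(raw):
    """Return the string behind a .reg value in "quoted" or hex(N):aa,bb form.
    hex(2) is REG_EXPAND_SZ: NT-style exports store it as UTF-16LE, REGEDIT4
    exports as ANSI, so both encodings are handled."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \\ and \" escapes
    m = re.match(r"hex(?:\(\d+\))?:(.*)", raw, re.S)
    if not m:
        raise ValueError("unsupported value syntax: %r" % raw[:20])
    data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    if len(data) > 1 and not any(data[1::2]):       # every high byte is zero
        return data.decode("utf-16-le").rstrip("\0")
    return data.decode("cp1252").rstrip("\0")

def parse_reg(text):
    """Return {key_path: {value_name: decoded_string}} for a .reg export."""
    result, key = {}, None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result[key] = {}
        elif key and "=" in line and not line.startswith(";"):
            name, raw = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            result[key][name] = decode_reg_value(raw)
    return result

def txtfile_handler_hijacked(command):
    """True when the .txt open handler does not launch Notepad itself; a clean
    value looks like %SystemRoot%\\system32\\NOTEPAD.EXE %1."""
    exe = command.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
    return exe != "notepad.exe"

def check_sample():
    """Decode the constructed export and report whether the handler is hijacked."""
    key = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
    cmd = parse_reg(SAMPLE_REG)[key]["(Default)"]
    return cmd, txtfile_handler_hijacked(cmd)
```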

The worm terminates any process whose name contains one of the following strings: NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS and NMAIN. This kills many resident anti-virus programs. It then creates a mutex named SparkyMutex and connects to one of its predefined IRC servers. The complete list of servers is almost 15 KB in size.

The worm also copies itself into the directory of files shared through the KaZaA system. Win32/Fizzer.A also attempts to download the file sp1.7ls from http://www.geocities.com/updatesparky/.

Win32/Fizzer.A spreads to e-mail addresses collected from the Windows Address Book.

The file header contains the plainly readable text:

Sparky will reign.

NOD32 detects Win32/Fizzer.A as of version 1.407.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.