Win32/Fizzer Worm
13 May 2003

From: Alexander G. Chamandy, bhni.net
    703.486.0200

SYSTEMS AFFECTED

Windows 95           Windows 98
Windows NT           Windows 2000
Windows ME           Windows XP

OVERVIEW

Fizzer is a mass-mailing worm that is delivered as an e-mail attachment.  The
attachment uses various common executable file extensions to install the worm
on the local system.  Once installed, the worm connects to various locations
over Internet Relay Chat (IRC) and AOL Instant Messenger (AIM) connections to
await instructions from a remote attacker.  The worm is reported to contain a
keystroke logger, and it could be used as part of a botnet-controlled
Denial-of-Service (DoS) attack against specific targets.

IMPACT

Given the widespread use of Windows OS-based systems within the government
and private sectors, and the possibility of widespread propagation of this
worm and its successful use in DoS attacks, the potential impact is high.

DETAILS

The "from" address in the infected e-mails can be forged, so that the actual
sender is obscured and the e-mail appears to come from a familiar source.  The
subject line is also designed to entice the recipient to read the e-mail and
execute the attachment, which activates the worm on the local system.
Examples of some of the "from" addresses and subject lines can be found at
the URLs included below.

The worm attachment uses various common executable extensions to install
itself on the local system, once the recipient has opened the attachment.
These extensions can include .com, .exe, .pif, and .scr.

Delivery and propagation/replication methods of the infected attachments can
include:

1)  mass-mailing ability:

    a)  MS Outlook Contacts lists;

    b)  Windows Address Book (WAB);

    c)  Addresses on local systems;

    d)  Randomly-generated e-mail addresses;

2)  Internet Relay Chat (IRC);

3)  AOL Instant Messenger (AIM);

4)  KaZaa file-sharing services (ftp).


Components of the worm can include:

1)     An SMTP engine;

2)     HTTP services (via port 81);

3)     Self-updating mechanisms (via the IRC functions noted);

4)     Anti-virus software process terminations (to prevent
       detection/removal by AV services).


Symptoms include but are not limited to:

1)     Unexpected traffic on port 6667 (port use confirmed); additional IRC
       ports in 6660-6669 range possible (currently unconfirmed);

2)     Unexpected traffic on port 5190 (AIM);

3)     Unauthorized HTTP traffic on port 81.
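The three symptoms above can be checked against connection logs.  As an added example that is not part of this advisory, the following Python script scans constructed firewall-style log lines for connections to the IRC port range 6660-6669, the AIM port 5190, and HTTP on port 81, and attributes each hit to the host the advisory implicates; the log line format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the advisory); the line format
# "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>" is an assumption.
SAMPLE_LOG = """\
2003-05-13T10:01:02 ALLOW TCP 10.0.0.5:1043 -> 192.0.2.10:6667
2003-05-13T10:01:05 ALLOW TCP 10.0.0.5:1044 -> 192.0.2.11:5190
2003-05-13T10:01:09 ALLOW TCP 10.0.0.7:2201 -> 198.51.100.3:80
2003-05-13T10:02:14 ALLOW TCP 10.0.0.9:1100 -> 10.0.0.5:81
2003-05-13T10:02:30 ALLOW TCP 10.0.0.7:2202 -> 198.51.100.3:443
2003-05-13T10:03:01 ALLOW TCP 10.0.0.12:3310 -> 192.0.2.20:6669
"""

LINE_RE = re.compile(
    r"^\S+ \S+ \S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports taken from the advisory's symptom list.
IRC_PORTS = range(6660, 6670)  # 6667 confirmed, rest of range unconfirmed
AIM_PORT = 5190
HTTP_ALT_PORT = 81             # the worm's own HTTP service

def classify(dport):
    """Map a destination port to an advisory symptom label, or None."""
    if dport in IRC_PORTS:
        return "IRC"
    if dport == AIM_PORT:
        return "AIM"
    if dport == HTTP_ALT_PORT:
        return "HTTP-81"
    return None

def find_suspect_hosts(log_text):
    """Return {host: sorted symptom labels} for hosts showing a symptom.
    IRC/AIM implicate the connecting host (the worm calls out); port 81
    implicates the destination (the worm serves HTTP there)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines not in the assumed format
        symptom = classify(int(m["dport"]))
        if symptom is None:
            continue
        host = m["dst"] if symptom == "HTTP-81" else m["src"]
        hits[host].add(symptom)
    return {host: sorted(s) for host, s in hits.items()}
```

Running find_suspect_hosts(SAMPLE_LOG) on the constructed log flags 10.0.0.5 with all three symptoms and 10.0.0.12 with IRC only; ordinary web traffic on 80 and 443 is not reported.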


RECOMMENDATIONS/SOLUTIONS

The DHS is working with other government agencies, network security experts,
and industry representatives to define, prioritize, and mitigate these
vulnerabilities.  The DHS suggests that you implement industry "best
practices."  Additionally, manual removal instructions, current virus
definitions, and updated information may be found at the following URLs:

CERT-CC (Carnegie-Mellon University) -

http://www.cert.org/current/current_activity.html#peido

McAfee (W32/Fizzer@MM)   -

http://vil.nai.com/vil/content/v_100295.htm

Symantec (W32.HLLW.Fizzer@mm) -

http://www.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html

Trend Micro (Worm FIZZER.A) -

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FIZZER.A