NEW Virus W32/Fizzer



Nick VR4
12-05-2003, 01:09 PM
http://vil.nai.com/vil/content/v_100295.htm
WARNING

This mass-mailing worm has many components and an internal timer to trigger different processes at different times. These include:
Mass-mailing itself to addresses gathered from different places
  Outlook Contacts list
  Windows Address Book (WAB)
  Addresses found on the local system
  Randomly manufactured addresses
IRC bot (Internet Relay Chat)
AIM bot (AOL Instant Messenger)
Keylogger
KaZaa worm
HTTP server
Remote access server
Self-updating mechanism
Anti-virus software termination
The worm contains its own SMTP engine and uses the default SMTP server as specified in the Internet Account Manager registry settings. It can also use any one of several hundred different external SMTP servers.
The worm arrives as an email attachment in various messages. The from address can be forged such that the apparent sender is not the actual sender. Message body and subject lines vary, as do attachment names. Attachments use standard executable extensions (.com, .exe, .pif, .scr). Such as:


Subject: why?
Body: The peace
Attachment: desktop.scr
Subject: Re: You might not appreciate this...
Body: lautlach
Attachment: service.scr
Subject: Re: how are you?
Body: I sent this program (Sparky) from anonymous places on the net
Attachment: Jesse20.exe
Subject: Fwd: Mariss995
Body: There is only one good, knowledge, and one evil, ignorance.
Attachment: Mariss995.exe
Subject: Re: The way I feel - Remy Shand
Body: Nein
Attachment: Jordan6.pif
When the attachment is run, the worm extracts several files to the WINDOWS (%WinDir%) directory.
initbak.dat (220,160 bytes) - A copy of the worm
iservc.exe (220,160 bytes) - A copy of the worm
ProgOp.exe (15,360 bytes) - Process handling
iservc.dll (7,680 bytes) - Handles timing and windows hooking/keylogging
The worm creates a registry run key to load itself at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SystemInit" = C:\WINDOWS\ISERVC.EXE
It also modifies the handling of files with a .TXT extension, such that accessing a .TXT file results in the worm being run:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
"(Default)" = C:\WINDOWS\ProgOp.exe 0 7 'C:\WINDOWS\NOTEPAD.EXE %1' 'C:\WINDOWS\initbak.dat' 'C:\WINDOWS\ISERVC.EXE'
It creates a new CLASSES ROOT key with a similar association:
HKEY_CLASSES_ROOT\Applications\ProgOp.exe
On WinNT/2K/XP systems the worm creates a service named S1TRACE.
Mailing routine
After several minutes, the worm uses its own SMTP engine to send itself to all addresses on the Outlook Contacts List. It also sends itself to random addresses. Such as:

Part 1
Random name (from internal list)
Part 2
Random number (optional)
Part 3
@Random domain (from internal list)
aol.com
earthlink.com
gte.net
hotmail.com
juno.com
msn.com
netzero.com
yahoo.com
The subject and message body are constructed from a large list of English and German words and phrases carried within the virus body. The attachment name is also constructed from a list of names followed by a number followed by .com, .exe, .pif, or .scr. Additionally, filenames may be chosen by copying the name of a valid file on the infected sender's machine (i.e. desktop.ini -> desktop.scr).
IRC Bot
The worm pings many different IRC servers. When it receives a reply, it connects to a channel on that server using many different internal usernames, and waits for further instructions from an attacker. The list of IRC servers includes:

irc2p2pchat.net
irc.idigital-web.com
irc.cyberchat.org
irc.othernet.org
irc.beyondirc.net
irc.chatx.net
irc.cyberarmy.com
irc.gameslink.net
AOL Bot
The worm connects to an AIM site to register a new, randomly named, user (in a similar fashion to the AIM-Canbot trojan). It then connects to an AIM chat server on port 5190, joins a chat session, and listens for further instructions.
Self-updating
The worm connects to a geocities user page to download updates. However, at the time of this writing that user site did not exist.

Keylogger
The worm captures typed keystrokes and stores them in an encrypted file named iservc.klg within the Windows directory.

KaZaa worm
The worm retrieves the default download directory for KaZaa from the registry and copies itself to that location using random filenames.

HTTP server
The worm runs an HTTP server on a configured port. The webserver acts as a command-console, displaying information about the infected system (System time, connection information, OS version, IRC and AIM information). It also allows an attacker to kick-off certain functions, such as a Denial of Service attack, mail propagation, AOL/IRC bot commands, and anti-virus software termination.

Remote access server
The worm creates a remote console by listening on a configured TCP port.

Anti-virus software termination
The worm attempts to terminate processes that contain the following phrases in their names:

ANTIV
AVP
F-PROT
NMAIN
SCAN
TASKM
VIRUS
VSHW
VSS
More details will be posted shortly.



Symptoms
- Unexpected traffic on port 6667 (IRC) or 5190 (AIM)
- Presence of the aforementioned filenames and registry keys


Method Of Infection
This worm spreads via KaZaa and email, mass-mailing itself to many addresses and sometimes forging the sender address. It is received as an executable attachment and requires users to "double-click" on the virus in order to get infected.
The worm stores various compressed information in its resource section. This information can vary from sample to sample resulting in different lengths of infected files.
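As an added example (not part of this thread or of McAfee's write-up), here is a small Python check that looks for the host indicators the description lists: the dropped filenames in %WinDir%, the "SystemInit" run key, the hijacked .TXT open command, the S1TRACE service, and connections to ports 6667 (IRC) or 5190 (AIM) in netstat-style output. The registry dictionary, directory listing, service list and netstat lines below are constructed sample data; on a real machine you would feed it the output of a registry export, a directory listing, "sc query" and "netstat -an".

```python
import re

# Indicators taken from the W32/Fizzer description quoted above
FIZZER_FILES = {"initbak.dat", "iservc.exe", "progop.exe", "iservc.dll", "iservc.klg"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXT_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
SERVICE_NAME = "s1trace"
SUSPECT_PORTS = {6667: "IRC", 5190: "AIM"}


def check_registry(values):
    """values maps (key path, value name) -> data string, as read from a registry export.
    Returns a list of human-readable findings."""
    findings = []
    run = values.get((RUN_KEY, "SystemInit"), "")
    if "iservc.exe" in run.lower():
        findings.append("Run key SystemInit launches " + run)
    handler = values.get((TXT_KEY, "(Default)"), "")
    # A clean .TXT handler is notepad alone; ProgOp.exe in front of it is the worm's wrapper
    if "progop.exe" in handler.lower():
        findings.append(".TXT open command hijacked: " + handler)
    return findings


def check_files(windir_listing):
    """Return the worm's dropped filenames that are present in the %WinDir% listing."""
    return sorted(n for n in windir_listing if n.lower() in FIZZER_FILES)


def check_services(service_names):
    """Return any installed service whose name matches the one the worm creates."""
    return [s for s in service_names if s.lower() == SERVICE_NAME]


# Matches lines of the form: TCP  local_ip:port  remote_ip:port  STATE
CONN_RE = re.compile(r"^(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def check_connections(netstat_lines):
    """Parse netstat -an style lines and report connections whose remote port is
    6667 (IRC) or 5190 (AIM), the traffic symptom the advisory lists."""
    hits = []
    for line in netstat_lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        remote_host, remote_port = m.group(4), int(m.group(5))
        if remote_port in SUSPECT_PORTS:
            hits.append((remote_host, remote_port, SUSPECT_PORTS[remote_port]))
    return hits


# Constructed sample data standing in for a host that shows every indicator
SAMPLE_REGISTRY = {
    (RUN_KEY, "SystemInit"): r"C:\WINDOWS\ISERVC.EXE",
    (TXT_KEY, "(Default)"): (r"C:\WINDOWS\ProgOp.exe 0 7 'C:\WINDOWS\NOTEPAD.EXE %1' "
                             r"'C:\WINDOWS\initbak.dat' 'C:\WINDOWS\ISERVC.EXE'"),
}
SAMPLE_WINDIR = ["explorer.exe", "notepad.exe", "initbak.dat", "iservc.exe",
                 "ProgOp.exe", "iservc.dll", "win.ini"]
SAMPLE_SERVICES = ["Spooler", "S1TRACE", "EventLog"]
SAMPLE_NETSTAT = [
    "TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "TCP    192.168.1.5:1044       203.0.113.7:6667       ESTABLISHED",
    "TCP    192.168.1.5:1045       198.51.100.9:80        ESTABLISHED",
    "TCP    192.168.1.5:1046       203.0.113.22:5190      SYN_SENT",
]


def run_check(registry=SAMPLE_REGISTRY, windir=SAMPLE_WINDIR,
              services=SAMPLE_SERVICES, netstat=SAMPLE_NETSTAT):
    """Run every check and collect the results by area."""
    return {
        "registry": check_registry(registry),
        "files": check_files(windir),
        "services": check_services(services),
        "connections": check_connections(netstat),
    }


if __name__ == "__main__":
    for area, result in run_check().items():
        print(area + ":", result)
```

Each check returns its findings rather than printing them, so the same functions can be dropped into a larger host-inspection script; an empty result in every area means none of the listed indicators was seen, not that the machine is clean, since the advisory notes the dropped files and resource data vary between samples.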

Roadrunner
12-05-2003, 02:09 PM
Jeez, I have trouble programming the video recorder and some people can do all this .... ;)

Nick VR4
12-05-2003, 02:26 PM
Originally posted by H.7
Jeez, I have trouble programming the video recorder and some people can do all this .... ;)

Yeah but programming the VCR you don't get arrested :D

A guy last week was arrested at a computer show. He was a virus writer, made it a bit too common to people and on forums.

Spirit
12-05-2003, 05:32 PM
Originally posted by Nick VR4


A guy last week was arrested at a computer show. He was a virus writer, made it a bit too common to people and on forums.

Well he was VERY clever then wasn't he ! What a t***er !

Pete

BraindG
12-05-2003, 05:37 PM
Basically don't open any attachments from people you don't know, virus check EVERYTHING you download from kazaa/Direct connect/warez, keep your virus checker up-to-date, and you won't have any problems.