Phogphire1

Joined: 05 Apr 2003 Posts: 293 Location: Portland, OR
Posted: Tue May 13, 2003 4:18 pm Post subject: OT : Update your Virus scanners -Worm 'Fizzer'
I rarely post virus warnings or forward them, except I almost fell victim today; thankfully I update my virus database religiously. Update your virus scanner database; AVG has an update as of 5/12/03. Links about the Fizzer worm/trojan - antivirus disabler are below. Fizzer (also known as W32.HLLW.Fizzer@mm or WORM_FIZZER.A) can log keystrokes, and installs a Trojan Horse that could allow a hacker to take control of a user's PC. The worm also attempts to block the operation of anti-virus software.
http://www.symantec.com/avcenter/venc/dyn/33483.html
http://www.news.com.au/common/story_page/0,4057,6428276%255E15306,00.html
http://zdnet.com.com/2100-1105_2-1001062.html
'Fizzer' Computer Virus Spreading Faster
LOS ANGELES (Reuters) - A new and complex computer virus called "Fizzer" spread rapidly across the Internet on Monday, infecting computers across the world via e-mail and the file-swapping service Kazaa, computer security experts said.
Businesses in Asia were the first to report the attack, followed by reports of tens of thousands of infections in Europe, and experts were expecting more cases in North America.
"It first appeared last Thursday and started out rather slowly," said Vincent Gullotto, who heads up an anti-virus response Team at Network Associates Inc. in Beaverton, Oregon.
Fizzer was a complex virus that combined previously known tactics from other malicious viruses, Gullotto said.
There was no threat that Fizzer would cause widespread damage similar to the disruption caused by the "SQL Slammer" in January, which bogged down computer networks across the globe, Gullotto said.
Instead, Fizzer appears as an e-mail with an attention-grabbing subject line that is activated once a user opens an attached file.
From there, it infects the shared file folder for Kazaa, the popular program that lets users swap songs and files anonymously over the Internet.
That allows Fizzer to spread to other computers, find information for other contacts in Microsoft Corp.'s Outlook e-mail program and mail itself to more people.
British-based virus detection firm MessageLabs recorded 17,765 cases in 24 hours to 11:30 a.m. EDT. "We've upgraded it to high-risk just for the fact that we've seen so many in the last day," said Mark Toshack, a virus analyst at MessageLabs.
The worm also has the capability to disable computer users' anti-virus and firewall software, but is otherwise not a threat to users' personal files. The biggest headache was the extra traffic it generated, bogging down corporate networks.
"It sends an e-mail message with varying format to all the addresses found in the Windows Address Book and Microsoft Outlook," Japanese security firm Trend Micro said.
The worm arrives as a file attachment with a .EXE, .PIF, .COM, or .SCR extension.
Other security software makers issued similar warnings through their Web sites, including U.S. firm Symantec Corp. and Finland's F-Secure. (Additional reporting by Carrie Lee in Hong Kong and Bernhard Warner in London)
05/12/03 14:32
A very clever mass-mailing worm is spreading rapidly across the Internet.
Fizzer (w32.fizzer@mm) has many different components, each timed to trigger different processes, making it quite difficult to contain.
The worm spreads via e-mail and includes its own SMTP engine to bypass any security your e-mail client may have. Fizzer also spreads via Kazaa, a popular file-sharing application.
The worm is self-updating, connecting to a GeoCities account for the latest update, and it also establishes its own accounts on Internet Relay Chat (IRC) and AOL Instant Messenger, in order to await further instructions from the virus author.
Fizzer attempts to disable any antivirus program running at the time of infection. Systems infected with Fizzer could be used in distributed denial-of-service (DDoS) attacks on other computers.
Fizzer includes a keystroke-logging Trojan horse, which can be used to steal passwords and credit card information.
Because Fizzer spreads via e-mail and Kazaa, contains a keystroke-logging Trojan horse, and could be used in a DDoS attack, this worm rates a 7 on the ZDNet Virus Meter.
How it works
Fizzer arrives as e-mail with several possible subject lines and body texts. The From: address can be forged and therefore should not be trusted. Fizzer's attached files contain one of the following extensions: .com, .exe, .pif and .scr.
If a user opens the attached file or otherwise activates the worm, three files are added to the Windows directory:
initbak.dat, which is a copy of the worm
iservc.exe, which is a copy of the worm
progop.exe
iservc.dll, which contains the keystroke logging Trojan
According to McAfee, Fizzer modifies the system Registry in the following ways:
Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Run "SystemInit" = C:\Windows\iservc.exe
Hkey_classes_root\txtfile\shell\open\command "(Default)" = C:\Windows\progop.exe 0 7 'C:\Windows\Notepad.exe %1' 'C:\Windows\initbak.dat' 'C:\Windows\iservc.exe'
Hkey_classes_root\Applications\progop.exe
On Windows NT, 2000, and XP systems, Fizzer also creates a service named S1Trace.
This worm listens for external Internet traffic in various ways. Signs of infection include unexpected traffic on port 6667 (IRC) and 5190 (AIM).
Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, MessageLabs, Sophos, Symantec, or Trend Micro.
_________________ Extremism in the defense of liberty is no vice. And moderation in the pursuit of justice is no virtue.
Life, Liberty and the Pursuit of those that dare screw with it.
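An added example, not part of the original post or the quoted articles: a Python triage over artifacts already collected from a Windows host, checking only the indicators listed above (the four file names, the SystemInit Run value, the progop.exe txtfile handler, the S1Trace service, and ports 6667 and 5190). The function names and the sample data are constructed for illustration.

```python
import re

# Indicators as listed in the write-up quoted in the post.
WORM_FILES = {"initbak.dat", "iservc.exe", "progop.exe", "iservc.dll"}
RUN_VALUE, SERVICE = "systeminit", "s1trace"
PORTS = {6667: "IRC", 5190: "AIM"}
NETSTAT = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):(\d+)\s+(\S+)")

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path.strip())[-1].lower()

def triage(windows_dir, run_key, txt_open_cmd, services, netstat_lines):
    """Return (kind, detail) findings from artifacts collected off one host."""
    findings = [("file", n) for n in sorted({basename(p) for p in windows_dir} & WORM_FILES)]
    for value, data in run_key.items():
        if value.lower() == RUN_VALUE or basename(data) in WORM_FILES:
            findings.append(("run-key", f"{value} = {data}"))
    # A clean txtfile handler launches Notepad directly, not via progop.exe.
    if "progop.exe" in txt_open_cmd.lower():
        findings.append(("txt-handler", txt_open_cmd))
    if SERVICE in {s.lower() for s in services}:
        findings.append(("service", "S1Trace"))
    for line in netstat_lines:
        m = NETSTAT.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        local, remote_host, remote = int(m[1]), m[2], int(m[3])
        port = remote if remote in PORTS else local if local in PORTS else None
        if port is not None:
            findings.append(("network", f"{remote_host} port {port} ({PORTS[port]})"))
    return findings

def verdict(findings):
    """Host artifacts are strong evidence; IRC/AIM traffic alone only warrants review."""
    kinds = {k for k, _ in findings}
    if kinds - {"network"}:
        return "likely infected"
    return "review" if kinds else "clean"

# Constructed sample data (not from a real host).
SAMPLE = dict(
    windows_dir=[r"C:\Windows\notepad.exe", r"C:\Windows\ISERVC.EXE", r"C:\Windows\initbak.dat"],
    run_key={"SystemInit": r"C:\Windows\iservc.exe"},
    txt_open_cmd=r"C:\Windows\progop.exe 0 7 'C:\Windows\Notepad.exe %1'",
    services=["Spooler", "S1Trace"],
    netstat_lines=["  TCP    192.168.1.20:1043   203.0.113.7:6667   ESTABLISHED"],
)
```

Calling `verdict(triage(**SAMPLE))` classifies the constructed host; a machine whose only hit is IRC or AIM traffic comes back as "review" rather than "likely infected", since those ports also carry legitimate chat clients.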