Welcome to the Virus Encyclopedia of Panda Security.
Fizzer
At a glance
Common name: Fizzer
Technical name: W32/Fizzer
Threat level: Medium
Type: Worm
Effects: It captures the keystrokes entered in the affected computer, ends processes that mainly belong to antivirus programs and acts as a backdoor Trojan.
Affected platforms: Windows XP/2000/NT/ME/98/95
First detected on: May 8, 2003
Detection updated on: Aug. 24, 2005
Statistics: No
Proactive protection: Yes, using TruPrevent Technologies
Brief Description
Fizzer is a dangerous worm, as it is programmed to capture the keystrokes entered in the affected computer and save them in a text file. Fizzer also acts as a backdoor type Trojan, allowing a hacker to gain remote access to the resources of the affected computer. Fizzer also contains instructions for ending processes active in memory, which mainly belong to antivirus programs. This worm mainly spreads via e-mail. It sends a copy of itself to all the contacts it finds in the Outlook and Windows Address Books. Fizzer also spreads through the P2P (peer-to-peer) file sharing program KaZaA.
Visible Symptoms
Fizzer is difficult to recognize, as it does not display any warnings or messages that indicate that it has infected a computer.
Tech details
Effects
Fizzer has the following effects on infected computers:
- It captures the keystrokes entered in the affected computer and saves them in a text file called ISERVC.KLG, which it creates in the Windows directory. Then it encrypts this file. If hackers obtained this file, they would be able to access the confidential information belonging to the user of the affected computer, such as passwords for accessing Internet services, bank accounts, etc.
- It is programmed to end processes active in memory, which mainly belong to antivirus programs. In order to do this, it looks for processes whose name starts with one of the following strings and, if it finds one, ends it: NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS, NMAIN.
- It acts as a backdoor type Trojan, allowing a hacker to gain remote access to the resources of the affected computer.
Infection strategy
Fizzer creates the following files in the Windows directory.
It also creates another copy of itself in the Windows Temporary directory:
Fizzer creates the following keys in the Windows Registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SystemInit = %Windir%\ISERVC.EXE
By creating this key, Fizzer ensures it is run every time the computer is started up.
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = C:\WINDOWS\ProgOp.exe 0 7 'C:\WINDOWS\NOTEPAD.EXE %1' 'C:\WINDOWS\initbak.dat' 'C:\WINDOWS\ISERVC.EXE'
By creating this key, Fizzer ensures it is run every time a text file is opened.
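As an added illustration, not part of the Panda entry, the following Python audits an exported .reg file for the two persistence values described above (the Run-key entry and the hijacked txtfile open handler). The export text, the clean Notepad handler and the helper names are constructed assumptions.

```python
# Indicators taken from the entry above: the worm's Run-key value and its hijacked
# txtfile handler. Everything else here (sample exports, helper names) is constructed.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
WORM_EXE = "ISERVC.EXE"

# Constructed .reg export reproducing the two values the entry lists.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="%Windir%\\ISERVC.EXE"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\ProgOp.exe 0 7 'C:\\WINDOWS\\NOTEPAD.EXE %1' 'C:\\WINDOWS\\initbak.dat' 'C:\\WINDOWS\\ISERVC.EXE'"
'''
# Constructed clean export: the handler launches Notepad directly (assumed default value).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}}.
    Only REG_SZ lines ("Name"="data" or @="data") are handled."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            reg[current][name] = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
    return reg

def audit_fizzer_indicators(reg):
    """Return findings for the persistence values described in the entry."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if WORM_EXE in data.upper():
            findings.append(f"Run-key persistence: {name} = {data}")
    cmd = reg.get(TXTFILE_KEY, {}).get("(Default)", "")
    first = cmd.split()[0].upper() if cmd.split() else ""
    # A clean handler starts with NOTEPAD.EXE itself; Fizzer puts its wrapper in front.
    if cmd and (WORM_EXE in cmd.upper() or not first.endswith("NOTEPAD.EXE")):
        findings.append(f"txtfile open handler hijacked: {cmd}")
    return findings
```

Running `audit_fizzer_indicators(parse_reg_export(INFECTED_EXPORT))` reports both values, while the clean export yields no findings.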
In order to carry out backdoor type Trojan actions, Fizzer follows the routine below:
- It connects to certain IRC servers. For a list of the servers that Fizzer connects to, click here.
- When it establishes this connection, it enters a certain channel and waits until it can connect to a remote access client.
- When this connection is established, the remote access client can gain remote access to the resources on the affected computer.
Means of transmission
Fizzer mainly spreads via e-mail and the P2P (peer-to-peer) file sharing program KaZaA:
1- Transmission via e-mail
When it has infected a computer, it uses its own SMTP engine to send an e-mail message that includes a copy of the worm to the following recipients:
All the contacts it finds in the Outlook and Windows Address Books (WAB file).
Recipients with a name generated at random and one of the following domains: msn.com, hotmail.com, yahoo.com, aol.com, earthlink.net, gte.net, juno.com or netzero.com.
The message it sends out via e-mail has variable characteristics. In order to see the characteristics of these messages, click here.
Fizzer creates a false address which appears as the sender of the e-mail message. This can cause confusion. For more information, click here.
2- Transmission via KaZaA
In order to spread through this P2P file sharing program, it follows the routine below:
- It creates several copies of itself in the shared directory. These files will have random names.
- Other KaZaA users will be able to access this shared directory. These users will download these files to their computer, thinking that they are getting an interesting application, when they are actually downloading a copy of the worm.
- When the users run these files, they will also be infected.