YOU’RE NOT VIEWING PANDA SECURITY USA. CLICK TO IMPROVE YOUR EXPERIENCE
VISIT PANDA SECURITY USA
x
48h OFFER
If you're already a customer of
our homeusers protection,
renew now with 50% off
RENEW NOW
x
48-HOUR OFFER
50%
RENEWALS
Home users only
RENEW AT A DISCOUNT
x
SPECIAL OFFER
If you're already a customer of
our homeusers protection,
renew now with 50% off
RENEW NOW
x
HALLOWEEN OFFER
take advantage of our
terrific discounts
BUY NOW AND GET 50% OFF
x
SPECIAL OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET 50% OFF
x
SPECIAL OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET 50% OFF
x
UP TO
-60%
BUY NOW
x
UP TO
-60%
BUY NOW
Active Scan. Scan your PC free

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Fizzer

Threat LevelHigh threatDamageSevereDistributionNot widespread

Effects 

Fizzer has the following effects on infected computers:

  • It captures the keystrokes entered in the affected computer and saves them in a text file called ISERVC.KLG, which it creates in the Windows directory. Then it encrypts this file. If hackers obtained this file, they would be able to access the confidential information belonging to the user of the affected computer, such as passwords for accessing Internet services, bank accounts, etc.
  • It is programmed to end processes active in memory, which mainly belong to antivirus programs. In order to do this, it looks for processes whose name starts with one of the following frases and if it finds one, it ends it:
    NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS, NMAIN
  • It acts as a backdoor type Trojan, allowing a hacker to gain remote access to the resources of the affected computer.

Infection strategy 

Fizzer creates the following files in the Windows directory.

  • INITBAK.DAT and ISERVC.EXE. These files are copies of the worm.
  • ISERVC.DLL and PROGOP.EXE. It needs these files to function correctly.

It also creates another copy of itself in the Windows Temporary directory:

  • ISERVC.EXE

Fizzer creates the following keys in the Windows Registry:

  • HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    SystemInit = % Windir% \ISERVC.EXE

    By creating this key, Fizzer ensures it is run every time the computer is started up.
  • HKEY_CLASSES_ROOT\ txtfile\ shell\ open\ command
    (Default) = C:\WINDOWS\ ProgOp.exe 0 7 'C:\WINDOWS\NOTEPAD.EXE %1'
    'C:\WINDOWS\initbak.dat' 'C:\WINDOWS\ISERVC.EXE'
     
    By creating this key, Fizzer ensures it is run every time a text file is opened.

In order to carry out backdoor type Trojan actions, Fizzer follows the routine below:

  • It connects to certain IRC servers. For a list of the servers that Fizzer connects to, click here.
  • When it establishes this connection, it enters a certain channel and waits until it can connect to a remote access client.
  • When this connection is established, the remote access client can gain remote access to the resources on the affected computer

Means of transmission 

Fizzer mainly spreads via e-mail and the P2P (peer-to-peer) file sharing program KaZaA:

1- Transmission via e-mail

When it has infected a computer, it uses its own SMTP engine to send an e-mail message that includes a copy of the worm to to the following recipients:

  • All the contacts it finds in the Outlook and Windows Address Books (WAB file). 
  • Recipients with a name generated at random and one the following domains: msn.com, hotmail.com, yahoo.comaol.comearthlink.netgte.netjuno.com or netzero.com.

The message it sends out via e-mail has variable characteristics. In order to see the characteristics of these messages, click here.

Fizzer creates a false address which appears as the sender of the e-mail message. This can cause confusion. For more information, click here.

2- Transmission via KaZaA

In order to spread through this P2P file sharing program, it follows the routine below:

  • It creates several copies of itself in the shared directory. These file will have random names.
  • Other KaZaA users will be able to access this shared directory. These users will download these files to their computer, thinking that they are getting an interesting application, when they are actually downloading a copy of the worm.
  • When the users run these files, they will also be infected.

ARE YOU FACING ANY PC OR INTERNET RELATED PROBLEMS?
FREE SUPPORT INCLUDED. CALL US 24/7

powered by Anytech365