Worm_Fizzer.A or W32.HLLW.Fizzer@mm or W32/Fizzer@MM
A new worm, known as W32.HLLW.Fizzer@mm, WORM_FIZZER.A or W32/Fizzer@MM, is spreading fast on the Internet. The worm arrives as an email attachment. The worm:
- Is a mass-mailing worm that sends itself to all the contacts in the Windows Address Book.
- Contains a backdoor capability that uses mIRC to communicate with a remote attacker.
- Also contains a keylogger and attempts to spread through the KaZaA file-sharing network.
- Attempts to terminate the processes of various antivirus programs if they are found to be active.
The worm contains its own SMTP engine and uses the default SMTP server as specified in the Internet Account Manager registry settings. It can also use any one of several hundred different external SMTP servers.
The worm arrives as an email attachment in various messages. The From address can be forged (spoofed) using addresses found on the victim machine, so the apparent sender is not the actual sender. Message bodies and subject lines vary, as do attachment names. Attachments use standard executable extensions (.com, .exe, .pif, .scr). Examples include:
Body: The peace
Subject: Re: You might not appreciate this...
Subject: Re: how are you?
Body: I sent this program (Sparky) from anonymous places on the net
Subject: Fwd: Mariss995
Body: There is only one good, knowledge, and one evil, ignorance.
Subject: Re: The way I feel - Remy Shand
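A mail-gateway check for the attachment extensions listed above, shown as an added example that is not part of the original advisory; the function names, addresses and sample message are constructed for illustration. It goes slightly beyond the text by also handling mixed case, double extensions, and trailing dots or spaces in the file name.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the advisory lists for this worm.
BLOCKED_EXTENSIONS = {".com", ".exe", ".pif", ".scr"}


def final_extension(name: str) -> str:
    """Return the lower-cased last extension of a file name, or ''."""
    # Windows ignores trailing dots and spaces, so "x.scr. " still runs as .scr.
    cleaned = name.strip().rstrip(". ").lower()
    dot = cleaned.rfind(".")
    return cleaned[dot:] if dot != -1 else ""


def blocked_attachments(raw_message: bytes) -> list:
    """Return the attachment file names whose final extension is blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() decodes RFC 2231 names and falls back to the
        # Content-Type "name" parameter when Content-Disposition has none.
        name = part.get_filename()
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Constructed message: the subject is one of the advisory's samples,
    the addresses, body and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Fwd: Mariss995"
    m.set_content("constructed body text")
    m.add_attachment(b"placeholder-bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname in ("Mariss995.pif", "photo.jpg.SCR", "report.pdf"):
        print(fname, "->", blocked_attachments(build_sample(fname)))
```

Because subjects, bodies and sender addresses vary and can be forged, the check keys only on the attachment name and ignores the other headers.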
For additional information, the URLs describing this worm can be obtained from the following:
The removal tool can be downloaded from our AIT-FTP server at URL: ftp://ftp.ait.ac.th/anti-virus/FixFiz.exe