© Asian Institute of Technology,
P.O. Box 4, Klong Luang,
Pathumthani 12120, Thailand
Tel: (66 2) 524 6082
Email: helpdesk@ait.ac.th

back

  Worm_Fizzer.A or W32.HLLW.Fizzer@mm or W32/Fizzer@MM

     A New Worm W32.HLLW.Fizzer@mm or WORM_FIZZER.A or W32/Fizzer@MM is fast spreading on the Internet. The worm arrives as an email attachment. The worm:

- Is a mass-mailing worm that sends itself to all the contacts in the Windows Address Book.
- Contains a backdoor capability that uses mIRC to communicate with a remote attacker.
- Also contains a keylogger and attempts to spread through the KaZaA file-sharing network.
- Attempts to terminate the processes of various antivirus programs if they are found to be active

     The worm contains its own SMTP engine and uses the default SMTP server as specified in the Internet Account Manager registry settings. It can also use any one of several hundred different external SMTP servers.

     The worm arrives as an email attachment in various messages. The from address can be forged (or spoofed) from addresses on the victim machine, such that the apparent sender is not the actual sender. Message body and subject lines vary, as do attachment names. Attachments use standard executable extensions (.com, .exe, .pif, .scr). Such as:

Subject: why?
Body: The peace
Attachment: desktop.scr

Subject: Re: You might not appreciate this...
Body: lautlach
Attachment: service.scr

Subject: Re: how are you?
Body: I sent this program (Sparky) from anonymous places on the net
Attachment: Jesse20.exe

Subject: Fwd: Mariss995
Body: There is only one good, knowledge, and one evil, ignorance.
Attachment: Mariss995.exe

Subject: Re: The way I feel - Remy Shand
Body: Nein
Attachment: Jordan6.pif

For additional information, The URLs describing this worm can be obtained from the following:

http://www.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FIZZER.A
http://vil.mcafee.com/dispVirus.asp?virus_k=100295

The removal tool can be downloaded from our AIT-FTP server at URL: ftp://ftp.ait.ac.th/anti-virus/FixFiz.exe