Threat behavior
The Win32/Fizzer worm file contains strings that determine the worm's behavior, such as whether to log keystrokes or run as a service. The strings also configure other settings, such as the names of files and folders that the worm uses.
Win32/Fizzer variants may perform actions such as the following:
- Exit under either of the following conditions:
  - A mutex named SparkyMutex is present.
  - A specified file is in a certain location, such as a file named Uninstall.pky in the Windows folder. Before exiting, Win32/Fizzer deletes the file.
- Terminate antivirus processes.
- Run as a service.
- Copy itself to a file named iservc.exe or initbak.dat in the Windows folder.
- Modify the registry, as follows:
  - Create registry value: SystemInit
    containing data: <Windows folder>\iservc.exe
    in registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  - Set value: default
    with data: %windir%\progop.exe 0 7 '<data in this registry value prior to infection>' '%windir%\initbak.dat' '%windir%\iservc.exe'
    in registry key: HKEY_CLASSES_ROOT\txtfile\shell\open\command
    This registry modification causes progop.exe to run in the background each time a .txt file is opened. The progop.exe process may then overwrite iservc.exe with initbak.dat.
- Specify and save settings and results, as follows:
  - Create a log file named chatlog.txt and a configuration file named chatrect.dat.
  - Save its window position settings in a file named caprect.dat.
  - Create a backup folder named SpkyBackup in the Windows folder.
  - Drop ProgOp.exe in the Windows folder. When ProgOp.exe runs, it may drop iservc.exe to the user's temporary folder and run it. Microsoft detects ProgOp.exe as Win32/Fizzer.A and iservc.exe as Win32/Fizzer.A@mm.
- Send and receive data in the following ways:
  - Open a proxy server.
  - Drop a keylogger named iservc.dll in the Windows folder. Microsoft detects this keylogger as Win32/Fizzer.A.dll. The worm may create a backup of the keylogger named wavckb.dlb in the Windows folder. The keylogger log file may be named iservc.klg and may also be saved in the Windows folder.
  - Exchange data through various TCP ports. For example, the worm may receive commands through port 2018 and files through port 2019, host a remote console on port 2020, and send video streams from port 2021. The worm may also open an HTTP server for backdoor access on a TCP port such as port 81.
  - Download updates from a Web site to a file with a name such as upd.bin in the Windows folder.
  - Try to create a new AOL Instant Messenger (AIM) account, connect to a specified AIM server, and act as an AIM bot.
  - Connect to an IRC server to serve as a backdoor.
- Spread in the following ways:
  - Through Kazaa file sharing.
  - By sending a copy of itself as an e-mail attachment to e-mail addresses that it finds on the infected computer. Win32/Fizzer may store e-mail addresses in a file named data1-2.cab in the Windows folder. The e-mail has the following characteristics:
    - The sender name and attachment name are drawn from a list of about 200 first names that the worm file contains, such as Sophia, Jordan, Amanda, Kyle, Maria, and Jason.
    - The subject is drawn from a separate list in the worm file. The subject may be in German or in English. Following are examples of possible subjects:
      "strafrechtliche Verfolgung nach sich ziehen."
      "Einzelnen oder einer Gruppe von Usern das Privileg der Nutzung"
      "Fühlt Euch wohl aber benehmt euch bitte"
      "Dreeeeehzahlmesser?? Anweisung Morgen SaTYr dran erinnern, dass er mal Ulf anruft "danke ;)"
      "Bitte keine Skript- oder Botspielereien, kein Betteln nach Voice"
      "Damn it feels good to be gangsta."
      "The way I feel - Remy Shand"
      "Paradigm Shift"
      "Please discard if you don't like or agree with our present leadership…"
    - The message body is drawn from another list in the worm file. The message is in English. Following are examples of possible messages:
      "kind of simple, but fun nonetheless."
      "The way to gain a good reputation is to endeavor to be what you desire to appear."
      "There is only one good, knowledge, and one evil, ignorance."
      "Watchin' the game, having a bud"
      "Today is a good day to die…"
      "you don't have to if you don't want to."
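As an added triage example (not part of the Microsoft encyclopedia entry), the following Python parses the hijacked HKEY_CLASSES_ROOT\txtfile\shell\open\command value in the format described above to recover the pre-infection handler, and flags the SystemInit Run value. The registry data is constructed for the example, and the clean NOTEPAD.EXE handler is assumed as the pre-infection value.

```python
import re

# Shape of the hijacked txtfile\shell\open\command value as described above:
#   %windir%\progop.exe 0 7 '<original command>' '%windir%\initbak.dat' '%windir%\iservc.exe'
# The worm keeps the pre-infection command in the first single-quoted argument.
_HIJACK_RE = re.compile(
    r"^(?P<launcher>\S*progop\.exe)\s+\d+\s+\d+\s+"
    r"'(?P<original>[^']*)'\s+'(?P<backup>[^']*)'\s+'(?P<service>[^']*)'\s*$",
    re.IGNORECASE,
)

# Constructed sample registry data (not captured from a real system).
CLEAN_TXTFILE_COMMAND = r"%SystemRoot%\system32\NOTEPAD.EXE %1"  # assumed pre-infection value
INFECTED_TXTFILE_COMMAND = (
    r"%windir%\progop.exe 0 7 '%SystemRoot%\system32\NOTEPAD.EXE %1' "
    r"'%windir%\initbak.dat' '%windir%\iservc.exe'"
)
SAMPLE_RUN_VALUES = {  # value name -> data, as read from HKLM\...\CurrentVersion\Run
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "SystemInit": r"C:\WINDOWS\iservc.exe",
}


def analyze_txtfile_command(value: str) -> dict:
    """Report whether the .txt handler is hijacked and, if so, the original handler.

    Recovering the stored command lets a clean-up restore the exact previous
    handler instead of guessing a default.
    """
    m = _HIJACK_RE.match(value.strip())
    if not m:
        return {"hijacked": False, "original_command": value, "backup": None, "service": None}
    return {
        "hijacked": True,
        "original_command": m.group("original"),
        "backup": m.group("backup"),
        "service": m.group("service"),
    }


def suspicious_run_entries(run_values: dict) -> list:
    """Names of Run values matching the SystemInit / iservc.exe persistence entry."""
    return [
        name for name, data in run_values.items()
        if name.lower() == "systeminit" or data.lower().rstrip().endswith("\\iservc.exe")
    ]


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_TXTFILE_COMMAND), ("infected", INFECTED_TXTFILE_COMMAND)):
        print(label, analyze_txtfile_command(value))
    print("suspicious Run values:", suspicious_run_entries(SAMPLE_RUN_VALUES))
```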
Prevention