Lumension® Endpoint Intelligence Center

Overview

Threat Risk: MEDIUM
Destructivity: MEDIUM
Payload: Installs a backdoor component
Detection files published: 11 May 2003 03:00:00
Description created: 12 May 2003 06:16:00
Description updated: 16 May 2003 02:06:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

W32/Fizzer.A@mm

Spreading

The worm sends itself to addresses found on the victim's computer, in the Windows Address Book and other sources.

When run, it copies itself to the Windows directory as:

ISERVC.EXE
initbak.dat

It creates two other executables in the Windows directory:

ISERVC.DLL
ProgOp.EXE

In addition, it creates several data files that it uses during execution.

It creates the following registry keys to ensure that it is run during startup and whenever an attempt is made to open a text file:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemInit = [WINDIR]\iservc.exe

HKEY_CLASSES_ROOT\txtfile\shell\open\command
(default) = "[WINDIR]\ProgOp.exe 0 7 '[WINDIR]\notepad.exe %1' '[WINDIR]\initbak.dat' '[WINDIR]\iservc.exe'"
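The two registry entries described above can be checked for in a regedit-style text export of a host's registry. The following is an added example, not part of the original description; the function names are hypothetical, and the sample exports are constructed with C:\WINDOWS assumed as the Windows directory.

```python
import re

# Registry locations and file names taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TXT_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
WORM_FILES = ("iservc.exe", "iservc.dll", "progop.exe", "initbak.dat")
# One string value in a regedit text export: "Name"="data" or @="data".
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo the backslash escaping regedit applies to backslashes and quotes."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {KEY: {value name: data}} for the string values in the export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name.lower()] = unescape(m.group(2))
    return keys

def find_fizzer_persistence(reg_text):
    """List (location, data) pairs that match the two persistence entries."""
    keys = parse_reg_export(reg_text)
    findings = []
    run_data = keys.get(RUN_KEY.upper(), {}).get("systeminit", "")
    if run_data.lower().endswith("\\iservc.exe"):
        findings.append(("Run\\SystemInit", run_data))
    # The default value of the txtfile handler should not name any worm file.
    handler = keys.get(TXT_KEY.upper(), {}).get("", "")
    if any(f in handler.lower() for f in WORM_FILES):
        findings.append(("txtfile open command", handler))
    return findings

# Constructed sample exports (not captured from a real host).
INFECTED = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\WINDOWS\\iservc.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\ProgOp.exe 0 7 'C:\\WINDOWS\\notepad.exe %1' 'C:\\WINDOWS\\initbak.dat' 'C:\\WINDOWS\\iservc.exe'"
'''
CLEAN = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\notepad.exe %1"
'''
print(find_fizzer_persistence(INFECTED), find_fizzer_persistence(CLEAN))
```

A hit on the txtfile handler matters for cleanup as well as detection: while that value still points at ProgOp.exe, opening any text file goes through the worm's launcher rather than directly to Notepad.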

Payload Details

The worm attempts to set up a backdoor connection to an IRC server.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11