
E-mail worms and virus (Fizzer Worm)

Attack ID: CPAI-2003-14
Publish Date:
Category: Email worms and virus
Vulnerable Systems: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Source: Trend Micro advisory
Symantec advisory
Description: The Fizzer worm (WORM_FIZZER.A, also known as W32/Fizzer-A, Fizzer, I-Worm.Fizzer, W32.HLLW.Fizzer@mm, W32/Fizzer@MM) is a mass-mailing worm with backdoor and keylogger functionality. It attempts to spread through SMTP and the KaZaA file-sharing network. The worm attempts to terminate the processes of various anti-virus programs if they are found to be active.
Severity:
  This is a sophisticated worm that can spread in various methods. In addition, it can be used to launch additional attacks against its targets. The worm is capable of disabling various anti-virus products, personal firewalls and other security-related processes on infected machines.
Details:

This is a mass-mailing worm that sends itself to all contacts in the Windows Address Book. It contains a backdoor that uses mIRC to communicate with a remote attacker. It also contains a keystroke logger and attempts to spread itself through the KaZaA file-sharing network.

  1. The worm attempts to terminate the processes of various anti-virus programs if they are found to be active.
    Note: FireWall-1 SecureClient cannot be terminated this way.
  2. It attempts to connect to IRC servers using different user names carried by the worm, then waits for commands from the attacker. IRC servers the worm attempts to connect to:
    1. irc.awesomechat.net
    2. irc.blueshadownet.org
    3. irc.chatlands.org
    4. irc.darkmyst.org
    5. irc.hemmet.chalmers.se
    6. irc.exodusirc.net
    7. irc.mirc.gr
  3. The worm logs keystrokes into an encrypted file located at %windir%\iservc.klg.
  4. The worm copies itself to the KaZaA file download directory as a random filename in an attempt to spread through the file-sharing network.
  5. The worm runs as an HTTP server listening to port 81.
  6. It uses ports 2018, 2019, 2020 and 2021 for additional backdoor functionality.
  7. The worm has an "updates" functionality, which attempts connecting to Geocities sites to obtain them.
  8. The worm uses random emails to spread its malicious content.
Attack Detection: Using the SmartView Tracker one can identify attempts to receive emails (SMTP traffic) that contain attachments with .EXE, .COM, .PIF or .SCR extensions. If the worm has infected the network, one can identify attempts to open outgoing SMTP connections from various network components other than the regular outbound SMTP routers.
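The two detection signals described above, plus the worm's own ports listed in the Details section, as an added example that is not part of the advisory or Check Point's tooling. The log format is a constructed, simplified one ("src dst dport action" per line); real SmartView Tracker exports differ, so the parser is the part to adapt. The list of approved mail servers is an assumption for the example.

```python
"""Spot Fizzer-like mail behaviour in firewall logs.

Added example, not Check Point's or the advisory's own code. The log format below is
a constructed, simplified one ("src dst dport action" per line); SmartView Tracker
exports look different, so the parser is the part to adapt.
"""
from dataclasses import dataclass

# Attachment extensions the advisory tells you to watch for in inbound SMTP traffic
RISKY_EXTENSIONS = (".exe", ".com", ".pif", ".scr")

# Ports the advisory attributes to the worm: HTTP server on 81, backdoor on 2018-2021
WORM_PORTS = {81, 2018, 2019, 2020, 2021}

# Assumption for the example: the only hosts allowed to originate outbound SMTP
MAIL_SERVERS = {"10.0.0.25"}

# Constructed sample log (not real Check Point output): src dst dport action
SAMPLE_LOG = """\
10.0.0.25 203.0.113.10 25 accept
10.0.0.25 203.0.113.11 25 accept
10.0.1.37 198.51.100.5 25 accept
10.0.1.37 198.51.100.6 25 accept
10.0.1.37 198.51.100.7 25 accept
10.0.1.42 198.51.100.9 80 accept
10.0.2.8 192.0.2.77 25 drop
192.0.2.99 10.0.1.37 2019 drop
"""


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    action: str


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped rather than crashing."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        src, dst, dport, action = parts
        conns.append(Conn(src, dst, int(dport), action))
    return conns


def outbound_smtp_offenders(conns, mail_servers=MAIL_SERVERS):
    """Count SMTP (port 25) connection attempts per source for hosts that are not
    approved mail servers. Dropped attempts are counted too: a blocked worm is
    still an infected host that needs cleaning."""
    counts = {}
    for c in conns:
        if c.dport == 25 and c.src not in mail_servers:
            counts[c.src] = counts.get(c.src, 0) + 1
    return counts


def worm_port_hits(conns):
    """Return (src, dst, dport) for traffic to the ports the advisory associates
    with the worm, regardless of action, so the rules' logging can be checked."""
    return [(c.src, c.dst, c.dport) for c in conns if c.dport in WORM_PORTS]


def is_risky_attachment(filename):
    """True when the name ends in one of the advisory's extensions (case-insensitive,
    so 'PHOTO.SCR' and 'notes.txt.pif' both match)."""
    return filename.strip().lower().endswith(RISKY_EXTENSIONS)


def risky_attachments(filenames):
    return [f for f in filenames if is_risky_attachment(f)]


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    print("Non-mail-server hosts sending SMTP:", outbound_smtp_offenders(conns))
    print("Traffic to worm ports:", worm_port_hits(conns))
    print("Risky attachments:", risky_attachments(["report.doc", "PHOTO.SCR", "setup.exe"]))
```

Dropped SMTP attempts are deliberately counted alongside accepted ones: the firewall stopping the mail does not clean the host that tried to send it, and a host that is not a mail server opening port 25 at all is the symptom the advisory describes.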
Solution:

The SmartDefense team has identified the trend of using combined methods for spreading worms and malware. Customers are advised to review CPSA-2003-01, posted in January 2003.

Deploy FireWall-1 systems so that client systems sit behind them and are thus protected from the Internet. Verify that the incoming SMTP servers are protected behind the FireWall-1 SMTP Security Server:

  1. Using the SmartDashboard, block all outgoing SMTP connections from non-server IPs. Allow only outgoing SMTP connections originated from mail servers.
  2. Define SMTP resource that blocks MIME types of message/partial.
    1. The rule looks like the following:
      SRC=ANY, DST=Incoming SMTP server, Service=Resourced SMTP, Action=accept and log
    2. The SMTP resource looks like the following:
      • SMTP Resource->Action2 tab
        1. Strip MIME of type: message/partial
        2. Strip file by name: *.exe, *.scr, *.com, *.pif
        3. Weeding: Strip all Script Tags, links and port strings
  3. Verify that the SmartDefense "Successive Multiple Connections" is marked:

    Policy->SmartDefense-> Successive Events-> Successive Multiple Connections.

  4. In order to track some of the potential attack attempts, verify the following "Successive Multiple Connections" values:
    1. Resolution: 10 seconds
    2. Time interval: 60 seconds
    3. Attempts number: 100 (varies, based on the site configuration)
  5. Verify that all connections to the KaZaA networks are blocked. Note that P2P services such as KaZaA can use either a proprietary service port or port 80 (usually HTTP) in order to traverse a firewall. See the additional information section for instructions for blocking KaZaA over HTTP.
  6. Verify that outgoing connections from the network are used for legitimate services (approved by the organization security policy).
  7. Verify that ports 2018, 2019, 2020 and 2021 are blocked for both inbound and outbound directions. Verify the rules related to these connections include logging.
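Step 4 above sets three values for "Successive Multiple Connections" without spelling out how they combine. The following Python script is an added example, not Check Point's implementation of the SmartDefense feature, and it assumes one reasonable reading: connections per source are counted in 10-second buckets, and a source alerts when any 60-second span of buckets holds at least 100 connections. The three hosts and their connection timings are constructed to show a mass-mailing burst, a normal mail server, and a host that sends many connections but slowly enough to stay under the threshold.

```python
"""Sliding-window 'successive multiple connections' detector.

Added example, not Check Point's own implementation of the SmartDefense feature.
It assumes the advisory's three values mean: count connections per source in
RESOLUTION-second buckets, and alert when any INTERVAL-second span of buckets
holds at least ATTEMPTS connections. The events below are constructed.
"""
from collections import defaultdict

RESOLUTION = 10   # seconds per counting bucket (advisory value)
INTERVAL = 60     # length of the sliding window in seconds (advisory value)
ATTEMPTS = 100    # connections within one window that trigger an alert (advisory value; site-specific)

WORM_HOST = "10.0.1.37"     # constructed: 120 connections in 30 seconds
MAIL_SERVER = "10.0.0.25"   # constructed: 5 connections in a minute
SLOW_HOST = "10.0.3.5"      # constructed: 100 connections, but one every 6 seconds

# Constructed (timestamp_seconds, src_ip) events
SAMPLE_EVENTS = (
    [(1000 + i * 0.25, WORM_HOST) for i in range(120)]
    + [(1000 + i * 12, MAIL_SERVER) for i in range(5)]
    + [(2000 + i * 6, SLOW_HOST) for i in range(100)]
)


def bucketize(events, resolution=RESOLUTION):
    """Map each source to {bucket_start: connection count}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src in events:
        buckets[src][(int(ts) // resolution) * resolution] += 1
    return buckets


def successive_connection_alerts(events, resolution=RESOLUTION,
                                 interval=INTERVAL, attempts=ATTEMPTS):
    """Return sorted (src, window_start) pairs, at most one per source, for sources
    that opened at least `attempts` connections inside some `interval`-second window."""
    alerts = []
    for src, per_bucket in bucketize(events, resolution).items():
        starts = sorted(per_bucket)
        for i, start in enumerate(starts):
            total = 0
            for s in starts[i:]:
                if s >= start + interval:
                    break          # buckets are sorted, so nothing later can be in the window
                total += per_bucket[s]
            if total >= attempts:
                alerts.append((src, start))
                break              # one alert per source is enough for this report
    return sorted(alerts)


if __name__ == "__main__":
    for src, start in successive_connection_alerts(SAMPLE_EVENTS):
        print(f"{src}: >= {ATTEMPTS} connections in the {INTERVAL}s window starting at t={start}")
```

Running it with the advisory's values flags only the bursting host. Lowering the attempts threshold to 10 also flags the slow host, which is why step 4 notes that the value varies by site: a threshold tuned for a workstation subnet will be far too low for a relay that legitimately opens many outbound SMTP sessions.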
Industry Reference:
Additional Information: CPAI-2003-02 and Check Point P2P FAQ provide additional information for blocking and controlling worms that have similar characteristics and behavior patterns. Customers are advised to review the mentioned publications for additional information regarding precautions and measures that can be taken against the worm discussed in this advisory and future threats that may appear.