ITSD Computing and Communications Services News
May, 2003
  Monthly Virus Update: Fizzer Worm Poses a Serious Threat

The newest virus/worm threat on the horizon -- the Fizzer worm -- is a very serious one. Also sometimes called WORM_FIZZER.A, W32/Fizzer.A, or W32.HLLW.Fizzer@mm, it is a Windows-targeting, mass-mailing worm that arrives in the form of an executable attachment to an email message. The executable name is randomly generated, but the file extension is always .exe (at least so far). The subject of infected messages also varies considerably; examples include "I thought this was interesting," "RE: how are you?" and "Know thyself."

Once Fizzer infects a system, it uses its built-in mail engine to send itself to email addresses that it discovers in address books and/or contact lists on the infected system. It can also spread by finding and then connecting to KaZaA shares. Worst of all, however, Fizzer plants a variety of Trojan horse software on systems it infects: a keystroke logger that captures every keystroke each user of the infected machine enters, special chat and instant messaging bots (executables used in controlling chat, messaging, and other functions), a Web server on port 81, and a remote access server that uses ports 2018-2021 to give attackers back door access to the infected system. The worm also modifies several Registry keys so that it starts when the infected system boots, and it attempts to disable any anti-virus software that is running. If Fizzer infects your system, the best course of action is to download and run Symantec's Fizzer Removal Tool.
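
As a quick check for the listeners described above, the following Python script (an added example, not part of the original newsletter or of any vendor tool) scans `netstat -ano` output for local listeners on port 81 and ports 2018-2021. The sample output is constructed, the function names are hypothetical, and the script assumes both services listen on TCP, which the article does not state.

```python
# Added example: flag TCP listeners on the ports the article attributes to Fizzer.
# Assumption: both services listen on TCP; the article gives only port numbers.
FIZZER_PORTS = {81: "web server"}
FIZZER_PORTS.update({p: "remote access server" for p in range(2018, 2022)})

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       1412
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:2018           0.0.0.0:0              LISTENING       1412
  TCP    0.0.0.0:2019           0.0.0.0:0              LISTENING       1412
  TCP    192.168.1.20:1067      192.168.1.5:2020       ESTABLISHED     2200
  TCP    0.0.0.0:8181           0.0.0.0:0              LISTENING       3020
  TCP    [::]:2021              [::]:0                 LISTENING       1412
  UDP    0.0.0.0:81             *:*                                    700
"""


def find_fizzer_listeners(netstat_text):
    """Return sorted (port, role, pid) tuples for listeners on Fizzer's ports."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only TCP rows in LISTENING state: an outbound connection to a remote
        # port 2020 is not a local back door.
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rpartition copes with IPv6 locals such as [::]:2021.
        _, _, port_text = fields[1].rpartition(":")
        if port_text.isdigit() and int(port_text) in FIZZER_PORTS:
            pid = fields[4] if len(fields) > 4 else "?"
            hits.append((int(port_text), FIZZER_PORTS[int(port_text)], pid))
    return sorted(hits)


def matches_both_services(hits):
    """True when a web-server port and a remote-access port are both open."""
    roles = {role for _, role, _ in hits}
    return roles == set(FIZZER_PORTS.values())


if __name__ == "__main__":
    found = find_fizzer_listeners(SAMPLE_NETSTAT)
    for port, role, pid in found:
        print(f"port {port} ({role}) held by PID {pid}")
    print("both Fizzer services present:", matches_both_services(found))
```

Other software can legitimately listen on port 81, so treat a match as a reason to run an up-to-date scanner or the removal tool rather than as proof of infection.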

You can help keep your system from becoming infected by ensuring that it is running anti-virus software that is frequently updated. Anti-virus software for Windows systems is available from the Lab’s software download page.

During the month of April the LBNL Virus Wall was as busy as ever, this time detecting and eradicating a total of 2,938 worms and viruses. A very encouraging sign is that the Virus Wall did not detect any outgoing viruses, meaning that Lab employees did not inadvertently pass on any viruses. This shows that the combination of the Lab's Virus Wall and widespread use of the Lab’s site license for anti-virus software for PCs and Macintosh systems is working well.

As in previous months, the Klez.H worm was the most prevalent by far, with 2,257 copies detected and eradicated. Interestingly, the Eicar_test_file, which is not a virus or worm, was detected second most frequently, with 137 instances last month. The Eicar file, which is usually named "Eicar.com," is nothing more than a text file used to test how well anti-virus software is working. Because Eicar cannot infect a system, it poses no real threat (except, of course, for causing confusion among users). Yaha.K was the third most prevalent, with 115 copies detected and destroyed.