Computer Protection Program Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory
  ALERTS  
Viruses  

The Fizzer Worm

The newest virus/worm threat on the horizon is a very serious one, the Fizzer Worm, also sometimes called WORM_FIZZER.A, W32/Fizzer.A, or W32.HLLW.Fizzer@mm. It, like so many others, is a Windows-targeting mass-mailing worm that arrives in the form of an executable attachment to an email message. The executable name is randomly generated, but the file extension is always .exe (at least so far). The subject of infected messages also varies considerably; examples include "I thought this was interesting," "RE: how are you?" and "Know thyself." Once Fizzer infects a system, it uses its built-in mail engine to transmit itself to e-mail addresses that it discovers in address books and/or contact lists on the infected system.

Additionally, it can spread itself by finding and then connecting to KaZaA shares, and also by transmitting itself via chat sessions between users. Worst of all, however, Fizzer plants a variety of Trojan Horse software in systems it infects. It installs a keystroke logger to capture every keystroke each user of the infected machine enters, plants special chat and instant messaging bots (executables used in controlling chat, messaging, and other functions), a Web server on port 81, and a remote access server that uses ports 2018-2021 to allow attackers back-door access to the infected systems. This worm also modifies several Registry keys to enable it to start when the infected system boots and attempts to disable any antivirus software that is running. If Fizzer infects your system, the best course of action is to download and run Symantec's Fizzer Removal Tool.

You can help keep your system from becoming infected by ensuring that it is running antivirus software that is frequently updated. For a free copy of antivirus software for Windows systems, go to http://www.lbl.gov/download/
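A triage check for the listeners described above, as an added example that is not part of the original alert: it scans `netstat -ano` output for TCP listeners on port 81 and ports 2018-2021. The sample output and the function name are constructed for illustration; a hit on port 81 alone only means the host deserves a closer look, since other software can legitimately use that port.

```python
import re

# Ports the alert attributes to Fizzer: a Web server on 81 and a
# remote access server on 2018-2021.
FIZZER_PORTS = {81: "web server",
                **{p: "remote access server" for p in range(2018, 2022)}}

# One TCP row of Windows `netstat -an` / `netstat -ano` output.
# The PID column is optional (only present with -o).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+)\s+(\w+)\s*(\d+)?\s*$")

def fizzer_listeners(netstat_text):
    """Return (local_addr, port, role, pid) for listeners on Fizzer's ports.

    Only LISTENING sockets are reported: an outbound connection can be
    assigned a local port in 2018-2021 by chance, so ESTABLISHED rows
    on those ports are not a reliable signal.
    """
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        addr, port, _foreign, state, pid = m.groups()
        port = int(port)
        if state == "LISTENING" and port in FIZZER_PORTS:
            hits.append((addr, port, FIZZER_PORTS[port], pid))
    return hits

# Constructed sample output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:2018           0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.5:2019       10.0.0.7:80            ESTABLISHED     2200
  TCP    [::]:2021              [::]:0                 LISTENING       1234
  UDP    0.0.0.0:2020           *:*                                    900
"""

if __name__ == "__main__":
    for addr, port, role, pid in fizzer_listeners(SAMPLE):
        print(f"listener on {addr}:{port} ({role}), PID {pid}")
```

The PID in each hit identifies the process to examine before deciding whether the listener is expected.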


The Frethem Worm

Several variants of the Frethem worm are infecting Windows 98, Windows ME, Windows NT, Windows 2000, and Windows XP systems connected to the Internet. Frethem uses its own mail engine to send itself to email addresses that it finds in the Microsoft Windows Address Book and also in files with extensions such as .eml, .dbx, .mdb, .wab, and .mbx. The message containing this worm typically has a subject such as "Re: Your password!" and includes attachments named with variations of "password" (such as "decrypt-password.exe"). One of the attachments is worm code; opening it causes infection. Some versions plant a Trojan horse program to set up back door access to the victim system. The best way to avoid getting infected by this worm is keeping your system's anti-virus software up to date and avoiding opening attachments from people you do not know. Visit the Symantec site, W32.Frethem.K@mm, and for more information about the most common variants of this worm.


The "Friendship Screen Saver"!

If you receive the following message:

Enjoy this friendship Screen Saver and Check ur friends circle... Send this screensaver from www.friends4u.net to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a circle of friends.

You need to delete it immediately! The so-called screen saver is actually the deadly YAHA worm. Do not open the attachment, and be sure to avoid forwarding the message to anyone else.


FunLove Worm

A worm named "FunLove" (most properly, "W32/FunLove.4099") has been infecting LBNL Windows 98, Windows NT, and Windows 2000 systems at a rapid pace. Worms, like viruses, are programs that reproduce themselves, but unlike viruses, worms spread over networks independent of user actions.

FunLove infects EXE, SCR and OCX files, overwriting the initial eight bytes of any file it infects. It then attempts to spread itself through shares that allow everyone to write to the files that can be accessed via the shares. On Windows NT systems FunLove will even modify your system's kernel if you are logged on as Administrator. You should take several steps to defend against the destruction and disruption that a FunLove infection causes:

1. Update your anti-virus software now. Visit http://www.lbl.gov/ITSD/CIS/Software/. Updating your anti-virus software is very quick and easy.

2. In general, avoid setting up shares that allow everyone to access them. Share only with specific users and groups who need access to files on your system, and try to keep their level of access down to "read," if possible. (For even better protection, you might also want to set up a difficult-to-guess password for every share on your system.)

3. If you think your system is infected, leave your system on, put a "Do Not Use" sign on the display terminal, and dial the LBNL Help Number (HELP). For additional information on FunLove, see http://vil.nai.com/vil/virusChar.asp?virus_k=10419.
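One way to audit for the open shares that step 2 warns about, as an added example that is not part of the original alert: it parses the text printed by `net share <name>` and reports any entry that gives Everyone write-level access. The sample outputs and function names are constructed for illustration, and the parser assumes the usual `Permission  Account, RIGHT` layout with indented continuation lines.

```python
# Rights that let a worm such as FunLove modify files reached through a share.
WRITE_RIGHTS = {"CHANGE", "FULL"}
# The "everyone" case the advice above warns about.
OPEN_GROUPS = {"everyone"}

def parse_net_share(text):
    """Parse `net share <name>` output into (share_name, [(account, right), ...])."""
    name, acl, in_perm = None, [], False
    for line in text.splitlines():
        if line.startswith("Share name"):
            name = line[len("Share name"):].strip()
        elif line.startswith("Permission"):
            in_perm, line = True, line[len("Permission"):]
        elif in_perm and not line[:1].isspace():
            in_perm = False  # a blank or unindented line ends the permission block
        if in_perm and "," in line:
            account, right = line.rsplit(",", 1)
            acl.append((account.strip(), right.strip().upper()))
    return name, acl

def world_writable(text):
    """Return (share, account, right) for entries that let everyone write."""
    name, acl = parse_net_share(text)
    return [(name, acct, right) for acct, right in acl
            if acct.lower() in OPEN_GROUPS and right in WRITE_RIGHTS]

# Constructed sample outputs (not captured from a real host).
SAMPLE_OPEN = r"""Share name        Public
Path              C:\Public
Remark
Maximum users     No limit
Users
Permission        Everyone, FULL
                  BUILTIN\Administrators, FULL

The command completed successfully.
"""

SAMPLE_READ_ONLY = r"""Share name        Docs
Path              C:\Docs
Permission        Everyone, READ
                  BUILTIN\Administrators, FULL

The command completed successfully.
"""

if __name__ == "__main__":
    for share, acct, right in world_writable(SAMPLE_OPEN):
        print(f"share {share}: {acct} has {right} access")
```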
