The Fizzer Worm
The newest virus/worm threat on the horizon
is a very serious one, the Fizzer Worm, also sometimes called
WORM_FIZZER.A, W32/Fizzer.A, or W32.HLLW.Fizzer@mm. It, like
so many others, is a Windows-targeting mass-mailing worm
that arrives in the form of an executable attachment to an
email message. The executable name is randomly generated,
but the file extension is always .exe (at least so far). The
subject of infected messages also varies considerably; examples
include "I thought this was interesting," "RE:
how are you?" and "Know thyself." Once Fizzer
infects a system, it utilizes its built-in mail engine to
transmit itself to e-mail addresses that it discovers in address
books and/or contact lists on the infected system.
Additionally, it can spread itself by finding
and then connecting to KaZaA shares, and also by transmitting
itself via chat sessions between users. Worst of all, however,
Fizzer plants a variety of Trojan Horse software in systems
it infects. It installs a keystroke logger to capture every
keystroke each user of the infected machine enters, and it plants
special chat and instant messaging bots (executables used
in controlling chat, messaging, and other functions), a Web
server on port 81, and a remote access server that uses ports
2018-2021 to allow attackers back-door access to the infected
systems. This worm also modifies several Registry keys to
enable it to start when the infected system boots and attempts
to disable any antivirus software that is running. If Fizzer
infects your system, the best course of action is to download
and run Symantec's
Fizzer Removal Tool.
You can help keep your system from becoming infected by ensuring
that it is running antivirus software that is frequently updated.
For a free copy of antivirus software for Windows systems,
go to http://www.lbl.gov/download/
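The listening ports named in this alert (81 and 2018-2021) can be checked on a suspect machine from the output of `netstat -an`. The script below is an added example, not part of the original alert or of any vendor tool; it assumes the ports are TCP, and the sample netstat text in it is constructed. A match is only a reason to investigate, since legitimate software can also listen on port 81.

```python
# Added example: flag listeners on the ports this alert attributes to Fizzer.
# Port numbers come from the alert text; treating them as TCP is an assumption.
import re

FIZZER_PORTS = {81: "Web server",
                **{p: "remote access server" for p in range(2018, 2022)}}

# Matches Windows `netstat -an` TCP rows; local address may be IPv4 or [IPv6].
ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+):(?P<port>\d+)\s+\S+\s+(?P<state>[A-Z_]+)", re.I
)

def suspicious_listeners(netstat_text):
    """Return sorted (port, local_address, role) for LISTENING sockets
    bound to one of the ports listed in the alert."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group("state").upper() != "LISTENING":
            continue  # headers, UDP rows, and outbound connections are ignored
        port = int(m.group("port"))
        if port in FIZZER_PORTS:
            hits.add((port, m.group("local"), FIZZER_PORTS[port]))
    return sorted(hits)

# Constructed sample output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2019           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      10.0.0.5:81            ESTABLISHED
  TCP    [::]:2021              [::]:0                 LISTENING
  UDP    0.0.0.0:2018           *:*
"""

if __name__ == "__main__":
    for port, addr, role in suspicious_listeners(SAMPLE):
        print(f"port {port} listening on {addr}: matches Fizzer {role} port")
```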
The Frethem Worm
Several variants of the Frethem worm are infecting
Windows 98, Windows ME, Windows NT, Windows 2000, and Windows
XP systems connected to the Internet. Frethem uses its own
mail engine to send itself to email addresses that it finds
in the Microsoft Windows Address Book and also in files with
extensions such as .eml, .dbx, .mdb, .wab, and .mbx. The message
containing this worm typically has a subject such as "Re:
Your password!" and includes attachments named with variations
of "password" (such as "decrypt-password.exe").
One of the attachments is worm code; opening it causes infection.
Some versions plant a Trojan horse program to set up back
door access to the victim system. The best way to avoid getting
infected by this worm is keeping your system's anti-virus
software up to date and avoiding opening attachments from
people you do not know. Visit Symantec site, W32.Frethem.K@mm,
and for more information about the most common variants of
this worm.
The "Friendship Screen Saver"!
If you receive the following message:
Enjoy this friendship Screen Saver and Check ur
friends circle... Send this screensaver from www.friends4u.net
to everyone you consider a FRIEND, even if it means sending
it back to the person who sent it to you. If it comes back
to you, then you'll know you have a circle of friends.
You need to delete it immediately! The so-called screen saver
is actually the deadly YAHA worm. Do not open the attachment,
and be sure to avoid forwarding the message to anyone else.
FunLove Worm
A worm named "FunLove" (most properly, "W32/FunLove.4099") has
been infecting LBNL Windows 98, Windows NT, and Windows 2000
systems at a rapid pace. Worms, like viruses, are programs
that reproduce themselves, but unlike viruses, worms spread
over networks independent of user actions.
FunLove infects EXE, SCR and OCX files, overwriting the initial eight
bytes of any file it infects. It then attempts to spread itself
through shares that allow everyone to write to the
files that can be accessed via the shares. On Windows NT systems
FunLove will even modify your system's kernel if you are logged
on as Administrator. You should take several steps to defend
against the destruction and disruption that a FunLove infection
causes:
1. Update your anti-virus software now. Visit http://www.lbl.gov/ITSD/CIS/Software/.
Updating your anti-virus software is very quick and easy.
2. In general, avoid setting up shares that allow everyone
to access them. Share only with specific users and groups
who need access to files on your system, and try to keep their
level of access down to "read," if possible. (For even better
protection, you might also want to set up a difficult-to-guess
password for every share on your system.)
3. If you think your system is infected, leave your system on,
put a "Do Not Use" sign on the display terminal, and dial
the LBNL Help Number (HELP). For additional information on
FunLove, see http://vil.nai.com/vil/virusChar.asp?virus_k=10419.