Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:I-Worm.Fizzer, W32/Fizzer.dll, W95/Fizzer.Keylogger, W32.HLLW.Fizzer
Type:Worm 
Size:241,664 Bytes 
Origin: 
Date:00-00-0000 
Damage:Sent by email, Backdoor component, Keylogger. 
VDF Version:  
Danger:Low 
Distribution:Low 

DistributionThe worm collects email addresses from Windows Address Book, cookie files, Internet temporary files and from personal folders.
The email sent by the worm has the following structure:

Subject:
I thought this was interesting...
rather psychedelic...
found this on the net, you might like it...
discothque
imbrue
Damn it feels good to be gangsta.
The way I feel - Remy Shand
Paradigm Shift
WASSUP!
Know Thyself
Hell
I love you
Please discard if you don't like or agree with our present leadership...
little popup remover
B cannot remember
Yo, WASSUP, B?
an interesting program...
You might not appreciate this...
I think you might find this amusing...
LOL
check this out... hehehe
question...
see you tomorrow.
how are you?
you need to lose weight.
why?
kind of simple, but fun nonetheless.
check it out.
Ist das nicht lustig? ;)
Das Wetter ist gut.
Gut geschlafen?
erstmal unter die dusche ..
Og.. :)
Wer ist hier das Schaf?
Morgen uggi ;))
moin uk-world
hierzu kann ich nur anmerken das fix nen Bettnsser ist
huhu Camper ;))
Sandy es freut mich sehr, da du heut so gut drauf bist ;)
da kannst ja gleich einen kuchen auch noch backen ;D
ohje ;)
hmm sandy und backen ???
heidelbeerkuchen ;)
jo Camper, das kann ich auch ;)
die dich nur anschnautzen kann und sonst nix ;)

Message:
I sent this program (Sparky) from anonymous places on the net.
The way to gain a good reputation is to endeavor to be what you desire to appear.
There is only one good, knowledge, and one evil, ignorance.
Watchin' the game, having a bud.
Did you ever stop to think that viruses are good for the economy? Maybe the primary creators of the world's worst viruses are the companies that make the Anti-Virus software.
Today is a good day to die...
so, how are you?
the attachment is only for you to look at
you must not show this to anyone...
delete this as soon as you look at it...
Let me know what you think of this...
If you don't like it, just delete it.
thought I'd let you know
you don't have to if you don't want to.

Attachment: the attachment is variable and has the following extensions:
.exe
.pif
.com
.scr

Technical DetailsWhen activated, the worm is copied into:
%WinDIR%\iservc.exe
%WinDIR%\initbak.dat

It creates the following files:
%WinDIR%\ProgOp.exe (15,360 Bytes).
%WinDIR%\iservc.dll (7,680 Bytes), represents the keylogger component of the worm.
%WinDIR%\data1-2.cab, contains encoded email addresses, found on the infected system.
%WinDIR%\iservc.dat.
%WinDIR%\Uninstall.pky
%WinDIR%\upd.bin.

It makes the following autostart entry in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SystemInit"="%WinDIR%\iservc.exe"


And it changes the following entry: HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command in: @="%WinDIR%\ProgOp.exe 0 7 '%WinDIR%\notepad.exe %1''%WinDIR%\initbak.dat''iservc.exe'

The worm tries to terminate the processes that contain the following strings:
NAV
SCAN
AVP
TASKM
VIRUS
F-PROT
VSHW
ANTIV
VSS
NMAIN

A mutex named SparkyMutex will ensure that only one version of the worm is active in the system.
The worm tries to connect to the following IRC servers:
irc.awesomechat.net
irc.blueshadownet.org
irc.chatlands.org
irc.darkmyst.org
irc.hemmet.chalmers.se
irc.exodusirc.net
irc.mirc.gr

It infects the files from KaZaA download directory. The warm also tries to reach AOL Instant Messenger (AIM) Chatroom, using various names, for receiving hacker's instructions.
It uses a HTTP server on port 81. The worm also uses port 2018, 2019, 2020 and 2021 for backdoor functions.
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .