Contact
About Avira
Press
Beta test
Language:
English
English
Deutsch
Français
Español
Italiano
Português
Русский
For Home
Avira Antivirus Premium
Avira Internet Security
For Business
Client/Servers
Avira Professional Security
Avira Server Security
Avira Business Security Suite
Avira Endpoint Security
Small Business
Managed Services
Gateways
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir GateWay Bundle
Avira AntiVir SharePoint
Integration
Anti-Malware SDK (SAVAPI)
Antispam SDK (SPACE)
Rebranding & Bundling
Integration Services
Educational Discount
Support
For Home
Overview
Latest News
Video Tutorials
Knowledgebase
For Business
Overview
Latest News
Knowledgebase
Virus Lab
Virus Descriptions
Statistics
VDF History
About Malware
Viruses In the Wild
Submit Suspicious File
Download
Product Downloads
Technical Documentation
Product Lifecycle
VDF Update
Partner
Partner Locator
Become an Avira Partner
Affiliate
Free
Download
Search
Summary
Full description
Statistics
Alias:
W32/Fizzer@mm, W32/Fizzer.gen@MM
Type:
Worm
Size:
220,160 bytes
Origin:
unknown
Date:
05-12-2003
Damage:
VDF Version:
6.19.00.13
Danger:
Low
Distribution:
Low
General Description
Worm/Fizzu.A is a mass mailer and spreads over KaZaA P2P networks. It carries along an IRC backdoor program, a DoS Tool and a Trojan. The emails it sends never look alike, because the subject, body and attachment are composed out of a words list the worm carries with himself.
Symptoms
Unexpected traffic on port 6667 (IRC) or on port 5190 (AIM).
Distribution
The virus spreads over KaZaA and email as executables .exe.
Technical Details
When activated, Worm/Fizzu.A copies itself in Windows with the following filenames:
* ISERVC.EXE (220.160 Bytes)
* INITBAK.DAT (220.160 Bytes)
Then it makes the next two files:
* ISERVC.DLL (Keylogger)
* PROGOP.EXE (15,360 bytes)
In order to be activated by the next system start, the worm makes the following registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="%WindowDIR%\iservc.exe"
and it modifies the following:
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%windir%\ProgOp.exe 0 7 '%windir%\NOTEPAD.EXE %1'
'%windir%\initbak.dat' '%windir%\ISERVC.EXE'File" menu."
The contents of the emails sent by Lovgate.J are never alike. The attachment name, subject and body are composed out of a big list of English and German words, which the worm carries along. It searches for email addresses in Windows Address Book (WAB).
One of the emails it sends can look like this:
Subject: Re: You might not appreciate this...
Body: There is only good, knowledgem, and one evil, ignorance
Subject: Service.scr
or
Subject: Why?
Body: I sent this program (Sparky) from anonymous places on the net
Attachment: Desktop.scr
The worm is able to terminate applications with the following names:
NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS, NMAIN
Manual Remove Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:
* ISERVC.EXE
* INITBAK.DAT
* ISERVC.DLL (Keylogger)
* PROGOP.EXE
Start "regedit" after that and edit the following registry entry:
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="%WindowDIR%\iservc.exe"
into:
* [HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%windir%\ProgOp.exe 0 7 '%windir%\NOTEPAD.EXE %1' '%windir%\initbak.dat'
'%windir%\ISERVC.EXE'File" menu."
Restart your computer.
- for Windows 9x/ME:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:
* ISERVC.EXE
* INITBAK.DAT
* ISERVC.DLL (Keylogger)
* PROGOP.EXE
Start "regedit" after that and edit the following registry entry:
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="%WindowDIR%\iservc.exe"
into:
* [HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%windir%\ProgOp.exe 0 7 '%windir%\NOTEPAD.EXE %1' '%windir%\initbak.dat'
'%windir%\ISERVC.EXE'File" menu."
Restart your computer.
Description inserted by Crony Walker on Tuesday, June 15, 2004
Back
.
.
.
.
