One of the most widespread viruses in the world

Status
Not open for further replies.

support66

IS-IT--Management
Mar 30, 2003
32
EU
F-Secure is upgrading the Fizzer worm to Level 1 as this complex e-mail/p2p worm continues to spread rapidly. Currently it's one of the most widespread viruses in the world.

Fizzer is a complex e-mail worm that appeared on the 8th of May, 2003. The worm can spread itself in e-mails and in Kazaa P2P (peer-to-peer) file sharing network. Fizzer worm has a built-in IRC backdoor, a DoS (Denial of Service) attack tool, a data stealing trojan (uses external keylogger DLL), an HTTP server and some more components. The worm has the functionality to kill tasks of certain anti-virus programs. Additionally the worm has autoupdating capabilities.

Fizzer worm spreads in e-mails as an attachment with .EXE, .PIF, .SCR and .COM extensions. Attachment names, subjects and bodies are randomly selected by the worm from its internal lists. E-mail addresses are collected by the worm from Windows and Outlook Address Books on an infected computer and also from different files on a hard disk.

 
Hiya..

While it is fine that you post alerts, it would be great if you could change the thread type from question to helpful tip, or news. It helps keep the fora sorted out if you know what I mean.

I know you haven't been using the site too long, and I wasnt sure if you knew you can do that.

Have a great day!

Kimber

 
Certainly I will and thanks for your recommendation.
 
This one is a bear. From 7:00 am to 8:00 am EDT we received 12 e-mails with this virus. Since then I've lost count of how many times it's been sent to us. I've looked at the e-mails' headers and there doesn't seem to be any rhyme or reason as to who is sending us this. They seem to be coming from all over the map.


James P. Cottingham

When a man sits with a pretty girl for an hour, it seems like a minute. But let him sit on a hot stove for a minute and it's longer than any hour. That's relativity.
Albert Einstein explaining his Theory of Relativity to a group of journalists.
 
If you want to catch these, and can scan the message headers on the way in, look for this in the Content-Type line:

Unique_Boundary

Whoever wrote the virus didn't bother trying to randomize that part. It's been consistent for every one I've seen.

Such as this:

Code:
Status: U
Return-Path: <SOME.POOR.SLOB@SOME.DOMAIN.COM>
Received: from FORGED_MACHINE_NAME ([11.11.11.11]) by my.mail.com
          (Netscape Messaging Server 3.6)  with SMTP id AAA804
          for <VICTIM@THAT.DOMAIN.COM>; Wed, 21 May 2003 11:48:50 -0400
Date: 11:48:50 AM, 5/21/03
From: SOME.POOR.SLOB <SOME.POOR.SLOB@SOME.DOMAIN.COM>
To: <VICTIM@THAT.COMAIN.COM>
Subject: Yo, WASSUP, B?
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="Unique_Boundary"
Message-ID: <7764265312EE.AAA804@my.mail.com>

Hope this helps ...
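The header check described in the post above, written out as an added example (not code from the thread or from any poster): it parses a raw message with Python's standard email library, flags the constant "Unique_Boundary" MIME boundary, and also flags attachments carrying the extensions the F-Secure alert at the top of the thread lists. Both sample messages are constructed for the example; the attachment name "pictures.scr" is invented.

```python
import email
from email import policy

# MIME boundary the poster above reports as constant across every Fizzer sample seen
FIZZER_BOUNDARY = "Unique_Boundary"
# Attachment extensions the F-Secure alert at the top of the thread lists for the worm
SUSPECT_EXTENSIONS = {".exe", ".pif", ".scr", ".com"}

# Constructed sample modelled on the quoted headers, with an invented .scr attachment
SAMPLE_FIZZER = """\
Subject: Yo, WASSUP, B?
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="Unique_Boundary"

--Unique_Boundary
Content-Type: text/plain

see attached
--Unique_Boundary
Content-Type: application/octet-stream; name="pictures.scr"
Content-Disposition: attachment; filename="pictures.scr"

QUJD
--Unique_Boundary--
"""

# Constructed benign sample: plain single-part text mail, no boundary at all
SAMPLE_BENIGN = "Subject: lunch\nContent-Type: text/plain\n\nnoon?\n"

def classify_message(raw: str) -> dict:
    """Return the Fizzer indicators found in one raw message (headers + body)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"boundary_match": False, "suspect_attachments": []}
    # get_boundary() unfolds the Content-Type header and strips the quotes for us;
    # it returns None for non-multipart mail, which simply never matches.
    if msg.get_boundary() == FIZZER_BOUNDARY:
        findings["boundary_match"] = True
    for part in msg.walk():
        name = part.get_filename()
        if name and "." in name and "." + name.rsplit(".", 1)[-1].lower() in SUSPECT_EXTENSIONS:
            findings["suspect_attachments"].append(name)
    return findings

def is_likely_fizzer(raw: str) -> bool:
    """Either indicator alone is enough to hold the message for review."""
    f = classify_message(raw)
    return f["boundary_match"] or bool(f["suspect_attachments"])
```

The boundary string is the cheaper check, but it is only as good as the poster's observation that it never changes; the extension check catches a sample the moment a variant starts randomising the boundary.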
 
Without being an advertiser I will write down my experience on such worm breakdowns. I use AV on my email gateway for 1000 end users. As soon as I read on my AV provider about the worm breakdown, my gateway system automatically downloaded the virus definitions and immediately stopped the worm breakdown... Well, Greece, as far as I can feel, has not been hit so much by this worm, but we still got hits by Klez.H.

Thanks
 