P2P-Zone  
16-05-03, 09:04 PM   #1
boelcke

Sounds Like the RIAA's Behind This One!!

This has me REALLY flaming!!

I really think that the RIAA is behind this worm, I mean...it's weird when you see that,

"It should be noted that the worm uses its resource section to store its own text strings and additional files that it drops. This method is very rarely used by malicious programs."

and...

"The worm can spread itself in e-mails and in the Kazaa P2P (peer-to-peer) file-sharing network. The Fizzer worm contains a built-in IRC backdoor, a DoS (Denial of Service) attack tool, a data-stealing Trojan (uses external keylogger DLL), an HTTP server and other components. The worm has the functionality to kill the tasks of certain anti-virus programs. Additionally, the worm has automatic updating capabilities."

The above mentioned details of this worm are almost word-for-word what the RIAA has said that it wants to be able to do to people's computers to access data, delete files, knock you off the internet, etc. Correct me if I'm wrong there, but it sounds like an irrefutable coincidence that they are the ones that created this worm and are using it right now. I know there's a way for knowledgeable people to check a file/program like this and figure out who created it. If it indeed is them, then this is showing a new degree of their sickness to control everyone.

Well, RIAA...that's "HACKING" and let's see...hacking is now officially considered terrorism. So, what exactly does that make THEM!?!? The really irritating part of this is that if WE do that we're called "terrorists"...if THEY do it, the government pats them on the back and gives them an "atta-boy" for it. Positively Disgusting!


I've posted the text from the article, below. To see the article with pictures, go to:

http://www.europe.f-secure.com/v-descs/fizzer.shtml

Somebody needs to get to the bottom of this.

Boelcke
--------------------------------------------------------------------------

NAME: Fizzer
ALIAS: W32/Fizzer@MM, W32/Fizzer.A, Sparky



THIS VIRUS IS RANKED AS LEVEL 1 ALERT
UNDER F-SECURE RADAR.
For more information, see:
http://www.F-Secure.com/products/radar/


F-Secure is upgrading the Fizzer worm to Level 1 as this complex e-mail/p2p worm continues to spread rapidly. It is currently one of the most widespread viruses in the world.

Fizzer is a complex e-mail worm that appeared on May 8, 2003. The worm can spread itself in e-mails and in the Kazaa P2P (peer-to-peer) file-sharing network. The Fizzer worm contains a built-in IRC backdoor, a DoS (Denial of Service) attack tool, a data-stealing Trojan (uses external keylogger DLL), an HTTP server and other components. The worm has the functionality to kill the tasks of certain anti-virus programs. Additionally, the worm has automatic updating capabilities.

The Fizzer worm spreads in e-mails as an attachment with .EXE, .PIF, .SCR and .COM extensions. The worm randomly selects attachment names and message subjects and bodies from its internal lists. It collects e-mail addresses from Windows and Outlook Address Books on an infected computer and from different files on a hard disk.

F-Secure provides a special disinfection tool for the Fizzer worm. See the bottom of the page for more info.


Technical Description

The worm spreads its dropper as an e-mail attachment. When a user activates a dropper, it creates a file called ISERVC.EXE in a temporary folder and activates it. The ISERVC.EXE file is the main component of the worm. It copies itself to the Windows directory with the following names:


ISERVC.EXE
INITBAK.DAT

Then it drops 2 more files in the Windows directory:


ISERVC.DLL
PROGOP.EXE

The ISERVC.DLL file is a key-logging component and the PROGOP.EXE file is a pure dropper code. Before sending itself out, the worm re-assembles its file using this dropper.

The ISERVC.EXE file contains the 'Sparky will reign.' string in its header, as shown in the screenshot:



It should be noted that the worm uses its resource section to store its own text strings and additional files that it drops. This method is very rarely used by malicious programs.

The worm creates a startup key for its main component in System Registry:


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit" = "%windir%\iservc.exe"

where %windir% is the Windows main directory. As a result, the main file of the worm is activated for each Windows session.

Additionally, the worm modifies the text file startup string:


[HKEY_CLASSES_ROOT\txtfile\shell\open\command]


@ = "%windir%\ProgOp.exe 0 7 '%windir%\NOTEPAD.EXE %1' '%windir%\initbak.dat' '%windir%\iservc.exe'"

where %windir% is the Windows main directory.

The main file of the worm has 5 resources in its body. All resources except the first one are encrypted and compressed. The first resource is only compressed. The structure of the resources is the following:


- e-mail address list -
- progop.exe file -
- iservc.dll file -
- behaviour script -
- text strings -

The behaviour script contains major settings for the worm, such as its installation name and folder. This script also controls the worm's behaviour in certain conditions. For example, when the date changes the worm logs out from IRC, waits for some time and then logs back in.



Spreading in e-mails

The Fizzer worm collects e-mail addresses from Windows and Outlook Address Books on an infected computer and from different files in personal folders, cookie folders, the recently opened files folder and Internet cache directories.

The worm fakes the sender's e-mail address in infected messages. It randomly composes fake addresses from its internal lists, which are quite big. The fake sender's e-mail address may contain a name (taken from an internal list, for example 'Rebecca'), a random number and one of these domains:


msn.com
hotmail.com
yahoo.com
aol.com
earthlink.net
gte.net
juno.com
netzero.com

The worm sends itself in e-mail messages to all the addresses it finds. The worm randomly selects subjects, bodies and attachment names from its large internal lists. The worm can use the names of innocent files from an infected system's hard disk for its attachment. Attachment extensions can be either .EXE, .PIF, .SCR or .COM. The worm fakes the sender's e-mail address. Here is an example of what an infected e-mail message might look like:

Subject:

I thought this was interesting...

Body:

If you don't like it, just delete it.

Attachment:

Jesus123.exe


The worm can also use German strings to compose e-mail messages.



Spreading in Kazaa P2P networks

The worm is capable of spreading itself in Kazaa P2P (peer-to-peer) file sharing networks. The Fizzer worm locates the Kazaa shared folder on an infected computer and copies itself there with random names. Any person who connects to an infected computer and executes files downloaded from its shared folder becomes infected with the worm.



Keylogging trojan

The worm records users' keystrokes and writes them into an ISERVC.KLG file located in the Windows folder. This file can be picked up by a hacker, so he can get access to users' login names and passwords as well as to their confidential data.



AOL backdoor

The worm connects to an AOL server on port 5190 with a random user name, creating a bot. A hacker can establish a connection to the bot and control the behaviour of the worm remotely.



IRC backdoor

The worm tries to connect to different IRC servers and create bots in certain channels there. The author of the worm can use these bots to get limited access to infected systems. The worm has a long list of IRC servers in its resources. Here are some of the IRC server names that the worm uses:


irc.afternet.org
irc.dal.net
irc.eu.dal.net
irc.ablenet.org
irc.abovenet.org
irc.accessirc.net
irc.aceirc.net
irc.all-defiant.org
irc.allochat.net
irc.alphanine.net
irc.altnet.org
irc.amcool.net
irc.amiganet.org
irc.angeleyez.net
irc.aniverse.com
irc.another.net
irc.arabchat.org
irc.arabmirc.net
irc.astrolink.org
irc.asylum-net.org
irc.auirc.net
irc.aurosoniq.net
irc.auscape.org
irc.aussiechat.org
irc.awesomechat.net
irc.awesomechristians.com
irc.axenet.org
irc.aXpi.net
irc.ayna.org
irc.azzurra.org
irc.bahamutirc.net
irc.bappy.eu.org
irc.bdsm-net.com
irc.beyondirc.net



Additional backdoor capabilities

The worm has additional backdoor capabilities. It listens on ports 2018-2021 for commands from a remote host (the hacker's computer). The ports are used for the following purposes:

2018 - command port (sending/receiving commands)

2019 - file port (sending/receiving files)

2020 - console port (remote console)

2021 - video port (capturing video and sending it out)

The worm's author can access these ports with a specially made utility (the client program of the backdoor); however, the console port can be connected to with a Telnet application. A remote console gives a hacker access to an infected computer as if he were using it locally. Here's what the remote console looks like:



The worm can also start an HTTP server on port 81 to provide additional access to an infected computer. Here's a screenshot of the worm's HTTP server interface:





Payload

The worm has the ability to kill the tasks of certain anti-virus programs. It kills all processes with the following strings in their names:


NAV
SCAN
AVP
TASKM
VIRUS
F-PROT
VSHW
ANTIV
VSS
NMAIN

The worm can perform a DoS (Denial of Service) attack if it receives a specific command from a remote hacker.



Autoupdating feature

The worm has the ability to update itself from a web site. It connects to a web site, downloads an update and saves it as UPD.BIN file in the Windows main folder. However, the web site with the updates for the worm is no longer available.



Uninstallation feature

The current variant of the worm can uninstall itself if a file with the following name is found in the Windows main directory:


Uninstall.pky

When the worm finds a file with this name, it kills all its tasks and removes its registry keys thus disinfecting a system.



Manual disinfection instructions

To get rid of the worm, it is enough to delete its files from the Windows main directory and from the Kazaa shared folders. Please download and execute the following Registry patch:

ftp://ftp.europe.f-secure.com/anti-v...s/fix_fizz.reg

After applying the patch, restart your system. After the restart you can delete the following files from your Windows main directory manually:


ISERVC.DLL
PROGOP.EXE
ISERVC.EXE
INITBAK.DAT

If you are using F-Secure Anti-Virus, please scan all your hard disks after restarting your computer. FSAV version 5.40 and later will rename all the files of the Fizzer worm automatically. If you have FSAV 5.31 or an earlier version, please select "Rename" as the disinfection action.



Disinfection tool

F-Secure provides a special disinfection tool for the Fizzer worm. The tool can be downloaded freely from our ftp site:

ftp://ftp.europe.f-secure.com/anti-v...s/f-fizzer.zip

Disinfection instructions can be found here:

ftp://ftp.europe.f-secure.com/anti-v...s/f-fizzer.txt



Detection

F-Secure Anti-Virus detects Fizzer worm with the updates published on May 9th, 2003:

Version=2003-05-09_03

[Description: F-Secure Anti-Virus Research Team; May 9-15th, 2003]
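The F-Secure write-up above is, read as a checklist, a set of host indicators: four files in %windir% plus the ISERVC.KLG keylog and UPD.BIN update, a Run value named SystemInit, a hijacked txtfile handler that routes through ProgOp.exe, listeners on 2018-2021 and the HTTP server on 81, and the substring list the worm uses to kill anti-virus processes. The script below is an added example (not F-Secure's disinfection tool and not something from the forum thread) that turns those indicators into an offline triage pass over snapshots you would pull from a suspect machine: a dump of the Run key, the txtfile command, `netstat -an` output, and a %windir% listing. All sample snapshots are constructed for this example; the case-insensitive matching of the AV kill strings and the stock `%SystemRoot%\system32\NOTEPAD.EXE %1` handler restored by `cleanup_reg()` are assumptions, not taken from the page (the contents of F-Secure's fix_fizz.reg are not shown there).

```python
"""Offline triage for the Fizzer indicators listed in the F-Secure description.

Added example: not F-Secure's tool and not code from the forum post. Runs
against snapshots collected from a suspect host; the samples below are
constructed for this example.
"""
import re

# --- indicators taken directly from the description -----------------------
FIZZER_FILES = {"iservc.exe", "iservc.dll", "initbak.dat", "progop.exe",
                "iservc.klg", "upd.bin"}
FIZZER_RUN_VALUE = ("SystemInit", "iservc.exe")
BACKDOOR_PORTS = {2018: "command", 2019: "file", 2020: "console",
                  2021: "video", 81: "http"}
# Substrings the worm matches against process names. Case-insensitive
# matching is an assumption here; the page only lists the strings.
AV_KILL_STRINGS = ["NAV", "SCAN", "AVP", "TASKM", "VIRUS", "F-PROT",
                   "VSHW", "ANTIV", "VSS", "NMAIN"]


def check_run_key(run_values):
    """run_values: dict of value name -> command from HKLM\\...\\Run."""
    hits = []
    for name, cmd in run_values.items():
        if (name.lower() == FIZZER_RUN_VALUE[0].lower()
                and FIZZER_RUN_VALUE[1] in cmd.lower()):
            hits.append(f"Run\\{name} = {cmd}")
    return hits


def check_txtfile_handler(command):
    """True if the .txt handler is routed through ProgOp.exe, i.e. the
    worm re-drops itself every time a text file is opened."""
    return "progop.exe" in command.lower()


def check_listeners(netstat_output):
    """Return {port: purpose} for Fizzer backdoor ports in LISTENING state.
    Parses lines shaped like '  TCP    0.0.0.0:2020    0.0.0.0:0    LISTENING'."""
    found = {}
    for line in netstat_output.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            port = int(m.group(1))
            if port in BACKDOOR_PORTS:
                found[port] = BACKDOOR_PORTS[port]
    return found


def check_windir(listing):
    """listing: iterable of file names from %windir%. Returns matches sorted."""
    return sorted(f for f in listing if f.lower() in FIZZER_FILES)


def av_kill_targets(process_names):
    """Processes the worm's substring heuristic would kill. Note the
    collateral damage: TASKM also hits taskmgr.exe, SCAN hits any scanner."""
    return [p for p in process_names
            if any(s.lower() in p.lower() for s in AV_KILL_STRINGS)]


def cleanup_reg():
    """Text of a .reg file undoing the two registry changes. Constructed
    equivalent of the (unseen) fix_fizz.reg; the restored handler is the
    stock notepad command, an assumption not taken from the page."""
    return "\r\n".join([
        "REGEDIT4",
        "",
        r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]",
        '"SystemInit"=-',
        "",
        r"[HKEY_CLASSES_ROOT\txtfile\shell\open\command]",
        r'@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"',
        "",
    ])


def triage(run_values, txtfile_cmd, netstat_output, windir_listing):
    """Aggregate the checks; empty values mean that indicator is absent."""
    return {
        "run_key": check_run_key(run_values),
        "txtfile_hijacked": check_txtfile_handler(txtfile_cmd),
        "listeners": check_listeners(netstat_output),
        "files": check_windir(windir_listing),
    }


# --- constructed sample snapshots from an "infected" host -----------------
SAMPLE_RUN = {"SystemInit": r"C:\WINDOWS\iservc.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_TXTFILE = (r"C:\WINDOWS\ProgOp.exe 0 7 'C:\WINDOWS\NOTEPAD.EXE %1' "
                  r"'C:\WINDOWS\initbak.dat' 'C:\WINDOWS\iservc.exe'")
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2018           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2020           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       205.188.8.1:5190       ESTABLISHED
"""
SAMPLE_WINDIR = ["explorer.exe", "ISERVC.EXE", "initbak.dat", "iservc.klg", "win.ini"]
SAMPLE_PROCS = ["navapw32.exe", "taskmgr.exe", "explorer.exe", "f-prot.exe", "iservc.exe"]

if __name__ == "__main__":
    for key, val in triage(SAMPLE_RUN, SAMPLE_TXTFILE, SAMPLE_NETSTAT, SAMPLE_WINDIR).items():
        print(f"{key}: {val}")
    print("AV kill heuristic would hit:", av_kill_targets(SAMPLE_PROCS))
    print(cleanup_reg())
```

The ESTABLISHED connection to port 5190 in the sample is deliberately not flagged: an outbound AIM session looks the same whether a user or the worm's bot opened it, so on a real host you would correlate it with the owning process rather than alert on the port alone. The order of the manual cleanup matters for the same reason the txtfile hijack exists: delete the files before fixing the handler and the next double-click on a .txt file recreates them from initbak.dat, which is why the description says to apply the registry patch and reboot first.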
16-05-03, 09:36 PM   #2
JackSpratts
Join Date: May 2001
Location: New England
Posts: 10,017

hi boelcke and welcome to the napsterites underground p2p-zone!

thanks for such a detailed post.

earlier today in congress an attorney for the riaa said "we would never do anything like that" when an attorney for kazaa accused the group of plotting just such an event. while anything is possible, it would be an extremely poor choice of action if they happened to get caught and we've seen that in many cases virus writers do get caught.

for what it's worth, fasttrack clients imesh and kazaa are now blocking the worm with their on-board virus protection, and experts are saying that the fizzer is quickly going flat.

- js.
17-05-03, 11:28 AM   #3
Šiego
Alpha Stoner
Join Date: Apr 2001
Location: www.naphoria.com
Posts: 5,121


Most Excellent (tm) first post


Š
__________________

   There's only one way off so you might as well enjoy the ride..
17-05-03, 02:14 PM   #4
multi
Thanks for being with arse
Join Date: Jan 2002
Location: The other side of the world
Posts: 10,343


yeh im suspect as hell on those nasty riaa bits of phlegm too...nothing would surprise me..what they would stoop to..

i wonder if there is a few others involved as well..


Fizzer could have been contained: MessageLabs

By Online Staff
May 16 2003

The Fizzer worm would not have had half the impact it has, if anti-virus companies had issued virus definitions for it as soon as they knew of its existence, according to a senior official from MessageLabs, a UK-based company which provides email security services.

The company's senior anti-virus technologist, Alex Shipp, said the worm was discovered on Wednesday, May 7, but anti-virus companies only issued updates for their software the following Monday (May 12).

By then the worm had started spreading rapidly and given that it is a complex worm, spreading through email and through the KaZaa P2P (peer-to-peer) file sharing network as well, it had become pretty widespread.

Fizzer is still spreading, though at a slower rate than it was a few days back.

Shipp said MessageLabs detected about 500 to 600 email-borne viruses and worms each year, with about two-fifths of these being variants of the other three-fifths.

from

welcome to the forum boelcke
__________________

i beat the internet
- the end boss is hard