
Central Command: Virus Infection Reports for the New Internet Worm/Fizza.A

Worm Spreads Through e-mail by Using Addresses It Collects in the Microsoft Outlook Address Book

(20.05.03) - The Central Command Emergency Virus Response Team has received virus infection reports for the new Internet Worm/Fizza.A. Due to increased customer inquiries and infection reports, the EVRT is issuing a VIRUS ALERT:


http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030509-000019 .

Details:

Name: Worm/Fizzu.A

Alias: W32/Fizzer.A-mm

Type: Internet Worm

Discovered: May 8, 2003

Size: 220.160KB

Platform: Microsoft Windows 9x/ME/NT/2000/XP

Description:

Worm/Fizzu.A is an Internet worm that spreads through e-mail by using addresses it collects in the Microsoft Outlook Address Book as well as in the Windows Address Book. It can also arrive through the file-sharing program Kazaa.

The worm may arrive via e-mail in the following format:

(Please note that received emails will all have different contents. The attachment name, subject line and body are built from a large list of English and German words.)

Subject: Re: You might not appreciate this...

Body: There is only good, knowledgem, and one evil, ignorance

Attachment: Service.scr 

or

Subject: Why?

Body: I sent this program (Sparky) from anonymous places on the net

Attachment: Desktop.scr

If executed, the worm copies itself into the /windows/ directory under the filenames "INITBAK.DAT" and "ISERVC.EXE". Additionally, it creates the following new files in the Windows directory: "ISERVC.DLL" (7.680 KB) and "PROGOP.EXE" (15.360 KB).

So that it runs each time a user restarts their computer, the following registry value is added:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SystemInit"="C:\\WINDOWS\\ISERVC.EXE"

Then, the following registry key is modified so that the worm is executed each time a text file is opened:

- HKEY_CLASSES_ROOT\txtfile\shell\open\command @="C:\\WINDOWS\\ProgOp.exe 0 7 'C:\\WINDOWS\\NOTEPAD.EXE %1' 'C:\\WINDOWS\\initbak.dat' 'C:\\WINDOWS\\ISERVC.EXE'"
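As an added example (not part of Central Command's alert), the following Python code checks a registry export for the two persistence entries described above. It assumes the export is in regedit's text .reg format with plain string values; the sample export and its "ExampleTray" entry are constructed for illustration.

```python
import re

# File names the alert says the worm drops in the Windows directory.
DROPPED = {"initbak.dat", "iservc.exe", "iservc.dll", "progop.exe"}
# The two registry keys the alert names (lower-cased for comparison).
KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
        r"hkey_classes_root\txtfile\shell\open\command"}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            # .reg files escape backslashes and quotes inside string data.
            yield key, name, re.sub(r"\\(.)", r"\1", m.group(2))

def find_indicators(text):
    """Return (key, value_name, matched_files) for the alert's two keys."""
    findings = []
    for key, name, data in parse_reg(text):
        if key.lower() not in KEYS:
            continue
        # Split the command line into path components and arguments.
        tokens = re.split(r"[\\/\s'\"]+", data.lower())
        hits = sorted(DROPPED.intersection(tokens))
        if hits:
            findings.append((key, name, hits))
    return findings

# Constructed sample export: one benign entry plus the two entries from the alert.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"SystemInit"="C:\\WINDOWS\\ISERVC.EXE"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\ProgOp.exe 0 7 'C:\\WINDOWS\\NOTEPAD.EXE %1' 'C:\\WINDOWS\\initbak.dat' 'C:\\WINDOWS\\ISERVC.EXE'"
'''

if __name__ == "__main__":
    for key, name, hits in find_indicators(SAMPLE):
        print(f"{key} [{name}] references {', '.join(hits)}")
```

A hit on the txtfile key also means the handler has to be restored to Notepad after the worm's files are removed, otherwise opening a text file will fail.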

Worm/Fizzu.A has been seen to terminate applications with the following process names:

· NAV
· SCAN
· AVP
· TASKM
· VIRUS
· f-prot
· VSHW
· ANTIV
· VSS
· NMAIN

It also has the ability to log keystrokes. (ma)

Central Command Inc.

Contact: Steven Sundermeier, Product Manager

Tel. (001-330) 723-2062 x204, Fax (001-330) 722-6517

E-Mail: ssundermeier@centralcommand.com

Web: www.centralcommand.com
