Virus Detected
Created 5/20/03
Impact
There is evidence that the system has been infected with
a virus. Files or system information may have
been transmitted to remote parties, unauthorized file
modifications may have taken place, and backdoors allowing
unauthorized access may be present. Furthermore,
the system could be used as a potential launching
point for further propagation of the virus across the
network.
Background
A virus is a self-replicating program designed to spread itself
across a network. A computer can become infected with a virus
when a user unknowingly installs it, usually by opening an
untrustworthy e-mail attachment. Once installed, the virus
takes some action to help itself propagate, and may take
other actions, which are often harmless but sometimes malicious.
The Problems
Fizzer
5/20/03
The Fizzer worm spreads itself through e-mail attachments and through
Kazaa peer-to-peer file sharing networks. Once activated, it
takes the following actions on the victim's computer:
- Creates the files ISERVC.EXE, INITBAK.DAT, ISERVC.DLL, and PROGOP.EXE in the Windows directory.
- Modifies the registry to run itself for each Windows
session and whenever a text file is opened.
- E-mails itself to every address it finds in the address
book and on the hard drive.
- Copies itself to the Kazaa shared folder, if present, so
it will infect any computer which downloads and executes files from it.
- Records keystrokes in the ISERVC.KLG file.
- Creates a bot on an AOL server and various IRC servers, thus allowing remote control of the virus.
- Creates backdoors on TCP ports 2018 through 2021. Port 2020 is a console service,
which can allow complete control of the computer using only
a telnet client. Access to the other ports would require
special client software.
- Starts a web server on port 81 for remote access.
- Disables anti-virus software.
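As an added example that is not part of this advisory, the following Python helper checks data an analyst has already collected from a host (a listing of the Windows directory, the text of `netstat -an`, and the command strings of autostart registry values) against the file, port and startup indicators listed above. The `netstat` line format and the use of Run-key values for the autostart check are assumptions; the file names and ports come from the list above.

```python
import re

# File names from the advisory; ISERVC.KLG is the keystroke log.
FIZZER_FILES = {"ISERVC.EXE", "INITBAK.DAT", "ISERVC.DLL",
                "PROGOP.EXE", "ISERVC.KLG"}
# Backdoor ports 2018-2021 and the web server on port 81.
FIZZER_PORTS = {81, 2018, 2019, 2020, 2021}

# Assumed Windows `netstat -an` layout: "TCP  addr:port  faddr:fport  LISTENING"
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def listening_ports(netstat_output):
    """Return the set of TCP ports in LISTENING state from `netstat -an` text."""
    return {int(m.group(1)) for line in netstat_output.splitlines()
            if (m := _LISTEN_RE.match(line))}


def check_host(windows_dir_listing, netstat_output, run_values):
    """Match collected host data against the Fizzer indicators.

    Returns a dict of indicator category -> matched items; an empty dict
    means none of the published indicators were found.
    """
    hits = {}
    files = {name.upper() for name in windows_dir_listing} & FIZZER_FILES
    if files:
        hits["files"] = sorted(files)
    ports = listening_ports(netstat_output) & FIZZER_PORTS
    if ports:
        hits["ports"] = sorted(ports)
    # Assumption: the worm registers one of its executables as an autostart value.
    autostart = [v for v in run_values
                 if any(f in v.upper() for f in ("ISERVC.EXE", "PROGOP.EXE"))]
    if autostart:
        hits["autostart"] = autostart
    return hits


if __name__ == "__main__":
    # Constructed sample data resembling an infected host.
    listing = ["explorer.exe", "notepad.exe", "iservc.exe", "initbak.dat", "ISERVC.KLG"]
    netstat = (
        "  Proto  Local Address     Foreign Address   State\n"
        "  TCP    0.0.0.0:81        0.0.0.0:0         LISTENING\n"
        "  TCP    0.0.0.0:2020      0.0.0.0:0         LISTENING\n"
        "  TCP    192.168.1.5:139   0.0.0.0:0         LISTENING\n"
    )
    print(check_host(listing, netstat, [r"C:\WINDOWS\iservc.exe"]))
```

Port 139 and the other unrelated listeners are ignored; only the ports and files the advisory names are reported.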
Resolution
Fizzer:
Follow the removal instructions included in the McAfee
Virus Profile.
Where can I read more about this?
More information on the Fizzer virus is available from
F-Secure and
Symantec.