Tutorial - Virus Detected

Virus Detected

Created 5/20/03

Impact

There is evidence that the system has been infected with a virus. Files or system information may have been transmitted to remote parties, unauthorized file modifications may have taken place, and backdoors allowing unauthorized access may be present. Furthermore, the system could be used as a potential launching point for further propogation of the virus across the network.

Background

A virus is a self-replicating program designed to spread itself across a network. A computer can become infected with a virus when a user unknowingly installs it, usually by opening an untrustworthy e-mail attachment. Once installed, the virus takes some action to help itself propogate, and may take other actions, which are often harmless but sometimes malicious.

The Problems

Fizzer

5/20/03
The Fizzer worm spreads itself through e-mail attachments and through Kazaa peer-to-peer file sharing networks. Once activated, it takes the following actions on the victim's computer:

Creates the files ISERVC.EXE, INITBAK.DAT, ISERVC.DLL, and PROGOP.EXE in the Windows directory.
Modifies the registry to run itself for each Windows session and whenever a text file is opened.
E-mails itself to every address it finds in the address book and on the hard drive.
Copies itself to the Kazaa shared folder, if present, so it will infect any computer which downloads and executes files from it.
Records keystrokes in the ISERVC.KLG file.
Creates a bot on an AOL server and various IRC servers, thus allowing remote control of the virus.
Creates backdoors on TCP ports 2018 through 2021. Port 2020 is a console service, which can allow complete control of the computer using only a telnet client. Access to the other ports would require special client software.
Starts a web server on port 81 for remote access.
Disables anti-virus software.

Resolution

Fizzer:
Follow the removal instructions included in the McAfee Virus Profile.

Where can I read more about this?

More information on the Fizzer virus is available from F-Secure and Symantec.