A very clever mass-mailing worm is spreading rapidly across the Internet

Fizzer (w32.fizzer@mm) has many different components, each timed to trigger different processes, making it quite difficult to contain.

The worm spreads via e-mail and includes its own SMTP engine to bypass any security your e-mail client may have. Fizzer also spreads via Kazaa, a popular file-sharing application.
The worm establishes its own accounts on Internet Relay Chat (IRC) and AOL Instant Messenger, in order to await further instructions from the virus author.

Fizzer attempts to disable any antivirus program running at the time of infection. Systems infected with Fizzer could be used in distributed denial-of-service (DDoS) attacks on other computers.

Fizzer includes a keystroke-logging Trojan horse, which can be used to steal passwords and credit card information.

Because Fizzer spreads via e-mail and Kazaa, contains a keystroke-logging Trojan horse, and could be used in a DDoS attack, this worm rates a 7 on the ZDNet Virus Meter.

How it works
Fizzer arrives as e-mail with several possible subject lines and body texts. The From: address can be forged and therefore should not be trusted. Fizzer’s attached files contain one of the following extensions: .com, .exe, .pif and .scr.

If a user opens the attached file or otherwise activates the worm, three files are added to the Windows directory:

initbak.dat, which is a copy of the worm
iservc.exe, which is a copy of the worm
progop.exe
iservc.dll, which contains the keystroke logging Trojan

According to McAfee, Fizzer modifies the system Registry in the following ways:

Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Run “SystemInit” = C:\Windows\iservc.exe

Hkey_classes_root\txtfile\shell\open\command “(Default)” = C:\Windows\progop.exe 0 7 ‘C:\Windows\Notepad.exe %1’ ‘C:\Windows\initbak.dat’ ‘C:\Windows\iservc.exe’

Hkey_classes_root\Applications\progop.exe

On Windows NT, 2000, and XP systems, Fizzer also creates a service named S1Trace.

This worm listens for external Internet traffic in various ways. Signs of infection include unexpected traffic on port 6667 (IRC) and 5190 (AIM).

Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, MessageLabs, Sophos, Symantec, or Trend Micro.

==>zd.net
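
Added example (not part of the original post or the ZDNet article): a Python triage check that matches an already-collected host inventory against the file names, Run value, txtfile handler, S1Trace service and ports 6667/5190 named above. The function name, its parameters and the sample inventory are assumptions constructed for illustration; a port match is only a lead on machines where IRC or AIM is used legitimately.

```python
import ntpath

# Indicators as listed in the post above.
WORM_FILES = {"initbak.dat", "iservc.exe", "progop.exe", "iservc.dll"}
PORTS = {6667: "IRC", 5190: "AIM"}

def _port(endpoint):
    # Port of a netstat endpoint such as '192.0.2.10:6667', or None.
    tail = endpoint.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def fizzer_indicators(windows_dir_files, run_values, txtfile_open_cmd,
                      services, netstat_lines):
    """Return findings for an already-collected host inventory (hypothetical helper)."""
    findings = [f"file: {n}" for n in windows_dir_files if n.lower() in WORM_FILES]
    for value, data in run_values.items():
        exe = ntpath.basename(data.strip('"')).lower()
        if value.lower() == "systeminit" and exe == "iservc.exe":
            findings.append(f"run key: {value} = {data}")
    # The post shows progop.exe placed in front of Notepad in the txtfile handler.
    if "progop.exe" in txtfile_open_cmd.lower():
        findings.append("txtfile open command routed through progop.exe")
    findings += [f"service: {s}" for s in services if s.lower() == "s1trace"]
    for line in netstat_lines:
        cols = line.split()
        if len(cols) < 3 or cols[0].upper() != "TCP":
            continue
        # Check both the local and the foreign endpoint of each TCP row.
        hit = next((p for p in map(_port, cols[1:3]) if p in PORTS), None)
        if hit:
            findings.append(f"network: {PORTS[hit]} port {hit}: {line.strip()}")
    return findings

# Constructed sample inventory (not real telemetry; addresses are documentation ranges).
SAMPLE = dict(
    windows_dir_files=["notepad.exe", "ISERVC.EXE", "initbak.dat"],
    run_values={"SystemInit": r"C:\Windows\iservc.exe"},
    txtfile_open_cmd=r"C:\Windows\progop.exe 0 7 'C:\Windows\Notepad.exe %1'",
    services=["Spooler", "S1Trace"],
    netstat_lines=["  TCP    192.0.2.10:1045    198.51.100.7:6667    ESTABLISHED",
                   "  TCP    192.0.2.10:1046    198.51.100.9:80      ESTABLISHED"],
)

if __name__ == "__main__":
    print("\n".join(fizzer_indicators(**SAMPLE)))
```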

The virus is spread in Europe !
And I hope I will not get this virus :tb:

Hey BB thanks for the heads-up! :slight_smile:

I appreciate it.

No problem !

thanks for letting us know… :slight_smile:

opens norton

LoL. thanks for the heads up. i will keep my eyes open for when i check my mail. =)

cheers m8

i got a feckin virus 2 day and good old kaspersky kicked its butt 4 me…

funkin barstewards that they r…

they r a pain in the jacksie and not only waste your time…

but cause you 2 stress out coz u think OMG…OMG…

i lost a lot of work last year bcoz of one…

but its ok since it was backed up…

the pain was having to format a pc…

and go through the installation process which eats up so much of your time when you have to reconfigure progs etc…

thanxx 4 the warning…

hey thx! Friggin viruses! haven’t ppl got anything else to do (like flash) than making viruses? :slight_smile: