Discovered on May 08, 2003, Fizzer (a.k.a. W32/Fizzer@MM, W32/Fizzer.A, and Worm/Fizzu.A worm) spreads via email and the KaZaA P2P network. According to antivirus vendor F-Secure, Fizzer contains a built-in IRC backdoor, a DoS (Denial of Service) attack tool, a data stealing trojan, an HTTP server and autoupdating capabilities. The worm also has the ability to disable certain antivirus programs. "This is one of the more complicated worms we've seen", comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "The worm is 200kB of code spaghetti, containing backdoors, code droppers, attack agents, key loggers and even a small web server!"
Fizzer culls addresses from both the Windows and Outlook Address Book and also uses random Yahoo and Hotmail addresses. "Fizzer actually creates random e-mail addresses and targets them", explains Hypponen. "This is done by picking random names and numbers and creating addresses belonging to large services such as Hotmail - these addresses might look like BOB246@MSN.COM or JACK555@YAHOO.COM."
The email message composed by Fizzer is randomly derived from a long list of internal selections and may appear in either English or German. The email attachment will also be randomly named, but will have either a .COM, .EXE, .PIF, or .SCR extension.
Fizzer also targets the KaZaA P2P (peer to peer) network, copying itself to the KaZaA shared folder under a variety of filenames. KaZaA participants who download from the shared folder on an infected machine risk receiving the infected files.
The Fizzer worm kills processes whose names contain NAV, SCAN, AVP, TASKM, VIRUS, F-PROT, VSHW, ANTIV, VSS, or NMAIN. This disables certain antivirus tasks or programs. Affected products include the popular Norton Antivirus and McAfee VirusScan software.
Fizzer also installs a keylogging Trojan that records keystrokes to a log file, which can then be retrieved through a backdoor utility also installed by Fizzer. The backdoor is accessible via IRC channels, HTTP, and Telnet. Fizzer automatically updates itself, so additional functionality may be added or changes made that affect how the worm operates.
Manual Detection and Removal of Fizzer
The following instructions involve modifying the System Registry. Improperly editing the system registry can adversely affect the operating system.
Antivirus vendor BitDefender provides a free removal tool for Fizzer, available at http://www.bitdefender.com/html/free_tools.php. The tool is available in English, Spanish, and German.
If you prefer to remove Fizzer manually, begin by searching the System Registry for the following:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"SystemInit" = "C:\Windows\iservc.exe"
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = "C:\Windows\ProgOp.exe 0 7 'C:\Windows\NOTEPAD.EXE %1' 'C:\Windows\initbak.dat' 'C:\Windows\ISERVC.EXE'"
F-Secure provides a free tool to remove the registry edits made by Fizzer:
ftp://ftp.europe.f-secure.com/anti-virus/tools/fix_fizz.reg
After correcting the registry, reboot the system. Search the Windows directory for the following files and delete them:
INITBAK.DAT
ISERVC.EXE
ISERVC.DLL
PROGOP.EXE
If you use KaZaA, you can expect a large number of files in your shared KaZaA folder to be copies of the worm. Scan the system with updated antivirus software to remove any further instances of Fizzer.
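As an added illustration of the manual check above (this is not code from the article or from any vendor tool), the following Python script looks for the Fizzer indicators listed here in a regedit .reg export and a listing of the Windows directory: the SystemInit Run value pointing at iservc.exe, the hijacked txtfile open handler, and the four dropped files. The sample export and directory listing are constructed for the example.

```python
import re

# Indicators from the advisory: persistence value, hijacked .txt handler, dropped files.
FIZZER_FILES = {"INITBAK.DAT", "ISERVC.EXE", "ISERVC.DLL", "PROGOP.EXE"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXT_CMD_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"

def parse_reg_export(text):
    """Parse a regedit .reg export into {key (lowercased): {value_name: data}}; '@' is (Default)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside REG_SZ data
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys

def find_fizzer_indicators(reg_text, windows_dir_listing):
    """Return human-readable findings; an empty list means no indicator was seen."""
    findings = []
    reg = parse_reg_export(reg_text)
    system_init = reg.get(RUN_KEY.lower(), {}).get("SystemInit", "")
    if "iservc.exe" in system_init.lower():
        findings.append("Run key persistence: SystemInit = " + system_init)
    cmd = reg.get(TXT_CMD_KEY.lower(), {}).get("(Default)", "")
    if re.search(r"progop\.exe|iservc\.exe", cmd, re.IGNORECASE):
        findings.append("txtfile open handler hijacked: " + cmd)
    dropped = sorted(f for f in windows_dir_listing if f.upper() in FIZZER_FILES)
    if dropped:
        findings.append("dropped files in Windows directory: " + ", ".join(dropped))
    return findings

# Constructed sample export and directory listing mirroring an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\Windows\\iservc.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\ProgOp.exe 0 7 'C:\\Windows\\NOTEPAD.EXE %1' 'C:\\Windows\\initbak.dat' 'C:\\Windows\\ISERVC.EXE'"
'''
SAMPLE_WINDIR = ["explorer.exe", "iservc.exe", "ISERVC.DLL", "notepad.exe", "ProgOp.exe", "initbak.dat"]

if __name__ == "__main__":
    for finding in find_fizzer_indicators(SAMPLE_REG, SAMPLE_WINDIR):
        print(finding)
```

On a real machine, produce the export with regedit (File > Export) and the listing with a directory command, then feed both to find_fizzer_indicators.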