W32.HLLW.Fizzer@mm Worm - PowerPoint PPT Presentation

Provided by: c0lp

Transcript and Presenter's Notes

1
W32.HLLW.Fizzer@mm Worm
  • Shawn P. Loveric
  • CIS 600 Mobile Code Security
  • Dr. Leonard Popyack
  • 21 July 2003

2
Agenda
  • Background
  • Worm Overview
  • Threat Assessment
  • The Details
  • Detection/Cleanup
  • Wrap Up
  • Questions
  • References

3
Background
  • E-mail/P2P Worm
  • Infects Win9x, ME, NT, 2K, XP
  • Discovered on May 8, 2003
  • Currently one of the most widespread worms

4
Worm Overview
  • PE format executable
  • Infection length: 241,664 bytes
  • Can spread via e-mail or by Kazaa shares
  • Contains an IRC backdoor, DoS attack tool, data-
    stealing Trojan, and an HTTP server

5
Threat Assessment
  • Number of infections: More than 1000
  • Number of sites: More than 10
  • Geographical distribution: Medium
  • Threat containment: Moderate
  • Removal: Moderate

6
The Details (1 of 11)
  • Spreads droppers via e-mail as a randomly
    generated .EXE, .PIF, .SCR, or .COM file
  • Once activated, it creates the file ISERVC.EXE in
    a temp dir
  • This is the main component
  • Copies itself to the Windows dir as ISERVC.EXE
    and INITBAK.DAT

7
The Details (2 of 11)
  • Also drops ISERVC.DLL and PROGOP.EXE into the
    Windows dir
  • ISERVC.DLL is the key-logging component
  • PROGOP.EXE is pure dropper code
  • Before sending itself out, the worm re-assembles
    its file using this dropper

8
The Details (3 of 11)
  • The ISERVC.EXE file contains the string 'Sparky
    will reign' in the PE header

9
The Details (4 of 11)
  • Fizzer uses its resource section to store
    additional strings and settings
  • This is not normal for MMC
  • The resource section contains:
      • e-mail address list
      • progop.exe file
      • iservc.dll file
      • behavior script
      • text strings
  • All resources are encrypted and compressed
  • Creates a mutex called SparkyMutex to limit itself
    to one worm per machine

10
The Details (5 of 11)
  • Creates the start-up key:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      "SystemInit" = "%windir%\iservc.exe"
  • Also modifies the text file association (@ is the
    key's default value):
      HKEY_CLASSES_ROOT\txtfile\shell\open\command
      @ = "%windir%\ProgOp.exe 0 7 '%windir%\NOTEPAD.EXE %1'
      '%windir%\initbak.dat' '%windir%\iservc.exe'"

11
The Details (6 of 11)
  • E-mail addresses are collected from:
      • Windows and Outlook Address Books
      • Personal folders
      • Cookie folders
      • MRU files folder
      • Internet cache directories
  • Fake sender addresses are composed from:
      • A name from an internal list
      • A random number
      • One of these domains:
          msn.com hotmail.com yahoo.com aol.com
          earthlink.net gte.net juno.com netzero.com

12
The Details (7 of 11)
  • E-mail subjects and bodies are randomly selected
    from internal lists
  • Attachment file names are taken from filenames
    on disk
  • Message example:
      • Subject: I thought this was interesting...
      • Body: If you don't like it, just delete it.
      • Attachment: Jesus123.exe

13
The Details (8 of 11)
  • Also copies itself to the Kazaa shared folder
    under several different names
  • Keylogger logs data to ISERVC.KLG in the Windows
    dir
  • Connects to an AOL server on port 5190 and
    creates a bot so the worm can be controlled
    remotely
  • Does the same via IRC

14
The Details (9 of 11)
  • Also contains backdoors on these ports:
      • 2018 - command port (sending/receiving commands)
      • 2019 - file port (sending/receiving files)
      • 2020 - console port (remote console)
      • 2021 - video port (capturing video and sending it
        out)
  • Can also start an HTTP server on port 81
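
The listening ports above, together with the AOL check-in on port 5190 from the previous slide, are enough for a simple network-side detection. The following is an added example, not code from the slides or from any vendor tool: it scans a few constructed connection-log lines in an assumed "timestamp direction src:port -> dst:port" format and flags inbound connections to the four backdoor ports or the port 81 HTTP server, plus outbound connections to port 5190.

```python
"""Flag connection-log lines that match the Fizzer ports named on the slides.

Added example. The log lines below are constructed, not captured from a real
infection, and the log format (timestamp, in/out, src:port -> dst:port) is an
assumption chosen for this example.
"""
import re
from dataclasses import dataclass

# Ports taken from the slides: the four backdoor ports, the optional
# HTTP server, and the AOL server port the bot connects out to.
FIZZER_LISTEN_PORTS = {
    2018: "command",
    2019: "file",
    2020: "console",
    2021: "video",
    81: "http server",
}
AOL_PORT = 5190

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


@dataclass
class Hit:
    timestamp: str
    host: str      # the internal host the finding concerns
    port: int
    reason: str


def check_line(line):
    """Return a Hit for a suspicious line, or None for a normal/malformed one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    direction = m["dir"]
    dport = int(m["dport"])
    if direction == "in" and dport in FIZZER_LISTEN_PORTS:
        return Hit(m["ts"], m["dst"], dport,
                   f"inbound to Fizzer {FIZZER_LISTEN_PORTS[dport]} port")
    if direction == "out" and dport == AOL_PORT:
        return Hit(m["ts"], m["src"], dport,
                   "outbound to AOL port 5190 (possible bot check-in)")
    return None


def scan(lines):
    """Run check_line over every line and keep the hits, in log order."""
    return [h for h in map(check_line, lines) if h is not None]


# Constructed sample log: one internal host, a few normal flows, and the
# kinds of flows the slides describe.
SAMPLE_LOG = """\
2003-05-09T10:01:02 out 10.0.0.5:1034 -> 192.0.2.10:80
2003-05-09T10:01:07 in 198.51.100.7:40211 -> 10.0.0.5:2018
2003-05-09T10:01:09 out 10.0.0.5:1040 -> 203.0.113.3:5190
2003-05-09T10:01:15 in 198.51.100.7:40212 -> 10.0.0.5:2021
2003-05-09T10:02:00 in 198.51.100.9:51000 -> 10.0.0.5:81
2003-05-09T10:02:30 out 10.0.0.5:1041 -> 192.0.2.10:443
malformed line
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.host}:{hit.port} {hit.reason}")
```

Port numbers alone are a weak signal: 5190 is the ordinary AIM port and 81 is a common alternate HTTP port, so a hit on those is a prompt to check the host for the dropped files and registry entries, not a verdict on its own. The 2018-2021 inbound hits are more specific, since nothing else on a workstation normally listens there.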

15
The Details (10 of 11)
16
The Details (11 of 11)
  • Kills all processes whose names contain the
    following strings:
      • NAV
      • SCAN
      • AVP
      • TASKM
      • VIRUS
      • F-PROT
      • VSHW
      • ANTIV
      • VSS
      • NMAIN
  • Can update itself via a website at GeoCities
  • Can also uninstall itself if Uninstall.pky is in
    the Windows dir

17
Detection/Cleanup
  • Most vendors have signatures for Fizzer
  • Those products can also remove it
  • Manual clean-up can be accomplished by:
      • Deleting all Fizzer files from the Windows dir
      • Removing its entries from the registry
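
The manual clean-up above amounts to checking two registry locations (the Run value and the txtfile association from slide 10) and the file names dropped into the Windows dir. The following is an added example, not code from the slides or from any vendor: a small triage routine that matches a host snapshot against those indicators. The snapshot layout (two dicts and a file list) is an assumption made for the example; collect_snapshot() fills one in with the standard winreg module on Windows, and the constructed sample lets the matching logic run anywhere.

```python
"""Triage a host snapshot against the Fizzer indicators listed on the slides.

Added example. The snapshot format is an assumption; the sample snapshots are
constructed to mirror the slides, not taken from a real machine.
"""
import os
import sys

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
# File names the slides say the worm drops into the Windows dir (lower-case).
DROPPED_FILES = {"iservc.exe", "iservc.dll", "initbak.dat", "progop.exe", "iservc.klg"}


def triage(snapshot):
    """Return a list of (indicator, detail) findings; an empty list means no match."""
    findings = []
    # Start-up value: the slides give the name "SystemInit" pointing at iservc.exe.
    for name, value in snapshot.get("run", {}).items():
        if name.lower() == "systeminit" or "iservc.exe" in value.lower():
            findings.append(("run key", f'{RUN_KEY} "{name}" = "{value}"'))
    # Text file association: the worm wraps NOTEPAD.EXE with ProgOp.exe.
    txt_cmd = snapshot.get("txtfile_command", "")
    if "progop.exe" in txt_cmd.lower():
        findings.append(("txtfile association", f"{TXTFILE_KEY} @ = {txt_cmd}"))
    # Dropped files, matched case-insensitively since the slides mix cases.
    for f in sorted(snapshot.get("windir_files", []), key=str.lower):
        if f.lower() in DROPPED_FILES:
            findings.append(("dropped file", f))
    return findings


def collect_snapshot():
    """Windows only: read the Run values, the txtfile default value and the Windows dir."""
    import winreg
    snap = {"run": {}, "txtfile_command": "", "windir_files": []}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(k, i)
            except OSError:          # raised when the values are exhausted
                break
            snap["run"][name] = str(value)
            i += 1
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"txtfile\shell\open\command") as k:
            snap["txtfile_command"] = str(winreg.QueryValueEx(k, "")[0])  # "" = default value
    except OSError:
        pass
    snap["windir_files"] = os.listdir(os.environ.get("WINDIR", r"C:\Windows"))
    return snap


# Constructed snapshot of an infected host, mirroring slides 6, 7, 8 and 10.
SAMPLE_SNAPSHOT = {
    "run": {
        "SystemInit": r"C:\WINDOWS\iservc.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "txtfile_command": (r"C:\WINDOWS\ProgOp.exe 0 7 'C:\WINDOWS\NOTEPAD.EXE %1' "
                        r"'C:\WINDOWS\initbak.dat' 'C:\WINDOWS\iservc.exe'"),
    "windir_files": ["explorer.exe", "iservc.exe", "ISERVC.DLL", "initbak.dat",
                     "ProgOp.exe", "iservc.klg", "notepad.exe"],
}

# Constructed snapshot of a clean host with the stock text file association.
CLEAN_SNAPSHOT = {
    "run": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "txtfile_command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    "windir_files": ["explorer.exe", "notepad.exe"],
}

if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for kind, detail in triage(snap) or [("no match", "none of the listed indicators found")]:
        print(f"{kind}: {detail}")
```

Order matters when cleaning by hand: restore the txtfile association to plain NOTEPAD.EXE before deleting ProgOp.exe, or opening any .txt file will fail, and stop iservc.exe before deleting it, since a running process re-creates what the slides list as its start-up value.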

18
Wrap Up
  • Pretty bad ass MMC
  • Lots of functionality for its size

19
Questions
  • Anyone?...Anyone?...

20
References
  • http://www.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html
  • http://www.f-secure.com/v-descs/fizzer.shtml
  • http://www.entercomp.com/W32HLLWFizzer.htm