P2P worm wreaks havoc among file swappers


13 May 2003


A new stealth worm that propagates itself by email and through the peer-to-peer (P2P) file-sharing service Kazaa has spread rapidly through the Far East and is understood to have arrived in Europe.

Code-named Fizzer, it has been given ‘high alert’ status by e-security firms including F-Secure and Trend Micro.

When activated, the worm sends itself to the email addresses stored in an infected PC’s Windows and Outlook address books. It drops several files into the Windows folder: Initback.dat, Iservc.dll, Iservc.exe and ProgOp.exe.

Users have been warned to be on the lookout for emails that arrive with one of a number of potential subject lines, including: “Today is a good day to die”; “there is only one good, knowledge, and one evil, ignorance”; “watchin’ the game, having a bud”; and “did you ever stop to think that viruses are good for the economy?”

The Fizzer worm is understood to be more dangerous than previous worms because its malicious code contains key logging and Trojan Horse capabilities.

To spread via Kazaa, Fizzer creates multiple copies of itself under random names and places these files in the victim computer’s dedicated Kazaa file-sharing folder. By doing so, Fizzer becomes ‘available’ to all other network participants.
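A defender-side check for the two host artefacts described above, the files dropped into the Windows folder and the identical copies placed under random names in the Kazaa shared folder, given as an added example that is not part of the original article. The function names, the directory arguments and the list of executable extensions are assumptions, and the sample files are constructed placeholders.

```python
import hashlib
from collections import defaultdict
from pathlib import Path

# File names the article says Fizzer drops into the Windows folder.
DROPPED_NAMES = {"initback.dat", "iservc.dll", "iservc.exe", "progop.exe"}
# Assumption: extensions treated as executable for the shared-folder check.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif"}


def find_dropped_files(windows_dir):
    """Return files in windows_dir whose names match the dropped set,
    compared case-insensitively as Windows file names are."""
    return sorted(p for p in Path(windows_dir).iterdir()
                  if p.is_file() and p.name.lower() in DROPPED_NAMES)


def find_cloned_executables(shared_dir, min_copies=2):
    """Group executables under shared_dir by SHA-256 and return the groups
    where identical content appears under min_copies or more names."""
    by_hash = defaultdict(list)
    for p in Path(shared_dir).rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS:
            by_hash[hashlib.sha256(p.read_bytes()).hexdigest()].append(p)
    return {digest: sorted(paths) for digest, paths in by_hash.items()
            if len({q.name.lower() for q in paths}) >= min_copies}


if __name__ == "__main__":
    import tempfile
    # Constructed sample layout with harmless placeholder bytes.
    with tempfile.TemporaryDirectory() as tmp:
        win, share = Path(tmp, "windows"), Path(tmp, "shared")
        win.mkdir()
        share.mkdir()
        (win / "ISERVC.EXE").write_bytes(b"placeholder")
        (win / "notepad.exe").write_bytes(b"benign")
        for name in ("holiday.exe", "setup_x.exe", "q3patch.exe"):
            (share / name).write_bytes(b"same constructed bytes")
        (share / "tool.exe").write_bytes(b"different bytes")
        print([p.name for p in find_dropped_files(win)])
        for digest, paths in find_cloned_executables(share).items():
            print(digest[:12], [p.name for p in paths])
```

Identical executables under several unrelated names are not proof of infection on their own, so treat a hit as a reason to inspect the files rather than as a verdict.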

Fizzer carries a dangerous payload that can cause confidential data to be leaked from infected computers. The worm installs a keyboard-logging program that intercepts and records all keyboard strokes in a separate log file. To transmit this information, Fizzer loads a backdoor utility that allows crackers to control a computer via IRC channels.

Additionally, the worm regularly connects with a web page located on the Geocities server from which it attempts to download updated versions of its executable modules.

By John Kennedy