===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2003.07 -- AUSCERT ALERT
                     "Fizzer" Worm Increased Activity
                               13 May 2003

===========================================================================

AusCERT is currently monitoring a malicious new email worm. Dubbed
"Fizzer", this virus spreads via e-mail and the Kazaa peer-to-peer
filesharing network. Although this program has been in existence since
7 May, the rate of infection has recently increased, with major anti-virus
vendors rating its severity as high.

"Fizzer" has several attack vectors including the installation of
backdoors for IRC and other protocols, a DoS (Denial of Service) attack
tool and a keylogging trojan that captures user passwords and other
information to a local file for later use by an attacker. Similar to other
advanced worms, this program also has an auto-updating capability.
Additionally, it attempts to halt anti-virus processes on an infected
machine.

Infected email messages will have the worm attached with any of .exe,
.pif, .scr and .com extensions. The attachment name, subject and body of
the e-mail message are created at random. E-mail addresses are collected
by the worm from the Microsoft Windows and Outlook address books and from
other files containing addresses that the worm is able to find on an
infected machine.

AusCERT advises users to follow as many of the following steps as
practicable for their situation:

  o  Install security related patches for vulnerable operating systems
     and software.

  o  Install and maintain current anti-virus software.

  o  Block unneeded services, ports, and protocols at the border internet
     gateway.

  o  Install host-based firewall software, preferably with the ability to
     provide MD5 or similar checksums against applications which request
     communication channels.
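
Added example (not part of the original AusCERT alert): because the
attachment name, subject and body are random, the attachment's extension is
the one stable property the alert gives a mail gateway to filter on. The
function names, addresses and sample messages below are constructed for
illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions named in the alert.
RISKY_EXTENSIONS = {".exe", ".pif", ".scr", ".com"}


def risky_attachments(raw_message: bytes) -> list:
    """Return the attachment filenames whose final extension is on the list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition "filename" and falls back
        # to the Content-Type "name" parameter; encoded names are decoded.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "a.exe." still runs.
        cleaned = name.strip().rstrip(". ").lower()
        # Only the last extension decides how Windows opens the file,
        # so "photo.jpg.pif" is judged as ".pif".
        ext = "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
        if ext in RISKY_EXTENSIONS:
            hits.append(name)
    return hits


def sample_message(filename: str) -> bytes:
    """Build a constructed test message carrying one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("constructed body text")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname in ("Holiday.JPG.PIF", "setup.exe.", "report.pdf"):
        flagged = risky_attachments(sample_message(fname))
        print(f"{fname!r}: {'QUARANTINE' if flagged else 'pass'}")
```
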

More information about the "Fizzer" worm is available from these sites:

  http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html
  http://www.f-secure.com/v-descs/fizzer.shtml
  http://vil.mcafee.com/dispVirus.asp?virus_k=100295
  http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32/Fizzer.A
  http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FIZZER.A&VSect=T
  http://www3.ca.com/virusinfo/virus.aspx?ID=35131

---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of each
user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Email:   auscert@auscert.org.au
Web:     www.auscert.org.au
Postal:  Australian Computer Emergency Response Team
         The University of Queensland
         Brisbane
         Qld 4072
         AUSTRALIA

===========================================================================