Educause Security Discussion mailing list archives
FW: DHS Advisory 03-023 W32/Fizzer @MM Worm
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Tue, 13 May 2003 11:29:05 -0500
In case you haven't seen this from other sources... M.

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

***

Department of Homeland Security
W32/Fizzer@MM Worm
ADVISORY 03-023
13 May 2003

SYSTEMS AFFECTED

Windows 95
Windows 98
Windows NT
Windows 2000
Windows ME
Windows XP

OVERVIEW

There is a mass-mailing worm that is delivered as an e-mail attachment. This worm arrives as an e-mail attachment and uses various common executable file extensions to install itself on local systems. The worm connects to various locations via Internet Relay Chat (IRC) connections and AOL Instant Messenger (AIM) connections to await instructions from a remote attacker. This worm is reported to contain a keystroke logger. This worm could be used as part of a botnet-controlled Denial-of-Service (DoS) against specific targets.

IMPACT

Given the widespread use of Windows OS-based systems within the government and the private sectors, a widespread propagation of this worm and its successful utilization in DoS attacks, the potential impact is high.

DETAILS

The "from" address in the infected e-mails can be forged, so that the actual sender is obscured and the e-mail appears to be from a familiar source. The subject line is also designed to entice the recipient to read the e-mail and execute the attachment, which will activate the virus on the local system. Examples of some of the "from" addresses and subject lines can be found at the URLs included below.

The worm attachment uses various common executable extensions to install itself on the local system, once the recipient has opened the attachment. These extensions can include .com, .exe, .pif, and .scr.

Delivery and propagation/replication methods of the infected attachments can include:

1) mass-mailing ability:
   a) MS Outlook Contacts lists;
   b) Windows Address Book (WAB);
   c) Addresses on local systems;
   d) Randomly-generated e-mail addresses;
2) Internet Relay Chat (IRC);
3) AOL Instant Messenger (AIM);
4) KaZaa file-sharing services (ftp).

Components of the worm can include:

1) An SMTP engine;
2) HTTP services (via port 81);
3) Self-updating mechanisms (via the IRC functions noted);
4) Anti-virus software process terminations (to prevent detection/removal by AV services).

Symptoms include but are not limited to:

1) Unexpected traffic on port 6667 (port use confirmed); additional IRC ports in 6660-6669 range possible (currently unconfirmed);
2) Unexpected traffic on port 5190 (AIM);
3) Unauthorized HTTP traffic on port 81.

RECOMMENDATIONS/SOLUTIONS

The DHS is working with other government agencies, network security experts, and industry representatives to define, prioritize, and mitigate these vulnerabilities. The DHS suggests that you implement industry "best practices." Additionally, manual removal instructions, current virus definitions, and updated information may be found at the following URLs:

CERT-CC (Carnegie-Mellon University) - http://www.cert.org/current/current_activity.html#peido
McAfee (W32/Fizzer@MM) - http://vil.nai.com/vil/content/v_100295.htm
Symantec (W32.HLLW.Fizzer@mm) - http://www.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html
Trend Micro (Worm FIZZER.A) - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FIZZER.A

The DHS encourages individuals to report information concerning suspicious or criminal activity to a Homeland Security watch office. Individuals may report incidents online at http://nipc.gov/incident/cirr.html, and Federal agencies/departments may report incidents online at http://www.fedcirc.gov/reportform.html.

Contact numbers for the IAIP watch centers are: for private citizens and companies, (202) 323-3205, 1-888-585-9078, or nipc.watch () fbi gov; for the telecom industry, (703) 607-4950 or ncs () ncs gov; and for Federal agencies/departments, 1 (888) 282-0870 or fedcirc () fedcirc gov.

The DHS intends to update this advisory should it receive additional relevant information, including information provided to it by the user community.

No change to the Homeland Security Advisory Level of YELLOW is anticipated at this time.

**********

Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
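The advisory's "Symptoms" section (outbound IRC on 6667, possibly 6660-6669; AIM on 5190; an HTTP service on port 81; an SMTP engine for mass-mailing) is what a campus network team would actually hunt for in flow data. The script below is an added example written for this archive page, not part of the DHS advisory or any vendor tooling. It assumes a minimal one-line-per-flow log format ("ts src_ip:src_port > dst_ip:dst_port proto"), an internal address range of 10.0.0.0/8, a threshold of five distinct remote SMTP peers for calling a host a mass-mailer, and a few constructed flow records; all of these are assumptions, not data from the advisory. Because AIM on 5190 and a single IRC session are ordinary user activity, it only reports a host as suspicious when several of the listed symptoms occur together on the same machine.

```python
"""Flag internal hosts that show the network symptoms listed in DHS Advisory 03-023.

Added example, not part of the advisory. The flow format, the internal
network range and the SMTP threshold are assumptions for illustration.
Assumed format per line: "ts src_ip:src_port > dst_ip:dst_port proto".
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the monitored network. Flows from an internal host to an
# address outside this range are treated as outbound.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Assumption: distinct remote SMTP peers before a host counts as a
# mass-mailer. Tune to the local baseline (a real mail relay would exceed it).
SMTP_PEER_THRESHOLD = 5

# Constructed sample flows, not real data. 10.0.0.5 shows several symptoms
# at once; 10.0.0.9 only uses AIM and sends one internal mail, which is normal.
SAMPLE_FLOWS = """\
2003-05-13T10:01:02 10.0.0.5:1034 > 198.51.100.7:6667 tcp
2003-05-13T10:01:05 10.0.0.5:1035 > 198.51.100.8:6669 tcp
2003-05-13T10:02:10 10.0.0.5:1040 > 203.0.113.20:5190 tcp
2003-05-13T10:03:00 192.0.2.33:4411 > 10.0.0.5:81 tcp
2003-05-13T10:04:00 10.0.0.5:1101 > 203.0.113.1:25 tcp
2003-05-13T10:04:01 10.0.0.5:1102 > 203.0.113.2:25 tcp
2003-05-13T10:04:02 10.0.0.5:1103 > 203.0.113.3:25 tcp
2003-05-13T10:04:03 10.0.0.5:1104 > 203.0.113.4:25 tcp
2003-05-13T10:04:04 10.0.0.5:1105 > 203.0.113.5:25 tcp
2003-05-13T10:05:00 10.0.0.9:2001 > 203.0.113.20:5190 tcp
2003-05-13T10:06:00 10.0.0.9:2002 > 10.0.0.12:25 tcp
"""


def parse_flow(line):
    """Parse one flow line into (src_ip, src_port, dst_ip, dst_port), or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != ">":
        return None
    try:
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return ip_address(src_ip), int(src_port), ip_address(dst_ip), int(dst_port)
    except ValueError:
        return None


def analyze_flows(text):
    """Return {internal_host: sorted list of indicator names} for the advisory's symptoms."""
    indicators = defaultdict(set)
    smtp_peers = defaultdict(set)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed lines rather than abort the whole run
        src, _sport, dst, dport = flow
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            host = str(src)
            if dport == 6667:
                indicators[host].add("irc-6667-confirmed")
            elif 6660 <= dport <= 6669:
                indicators[host].add("irc-666x-unconfirmed")
            elif dport == 5190:
                indicators[host].add("aim-5190")
            elif dport == 25:
                smtp_peers[host].add(str(dst))  # count distinct remote MX peers
        elif dst in INTERNAL_NET and src not in INTERNAL_NET and dport == 81:
            # An internal host accepting connections on 81 from outside:
            # the advisory's "HTTP services (via port 81)" component.
            indicators[str(dst)].add("http-81-listener")
    for host, peers in smtp_peers.items():
        if len(peers) >= SMTP_PEER_THRESHOLD:
            indicators[host].add(f"smtp-{len(peers)}-distinct-peers")
    return {host: sorted(hits) for host, hits in indicators.items()}


def suspicious_hosts(text, min_indicators=2):
    """Hosts with at least min_indicators distinct symptoms.

    A lone AIM or IRC flow is ordinary user activity and not worth paging on;
    the combination (IRC plus AIM plus serving on 81 plus bulk SMTP) is not.
    """
    return sorted(h for h, hits in analyze_flows(text).items() if len(hits) >= min_indicators)


if __name__ == "__main__":
    for host, hits in analyze_flows(SAMPLE_FLOWS).items():
        print(host, ", ".join(hits))
    print("suspicious:", suspicious_hosts(SAMPLE_FLOWS))
```

Run against the constructed sample, 10.0.0.5 is reported with all five indicators while 10.0.0.9 shows only the AIM flow and is not listed as suspicious. In practice the port-based rules are only a starting point: the advisory itself marks the 6660-6669 range as unconfirmed, and any host that legitimately runs an IRC client or a web server on 81 will need to be baselined out.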