Win32:Fizzer
Win32:Fizzer is an Internet worm that spreads through e-mail and the Kazaa P2P network. It is quite complex and about 200 KB long. The worm sends itself to contacts in the Microsoft Outlook and Windows address books and to addresses found in Internet files on the disk. It also sends itself to random e-mail addresses at the following domains: msn.com, hotmail.com, yahoo.com, aol.com, earthlink.net, gte.net, juno.com, netzero.com.
The e-mail subject line, message text and attachment name are randomly constructed and therefore vary widely. The attachment name has the extension EXE, COM, PIF or SCR; it may also carry a double extension combining INI with one of these, such as INI.EXE.
Win32:Fizzer contains two backdoors (IRC and AOL), a Denial of Service tool, a keylogger and even a small web server. It also has an automatic update capability that fetches updates from a web server, which has since been shut down.
When executed, Win32:Fizzer drops the following files into the Windows folder:
initbak.dat
iservc.dll
iservc.exe
ProgOp.exe
The worm also creates the following registry entry to execute itself on every reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemInit = %WINDOWS%\iservc.exe
The following entry replaces the default handler for text files with the worm's loader, ProgOp.exe, which is passed the original NOTEPAD.EXE command line together with the worm's files, so the worm is launched whenever a text file is opened:
HKCR\txtfile\shell\open\command= %WINDOWS%\ProgOp.exe 0 7 '%WINDOWS%\NOTEPAD.EXE %1' '%WINDOWS%\initbak.dat' '%WINDOWS%\ISERVC.EXE'File'
It also attempts to terminate several processes belonging to antivirus programs.
The worm has additional backdoor capabilities. It listens on specified ports for commands from a remote host (the attacker's computer). It can also start an HTTP server on port 81 to provide additional access to the infected computer, and it performs a DoS (Denial of Service) attack when it receives the corresponding command from the remote attacker.
Win32:Fizzer uninstalls itself if a file named Uninstall.pky is found in the Windows folder.
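The dropped files, the two registry entries and the port 81 listener described above are all host indicators an administrator can check without running the worm. The following PowerShell script is an added example written for this page; it is not avast! code and not part of the original description. It only reports, it does not clean, and it assumes %WINDOWS% is $env:windir and that the host is a modern Windows version where Get-NetTCPConnection exists (on older systems use netstat -ano instead). The text-file handler is read from the registry rather than by opening a .txt file, because opening one would execute the loader.

```powershell
# Added example (not from the avast! page): read-only check for Win32:Fizzer indicators.
# Assumption: %WINDOWS% resolves to $env:windir (normally C:\Windows).
$win = $env:windir
$findings = @()

# 1. Files the worm drops into the Windows folder
foreach ($name in 'initbak.dat', 'iservc.dll', 'iservc.exe', 'ProgOp.exe') {
    $path = Join-Path $win $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "file present: $path (SHA256 $hash)"
    }
}

# 2. Run-key persistence: SystemInit = %WINDOWS%\iservc.exe
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$sysInit = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).SystemInit
if ($sysInit -and $sysInit -match 'iservc\.exe') {
    $findings += "Run key: SystemInit = $sysInit"
}

# 3. Text-file handler hijack: txtfile\shell\open\command points at ProgOp.exe
#    (read from the registry; do NOT test by opening a .txt file)
$cmdKey = 'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command'
$cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
if ($cmd -and $cmd -match 'ProgOp\.exe') {
    $findings += "txtfile handler: $cmd"
}

# 4. Backdoor HTTP server listening on TCP 81, with the owning process
$listeners = Get-NetTCPConnection -State Listen -LocalPort 81 -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 81 listening: PID $($l.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32:Fizzer indicators found.'
} else {
    Write-Output 'Win32:Fizzer indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM key and the process table are readable. A hit on the txtfile handler alone is worth investigating even if iservc.exe has been deleted, because the hijacked handler will keep failing (or keep relaunching the loader) until the default value is restored to NOTEPAD.EXE %1.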
Any avast! with a VPS file dated 12th May 2003 or later is able to detect this worm.