Educause Security Discussion mailing list archives

FW: DHS Advisory 03-023 W32/Fizzer @MM Worm


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Tue, 13 May 2003 11:29:05 -0500

In case you haven't seen this from other sources...
M.

-- 
Mark S. Bruhn, CISSP

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326


***

Department of Homeland Security

W32/Fizzer@MM Worm

ADVISORY  03-023 

                      13 May 2003

SYSTEMS AFFECTED

                Windows 95                      Windows 98
                Windows NT                      Windows 2000
                Windows ME                      Windows XP

OVERVIEW

A mass-mailing worm is being delivered as an e-mail attachment.  The
attachment uses various common executable file extensions to install
the worm on the local system.  Once installed, the worm connects to
various locations via Internet Relay Chat (IRC) and AOL Instant
Messenger (AIM) connections to await instructions from a remote
attacker.  The worm is reported to contain a keystroke logger, and it
could be used as part of a botnet-controlled Denial-of-Service (DoS)
attack against specific targets.

IMPACT

Given the widespread use of Windows OS-based systems within government
and the private sector, widespread propagation of this worm and its
successful use in DoS attacks would have a high potential impact.

DETAILS

The "from" address in the infected e-mails can be forged, so that the
actual sender is obscured and the e-mail appears to be from a familiar
source.  The subject line is also designed to entice the recipient to
read the e-mail and execute the attachment, which will activate the
virus on the local system.  Examples of some of the "from" addresses and
subject lines can be found at the URLs included below.

The worm attachment uses various common executable extensions to install
itself on the local system, once the recipient has opened the
attachment.  These extensions can include .com, .exe, .pif, and .scr.
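The following is an added example, not part of the advisory or of the original message, showing a mail-gateway check for the attachment extensions listed above.  It uses only the Python standard library; the message builder, sender and recipient addresses, and attachment filenames are constructed sample data, and the extension set comes from the advisory's list.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the advisory names as carriers for the worm attachment.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".pif", ".scr"}


def attachment_names(raw_message: bytes) -> list:
    """Return the filenames of all attachments in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def is_executable_name(filename: str) -> bool:
    """True if the filename ends in one of the flagged extensions.

    The comparison is case-insensitive and ignores trailing whitespace and
    dots, so 'INVOICE.SCR' and the double extension 'photo.jpg.pif' are
    both caught.
    """
    cleaned = filename.strip().rstrip(".").lower()
    return any(cleaned.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def flag_message(raw_message: bytes) -> list:
    """Return the attachment names a gateway should quarantine for review."""
    return [n for n in attachment_names(raw_message) if is_executable_name(n)]


def build_sample(filename: str) -> bytes:
    """Build a constructed sample message with one attachment.

    The addresses and payload bytes are made up for this example; the
    attachment body is inert filler, not worm content.
    """
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # constructed; the advisory notes senders are forged
    msg["To"] = "user@example.edu"        # constructed
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body text")
    msg.add_attachment(b"inert-filler-bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    for name in ("report.doc", "update.EXE", "photo.jpg.pif", "screensaver.scr"):
        print(name, "->", flag_message(build_sample(name)))
```

A check like this belongs at the mail gateway rather than on the desktop, since the advisory notes that the worm terminates anti-virus processes on an infected host; filtering by filename is a coarse first layer and should sit in front of signature-based scanning, not replace it.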

Delivery and propagation/replication methods of the infected attachments
can include:

1)  Mass-mailing ability, using:
    a)  MS Outlook Contacts lists;
    b)  Windows Address Book (WAB);
    c)  Addresses on local systems;
    d)  Randomly-generated e-mail addresses;
2)  Internet Relay Chat (IRC);
3)  AOL Instant Messenger (AIM);
4)  KaZaa file-sharing services (ftp).

Components of the worm can include:

1)  An SMTP engine;
2)  HTTP services (via port 81);
3)  Self-updating mechanisms (via the IRC functions noted);
4)  Anti-virus software process terminations (to prevent
    detection/removal by AV services).

Symptoms include but are not limited to:

1)  Unexpected traffic on port 6667 (port use confirmed); additional
    IRC ports in the 6660-6669 range possible (currently unconfirmed);
2)  Unexpected traffic on port 5190 (AIM);
3)  Unauthorized HTTP traffic on port 81.
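The following is an added example, not part of the advisory or of the original message, showing how the symptom ports listed above can be checked against connection logs.  The log line format, the internal address prefix, and the sample log lines are all constructed for this example; the port numbers and the confirmed/unconfirmed distinction come from the advisory.

```python
import re

# Ports the advisory lists as symptoms, with the confidence it assigns them.
CONFIRMED_PORTS = {
    6667: "IRC (port use confirmed)",
    5190: "AIM",
    81: "HTTP on non-standard port 81",
}
POSSIBLE_IRC_PORTS = range(6660, 6670)   # 6660-6669, currently unconfirmed

# Assumed address space of the monitored network (constructed for this example).
INTERNAL_PREFIX = "10."

# Assumed connection-log format (constructed): "<ts> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+)$"
)


def classify_port(port: int):
    """Return (severity, label) for a destination port, or None if not a symptom."""
    if port in CONFIRMED_PORTS:
        return ("high", CONFIRMED_PORTS[port])
    if port in POSSIBLE_IRC_PORTS:
        return ("medium", "possible IRC port (unconfirmed)")
    return None


def scan_log(lines):
    """Parse connection log lines and return one alert per TCP flow to a symptom port.

    The alert is attributed to the internal endpoint: the source for outbound
    IRC/AIM connections, the destination when an outside host reaches the
    HTTP service the worm runs on port 81.  Malformed lines are skipped.
    """
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["proto"].lower() != "tcp":
            continue
        port = int(m["port"])
        hit = classify_port(port)
        if hit is None:
            continue
        severity, label = hit
        host = m["src"] if m["src"].startswith(INTERNAL_PREFIX) else m["dst"]
        alerts.append({"ts": m["ts"], "host": host, "port": port,
                       "severity": severity, "label": label})
    return alerts


def hosts_by_symptom_count(alerts):
    """Count distinct symptom ports per internal host.

    A host that shows several of the advisory's symptoms (e.g. 6667, 5190 and
    81 together) is a much stronger candidate than one stray connection.
    """
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["port"])
    return {host: len(ports) for host, ports in seen.items()}


# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    "2003-05-13T10:01:02 10.1.1.5 -> 192.0.2.10:6667 tcp",
    "2003-05-13T10:01:05 10.1.1.5 -> 192.0.2.11:5190 tcp",
    "2003-05-13T10:01:09 10.1.1.7 -> 192.0.2.20:443 tcp",
    "2003-05-13T10:01:12 10.1.1.8 -> 192.0.2.30:6661 tcp",
    "2003-05-13T10:01:15 10.1.1.9 -> 192.0.2.40:81 udp",
    "this line is malformed and is skipped",
    "2003-05-13T10:01:20 192.0.2.50 -> 10.1.1.5:81 tcp",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a)
    print(hosts_by_symptom_count(found))
```

Port 6667 traffic alone is not proof of infection, since legitimate IRC clients use it too; the value of the second function is in correlating several symptoms on one host before escalating.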


RECOMMENDATIONS/SOLUTIONS

The DHS is working with other government agencies, network security
experts, and industry representatives to define, prioritize, and
mitigate these vulnerabilities.  The DHS suggests that you implement
industry "best practices."  Additionally, manual removal instructions,
current virus definitions, and updated information may be found at the
following URLs:

CERT-CC (Carnegie-Mellon University) -
http://www.cert.org/current/current_activity.html#peido

McAfee (W32/Fizzer@MM)   - 
http://vil.nai.com/vil/content/v_100295.htm 

Symantec (W32.HLLW.Fizzer@mm) -
http://www.symantec.com/avcenter/venc/data/w32.hllw.fizzer () mm html

Trend Micro (Worm FIZZER.A) -
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FIZZER.A

The DHS encourages individuals to report information concerning
suspicious or criminal activity to a Homeland Security watch office.
Individuals may report incidents online at
http://nipc.gov/incident/cirr.html , and Federal agencies/departments
may report incidents online at http://www.fedcirc.gov/reportform.html.
Contact numbers for the IAIP watch centers are:  for private citizens and
companies, (202) 323-3205, 1-888-585-9078, or nipc.watch () fbi gov; for
the telecom industry, (703) 607-4950 or ncs () ncs gov; and for Federal
agencies/departments, 1 (888) 282-0870 or fedcirc () fedcirc gov.

The DHS intends to update this advisory should it receive additional
relevant information, including information provided to it by the user
community.  No change to the Homeland Security Advisory Level of YELLOW
is anticipated at this time.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.