SEVERITY: MODERATE
DATE: May 12, 2003
PRODUCTS AFFECTED: Microsoft Outlook, Microsoft Outlook Express, and Web-based e-mail
**********************************************************************
WHAT IS IT?
W32.Fizzer.A@mm is a mass-mailing worm. The Microsoft Product Support Services Security Team is issuing this alert to advise customers to watch for this worm as it spreads in the wild. Customers are advised to review the information and take the appropriate action for their environments.
IMPACT OF ATTACK:
Mass-mailing, Termination of Antivirus Programs, Key Logger and Backdoor Placement
TECHNICAL DETAILS:
W32.Fizzer.A@mm is a new mass-mailer worm that also propagates through peer-to-peer file-sharing applications. The worm's actions include, but are not limited to, the following:
• Copies itself in %windir%
• Creates files in %windir%: backdoors and keylogger
• Makes additions and modifies the registry
• Ends AV services and applications
• Goes into wait state for connections from remote systems
• Captures keystrokes
• Performs mass mailings
While the subject line and body of the message vary substantially, the payload for the worm is delivered as an attachment with one of the following four file extensions: .exe, .com, .pif, .scr. Customers are advised to take precautions when opening e-mail messages that have attachments of those types.
For additional details on this worm, please contact your preferred anti-virus vendor.
PREVENTION:
1) Block harmful attachment types at your Internet mail gateways.
2) Ensure the following prevention steps are taken:
Outlook 2000 post SP2 and Outlook XP SP1 include the most recent updates to improve the security in Outlook and other Microsoft Office programs. This includes the functionality to block potentially harmful attachment types. If you are running either of these versions, they will (by default) block the attachment, and you will be unable to open it.
To ensure you are using the latest version of Office, see:
http://office.microsoft.com/officeupdate/default.aspx
By default, Outlook 2000 pre-SR1 and Outlook 98 did not include this functionality, but it can be obtained by installing the Outlook E-mail Security Update. More information about the Outlook E-mail Security Update can be found here:
To find out what attachment types are blocked by Outlook, see this Microsoft Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;290497&sd=tech
Outlook Express 6 can be configured to block access to potentially damaging attachments. Information about how to configure this can be found here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;291387&sd=tech
Outlook Express, all other versions: Previous versions of Outlook Express do not contain attachment-blocking functionality. Please use extreme caution when you open unsolicited e-mail messages with attachments.
Web-based e-mail programs: Use of an application-level firewall can protect you from being infected with this virus through Web-based e-mail programs.
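As an illustration of prevention step 1, the following added example (not part of the original alert and not Microsoft code) shows how a mail gateway filter could flag attachments carrying the four extensions named above. The function names and the sample message are assumptions constructed for this example.

```python
from email import message_from_bytes, policy

# The four attachment extensions named in this alert.
BLOCKED_EXTENSIONS = {".exe", ".com", ".pif", ".scr"}


def effective_extension(filename):
    """Return the lower-cased extension Windows would act on."""
    # Windows ignores trailing dots and spaces, so "a.scr." still runs as .scr.
    name = filename.rstrip(". \t")
    # Only the last extension counts: "photo.jpg.pif" is a .pif file.
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def blocked_attachments(raw_message):
    """List attachment filenames in a raw message that the gateway should block."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # visits every part, including nested multipart
        # get_filename() reads Content-Disposition filename= and falls back
        # to Content-Type name=, which some senders use instead.
        filename = part.get_filename()
        if filename and effective_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def _part(headers):
    # Helper for building the constructed sample below.
    return b"--b1\r\n" + headers + b"\r\n\r\nx\r\n"


# Constructed sample message for this example (not a real Fizzer e-mail).
SAMPLE = (
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    + _part(b"Content-Type: text/plain")
    + _part(b'Content-Disposition: attachment; filename="photo.jpg.pif"')
    + _part(b'Content-Type: application/octet-stream; name="SETUP.EXE"')
    + _part(b'Content-Disposition: attachment; filename="report.txt"')
    + _part(b'Content-Disposition: attachment; filename="saver.scr."')
    + b"--b1--\r\n"
)

if __name__ == "__main__":
    for name in blocked_attachments(SAMPLE):
        print("BLOCK:", name)
```

The check is by filename only, so it complements rather than replaces anti-virus scanning of the attachment contents.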
RECOVERY:
If your computer is infected with this virus, update your virus signature files to detect and remove the virus. Please contact Microsoft Product Support Services or your preferred antivirus vendor for assistance with removing it.
RELATED KBs: (Available in 24 hours)
http://support.microsoft.com/default.aspx?scid=kb;en-us;821159&sd=tech
As always, please make sure to use the latest anti-virus detection from your anti-virus vendor to detect new viruses and their variants.
If you have any questions regarding this alert, please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US. Outside of the US, please contact your local Microsoft Subsidiary.
PSS Security Response Team