SANS ISC: Fizzer Virus / Backdoor SANS ISC InfoSec Forums

Fizzer Virus / Backdoor
A new mass-mailing virus, currently labeled "Win32.Fizzer.A", has been spreading for the last few days. The payload of this virus contains a few interesting features:

- In addition to e-mail, the virus uses the P2P system Kazaa to spread.

- It will try to terminate anti-virus scanners.

- The virus includes a keystroke logger.

- It permits remote control via AOL Instant Messenger or IRC.

The IRC component is particularly interesting. It includes a long list of
IRC servers. The infected system will join a password-protected channel on one
of these servers to wait for commands.

"Fizzer" attempts to hide its bot nature in this IRC channel by using
regular-looking names. Occasionally, the bots will "chat" by sending a random string to the channel.

A summary from an IRC operator's perspective can be found in this mailing list

Counter Measures:

Current Anti Virus filters will detect 'Fizzer'. Stripping executable attachments will work as well.


The virus will create the files "iservc.exe" and "initbak.dat" in the infected machine's Windows directory. See the Anti Virus vendor links below for a more complete list.


BullGuard antivirus advises creating an empty file 'UNINSTALL.PKY' in your Windows folder, waiting one minute, and then deleting the file progOp.exe from the Windows folder.
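
A host-side check for the file names given above, as an added example that is not part of the original diary: it looks in a Windows directory (live, or from a mounted disk image) for iservc.exe, initbak.dat and progOp.exe and records size, modification time and SHA-256 for each hit. The function name and the record layout are assumptions made for this example.

```python
import hashlib
import os
import sys
from pathlib import Path

# File names taken from the diary text above, lowercased for comparison.
FIZZER_FILES = ("iservc.exe", "initbak.dat", "progop.exe")


def find_fizzer_files(windows_dir):
    """Return one record per Fizzer file name found directly in windows_dir."""
    root = Path(windows_dir)
    hits = []
    if not root.is_dir():
        return hits
    for entry in sorted(root.iterdir(), key=lambda p: p.name.lower()):
        # Windows file names are case-insensitive, so compare lowercased.
        # This also keeps the check valid on an image mounted under Linux.
        if entry.name.lower() not in FIZZER_FILES or not entry.is_file():
            continue
        digest = hashlib.sha256()
        with entry.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        info = entry.stat()
        hits.append({
            "path": str(entry),
            "size": info.st_size,
            "mtime": info.st_mtime,
            "sha256": digest.hexdigest(),  # for comparison with vendor write-ups
        })
    return hits


if __name__ == "__main__":
    # Default to the running system's Windows directory; a path to a
    # mounted image can be passed as the first argument instead.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("WINDIR", r"C:\Windows")
    found = find_fizzer_files(target)
    for hit in found:
        print("{path}  size={size}  sha256={sha256}".format(**hit))
    if not found:
        print("No Fizzer file names found in", target)
    sys.exit(1 if found else 0)
```

A hit on a file name alone is a lead for follow-up with a current anti-virus scan, not a verdict.
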
More details:

Please send any observations to


May 15th 2003