Just got this in the mail from my ISP:
"Dear Customer,
The Department for Homeland Security has released the
following statement about a new and potentially dangerous
computer virus. We ask that you please take the time to
make sure that your computer's anti-virus software is up to
date. The following is taken from an email sent to us from
the Department of Homeland Security.
Department of Homeland Security - ADVISORY 03-023
W32/Fizzer@MM Worm
13 May 2003
SYSTEMS AFFECTED
Windows 95
Windows 98
Windows NT
Windows 2000
Windows ME
Windows XP
OVERVIEW
There is a mass-mailing worm that is delivered as an e-mail
attachment. This worm arrives as an e-mail attachment and uses
various common executable file extensions to install itself on
local systems. The worm connects to various locations via Internet Relay Chat (IRC) connections and AOL Instant Messenger
(AIM) connections to await instructions from a remote attacker. This worm is reported to contain a keystroke logger. This worm could be used as part of a botnet-controlled Denial-of-Service
(DoS) against specific targets.
IMPACT
Given the widespread use of Windows OS-based systems within the
government and the private sectors, a widespread propagation of
this worm and its successful utilization in DoS attacks, the
potential impact is high.
DETAILS
The "from" address in the infected e-mails can be forged, so that
the actual sender is obscured and the e-mail appears to be from a
familiar source. The subject line is also designed to entice the
recipient to read the e-mail and execute the attachment, which will
activate the virus on the local system. Examples of some of the
"from" addresses and subject lines can be found at the URLs included
below.
The worm attachment uses various common executable extensions to
install itself on the local system, once the recipient has opened
the attachment. These extensions can include .com, .exe, .pif,
and .scr. Delivery and propagation/replication methods of the
infected attachments can include:
1) mass-mailing ability:
a) MS Outlook Contacts lists;
b) Windows Address Book (WAB);
c) Addresses on local systems;
d) Randomly-generated e-mail addresses;
2) Internet Relay Chat (IRC);
3) AOL Instant Messenger (AIM);
4) KaZaa file-sharing services (ftp).
Components of the worm can include:
1) An SMTP engine;
2) HTTP services (via port 81);
3) Self-updating mechanisms (via the IRC functions noted);
4) Anti-virus software process terminations (to prevent
detection/removal by AV services).
Symptoms include but are not limited to:
1) Unexpected traffic on port 6667 (port use confirmed);
additional IRC ports in 6660-6669 range possible
(currently unconfirmed);
2) Unexpected traffic on port 5190 (AIM);
3) Unauthorized HTTP traffic on port 81.
RECOMMENDATIONS/SOLUTIONS
The DHS is working with other government agencies, network
security experts, and industry representatives to define,
prioritize, and mitigate these vulnerabilities. The DHS
suggests that you implement industry "best practices."
Additionally, manual removal instructions, current virus definitions, and updated information may be found at the
following URLs:
CERT-CC (Carnegie-Mellon University) - http://www.cert.org/current/current_activity.html#peido
McAfee (W32/Fizzer@MM) - http://vil.nai.com/vil/content/v_100295.htm
Symantec (W32.HLLW.Fizzer@mm) - http://www.symantec.com/avcenter/venc/d ... er@mm.html
The DHS encourages individuals to report information
concerning suspicious or criminal activity to a Homeland
Security watch office. Individuals may report incidents
online at http://nipc.gov/incident/cirr.html, and Federal agencies/departments may report incidents online at http://www.fedcirc.gov/reportform.html. Contact numbers for
the IAIP watch centers are: for private citizens and companies,
(202) 323-3205, 1-888-585-9078, or nipc.watch@fbi.gov; for the
telecom industry, (703) 607-4950 or ncs@ncs.gov; and for Federal
agencies/departments, 1 (888) 282-0870 or fedcirc@fedcirc.gov.
If you have any questions feel free to contact your local office.
Thanks,
Insight Communications"
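The SYMPTOMS section of the quoted advisory lists the destination ports a defender can watch for (6667, the unconfirmed 6660-6669 range, 5190 and 81). The script below is an added example, not part of the advisory or the ISP's letter: it scans constructed firewall log lines in an assumed "timestamp ACTION PROTO src:port -> dst:port" format, tags each outbound connection that hits one of those ports, and singles out hosts that show more than one symptom type, which is a stronger signal than a single port match.

```python
import re
from collections import defaultdict

# Ports listed as symptoms in the advisory, with the confidence it gives them.
CONFIRMED_PORTS = {6667: "IRC (confirmed)", 5190: "AIM", 81: "HTTP"}
UNCONFIRMED_IRC = range(6660, 6670)  # 6660-6669, noted as unconfirmed

# Constructed sample log lines (hypothetical format, not data from the advisory).
SAMPLE_LOG = """\
2003-05-13 09:12:01 ACCEPT TCP 10.0.0.17:1045 -> 198.51.100.7:6667
2003-05-13 09:12:05 ACCEPT TCP 10.0.0.17:1046 -> 198.51.100.7:5190
2003-05-13 09:13:40 ACCEPT TCP 10.0.0.23:2211 -> 203.0.113.9:443
2003-05-13 09:14:02 ACCEPT TCP 10.0.0.17:1047 -> 192.0.2.44:81
2003-05-13 09:15:10 ACCEPT TCP 10.0.0.31:3301 -> 198.51.100.8:6661
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\w+) (\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def classify_port(port):
    """Return the symptom label for a destination port, or None if the advisory does not list it."""
    if port in CONFIRMED_PORTS:
        return CONFIRMED_PORTS[port]
    if port in UNCONFIRMED_IRC:
        return "IRC range (unconfirmed)"
    return None

def find_symptoms(log_text):
    """Map each internal source IP to its list of (dst_ip, dst_port, label) symptom hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the scan
        src_ip, dst_ip, dst_port = m.group(4), m.group(6), int(m.group(7))
        label = classify_port(dst_port)
        if label:
            hits[src_ip].append((dst_ip, dst_port, label))
    return dict(hits)

def hosts_matching_multiple(hits, minimum=2):
    """Hosts showing at least `minimum` distinct symptom types; sorted for stable output."""
    return sorted(h for h, v in hits.items() if len({lbl for _, _, lbl in v}) >= minimum)

if __name__ == "__main__":
    found = find_symptoms(SAMPLE_LOG)
    for host, events in found.items():
        for dst, port, label in events:
            print(f"{host} -> {dst}:{port}  {label}")
    print("hosts with multiple symptom types:", hosts_matching_multiple(found))
```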