This policy detects the propagation of the W32.HLLW.Fizzer@mm worm.
W32.HLLW.Fizzer@mm is a mass-mailing worm that sends itself to all contacts in the Windows Address Book. It contains a backdoor that uses mIRC to communicate with a remote attacker. It also contains a keylogger and attempts to spread through the KaZaA file-sharing network. The worm attempts to terminate the process of various antivirus programs if they are found to be active.
NOTE: This policy works only if filewatch has been configured according to the instructions outlined below.
Download ITA W32_HLLW_Fizzer_Worm Policy
Windows 2000
This policy detects the creation of files associated with the W32.HLLW.Fizzer@mm Worm.
Policy rules include:
- W32_HLLW_Fizzer_Worm Activity
This rule detects the creation of files associated with the W32.HLLW.Fizzer@mm Worm.
To configure filewatch:
- Browse to the system folder where the ITA agent is installed.
- Locate the ntcrit_S.lst file.
- Insert the following files to be monitored:
#windir\iservc.dll
#windir\iservc.dat
#windir\iservc.exe
#windir\ProgOp.exe
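
An idempotent way to apply the ntcrit_S.lst step above, as an added example that is not part of the original policy page or of ITA itself. It assumes the list file is plain text with one entry per line, as the entries above suggest; the file path is supplied by the operator and the function names are hypothetical.

```python
import shutil
import sys
from pathlib import Path

# Entries copied verbatim from the policy page.
FIZZER_ENTRIES = [
    r"#windir\iservc.dll",
    r"#windir\iservc.dat",
    r"#windir\iservc.exe",
    r"#windir\ProgOp.exe",
]

def missing_entries(list_text, wanted=FIZZER_ENTRIES):
    """Return wanted entries absent from list_text.
    Comparison ignores case and surrounding whitespace (Windows paths)."""
    present = {line.strip().lower() for line in list_text.splitlines()}
    return [e for e in wanted if e.lower() not in present]

def add_entries(list_text, wanted=FIZZER_ENTRIES):
    """Return list_text with the missing entries appended; existing lines are kept."""
    missing = missing_entries(list_text, wanted)
    if not missing:
        return list_text
    # Keep the file's own line-ending style.
    newline = "\r\n" if "\r\n" in list_text else "\n"
    if list_text and not list_text.endswith(("\n", "\r")):
        list_text += newline
    return list_text + newline.join(missing) + newline

def update_file(path):
    """Update the list file in place, keeping a .bak copy. Returns entries added."""
    p = Path(path)
    # latin-1 round-trips every byte; the file's real encoding is not documented here.
    with open(p, encoding="latin-1", newline="") as f:
        original = f.read()
    updated = add_entries(original)
    if updated != original:
        shutil.copy2(p, str(p) + ".bak")
        with open(p, "w", encoding="latin-1", newline="") as f:
            f.write(updated)
    return missing_entries(original)

if __name__ == "__main__":
    # Usage: python add_fizzer_entries.py <path to ntcrit_S.lst>
    added = update_file(sys.argv[1])
    print("added:" if added else "already present, nothing added", *added, sep="\n  ")
```

Running it a second time leaves the file unchanged, so it can be used to audit several agents for the required entries.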
Last modified on: Tuesday, 13-May-03 23:28:06