Fizzer Worm Uninstalling Itself

boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also postted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."

Full Text of Article

[insomnike]

Just a quick note to say that we (we as in Fizzer Task Force/IRC Unity)
now control the update page, and have posted a mirror of the
http://www.debugoutput.com/fizzer.php site on the geocities website that
fizzer uses to update itself.

We have also postted a fizzer cleaner to the actual URL that the bot
downloads its updates from, as a self extracting and running executable.
We're crossing our fingers that the bots are looking for an executable
to update themselves..

We'll keep you updated..

Regards,

--
John McGarrigle
IC5 Networks

Re:Huh?

[Albanach]

Not really, the worm initiated the connection from the user's machine, downloaded the software and executed it - it was pulled by the client not pushed by the server. So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable.

Fact Checking

[Brightest+Light]

Nicely done, Slashdot!

Had anybody bothered following the link to the geocities page before posting the story, they would have seen that the file was "removed for the time being, until further testing on Fizzer's update routine can be done." There has been a great deal of argument in #fizzer as to the legality of such things, and I do not believe that the Fizzer Task Force as a whole decided to do anything of that sort.