Slashdot Mirror


Fizzer Worm Uninstalling Itself

boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also posted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."

6 of 434 comments

  1. Hacked into Geocities? by Salamanders · · Score: 5, Interesting

    ...now control the update page...

    At what point does the vigilante hacking become acceptable when fighting against Something Bad?

    If this worm updated itself from a random group of computers that it had infected (say for example, yours), would you mind if they took control of your computer if it meant stopping the worm?

  2. Quota? by 42forty-two42 · · Score: 4, Interesting

    Why isn't the geocities site saying it's 'bandwidth exceeded' or something?

  3. Antivirus companies' advice by 42forty-two42 · · Score: 4, Interesting

    From the F-Secure page:

    The current variant of the worm can uninstall itself if a file with the following name is found in the Windows main directory:

    Uninstall.pky

    When the worm finds a file with this name, it kills all its tasks and removes its registry keys thus disinfecting a system.
    [...]

    To get rid of the worm, it is enough to delete its files from the Windows main directory and from the Kazaa shared folders. Please download and execute the following Registry patch:

    Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...

  4. Re:Huh? by Anonym0us+Cow+Herd · · Score: 5, Interesting

    It would have been smarter for the worm to verify a signature on the code it downloads

    Even better, it should not go to a hardcoded URL. This makes it too easy for the enemy to take over a vulnerable web page and attack the worm operation.

    The worm should download its code via P2P, maybe IRC, or maybe even Freenet. Especially Freenet. This way, the more the worm updates are requested, the more they replicate.

    Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

    Finally, you had better not be shown to have the private key when the bad guys come knocking.

    --
    The price of freedom is eternal litigation.

  5. Re:wtf is going on here? by httptech · · Score: 4, Interesting

    More and more worms and viruses are going to crush the internet under their weight if they are not stopped somehow. It's somewhat akin to the wild west here... there is no "law" that can contain these hostile entities. It's up to the town affected to form a posse and take care of business.

    A look at ethical issues involved in "hacking-back" was written by a cow-orker of mine. It looks at different ethical systems and how they might be applied here.

    It's called "Crossing the Line: Ethics for the Security Professional"

  6. Re:Huh? by Nogami_Saeko · · Score: 4, Interesting

    And it could be argued that people who let viruses like this onto their machines have no training, are incompetent, and need to have experts solve their problems for them.

    Let's try another analogy then:

    Let's say that you are just an average person going in to get a flu-shot at the doctor.

    The flu vaccine wasn't manufactured correctly and has a small amount of contamination that causes people to become slightly feverish. It's not fatal, but it's uncomfortable.

    The health authorities, rather than trying to re-vaccinate everyone affected, put the cure (100% safe and effective) into the public water system to help everyone as quickly as possible, prevent the spread of the problem, etc.

    How do you feel?

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle