Fizzer

Fizzer crashed the scene in May 2003, and it was a profit-driven beast unlike anything before. It spread through email attachments or Kazaa file shares (port 1214), disguised as ‘Cool Tunes’ on Kazaa or as an email with quirky subjects like ‘Damn it feels good to be gangsta’ and random attachments (.exe, .pif, .com, .scr). Once you clicked, it dropped files like ‘iservc.exe’, ‘iservc.dll’, ‘initbak.dat’, and ‘progop.exe’ into your Windows folder. ‘Progop.exe’ was a dropper, reassembling the worm into a single executable for spreading, while ‘iservc.exe’ hooked into the registry at [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SystemInit" = "%windir%\iservc.exe", ensuring it ran every boot. It even tweaked the text file handler at [HKEY_CLASSES_ROOT\txtfile\shell\open\command] to rope in ‘notepad.exe’ with its own ‘initbak.dat’ twist. From there, it turned your PC into a spam factory via its embedded SMTP engine, scraping addresses from Outlook, Windows Address Books, cookies, and even Internet cache folders, faking sender emails like ‘[email protected]’ or ‘[email protected]’.
But Fizzer was a hybrid monster. It logged keystrokes with ‘iservc.dll’, saving them to ‘iservc.klg’ for hackers to snatch passwords or sensitive data. It opened backdoors galore: ports 2018 (commands), 2019 (file transfers), 2020 (remote console), and 2021 (video capture) for direct control, plus an HTTP server on port 81. It connected to IRC servers (e.g., irc.dal.net, irc.abovenet.org) on port 6667 and AOL Instant Messenger on port 5190, listening for updates or orders. Spreading via Kazaa’s peer-to-peer protocol, it copied itself into shared folders with random names, waiting for the next download. It could kill antivirus processes like ‘NAV’, ‘AVP’, or ‘F-PROT’ by targeting their task names, and even had an auto-update feature, pulling ‘upd.bin’ from a now-defunct site. Crazy enough, it left an uninstall option—drop ‘uninstall.pky’ in the Windows folder, and it’d wipe itself out.
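The registry keys, dropped files and ports listed above are exactly the kind of indicators an incident responder would sweep a host for. The script below is an added example, not code from the original post: it reads a regedit-style export, a `netstat -an` dump and a Windows folder file listing, and flags the Fizzer indicators the post names. The export and netstat formats it parses, and every sample value (the `initbak.dat` form of the txtfile command, the IP addresses, the file listing) are constructed assumptions for the demo, not captured from an infection.

```python
"""Offline triage helper for the Fizzer indicators described above.

Added example, not code from the original post.  It parses a regedit .reg
export, `netstat -an` output and a list of file names, all constructed below,
and reports matches against the persistence keys, dropped files and ports the
post attributes to the worm.  Value formats are assumptions; check them
against real exports before relying on the parser.
"""

# Files the worm drops into the Windows folder, plus its keystroke log.
FIZZER_FILES = {"iservc.exe", "iservc.dll", "initbak.dat", "progop.exe", "iservc.klg"}

# Backdoor ports (2018-2021) and the HTTP server on 81, per the post.
FIZZER_PORTS = {81, 2018, 2019, 2020, 2021}

# Outbound ports it used for IRC and AOL IM command traffic; legitimate on
# many hosts, so these are "review" findings rather than proof of infection.
C2_PORTS = {6667, 5190}

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}.

    Handles REG_SZ values only ("name"="data" and @="data"), which is enough
    for the two keys Fizzer touches.  Assumes one value per line.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # regedit doubles backslashes inside quoted strings; undo that.
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def check_registry(text):
    """Return findings for the Run key and the .txt file handler."""
    findings = []
    keys = parse_reg_export(text)
    init = keys.get(RUN_KEY, {}).get("SystemInit", "")
    if "iservc.exe" in init.lower():
        findings.append(f"Run\\SystemInit -> {init}")
    cmd = keys.get(TXTFILE_KEY, {}).get("(Default)", "")
    # A .txt handler should only launch notepad; any dropped-file name is suspect.
    if any(name in cmd.lower() for name in FIZZER_FILES):
        findings.append(f"txtfile handler -> {cmd}")
    return findings


def check_netstat(text):
    """Scan `netstat -an` output for Fizzer backdoor ports in LISTENING state
    and for established connections to the IRC/AIM ports it used."""
    listening, outbound = set(), []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue  # header lines, UDP, blank lines
        local_port = int(parts[1].rsplit(":", 1)[1])
        remote_port = int(parts[2].rsplit(":", 1)[1])
        if parts[3] == "LISTENING" and local_port in FIZZER_PORTS:
            listening.add(local_port)
        elif parts[3] == "ESTABLISHED" and remote_port in C2_PORTS:
            outbound.append(parts[2])
    return {"listening": sorted(listening), "outbound": outbound}


def check_files(names):
    """Return the Windows-folder file names that match the dropped-file set."""
    return sorted(n for n in names if n.lower() in FIZZER_FILES)


def triage(reg_text, netstat_text, windir_files):
    return {
        "registry": check_registry(reg_text),
        "network": check_netstat(netstat_text),
        "files": check_files(windir_files),
    }


# ---- constructed sample input (not captured from a real infection) ----
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemInit"="C:\\WINDOWS\\iservc.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\notepad.exe C:\\WINDOWS\\initbak.dat %1"
"""

SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2018           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2020           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1052       203.0.113.7:5190       ESTABLISHED
"""

SAMPLE_FILES = ["explorer.exe", "iservc.exe", "ISERVC.KLG", "win.ini"]

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES).items():
        print(f"{section}: {hits}")
```

On a live host you would feed it `reg export` output for the two keys, the text of `netstat -an`, and `os.listdir(os.environ["WINDIR"])`; the registry and file hits are the strong signals, while the outbound IRC/AIM connections only merit a closer look.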
Before Fizzer, malware was often a techie’s sandbox—think Creeper’s playful ‘catch me if you can.’ Fizzer shifted the game to profit, a worm that didn’t just annoy but cashed in.
What gets me hooked is the mind behind it. Picture someone—let’s call them Bill—uploading ‘Cool Tunes’ to Kazaa, knowing it’d spread like wildfire through shared folders and inboxes. Were they grinning at the chaos or counting profits from stolen keystrokes? I love chasing that ‘secret sauce’—how they fused SMTP mail tricks, Kazaa’s supernode searches, and a payload cocktail into one beast.
Reverse engineering it’s like decoding a hacker’s blueprint: every registry tweak, every port, a clue to their intent shifting from ‘can I?’ to ‘how much can I make?’