Fizzer worm spreading, could allow attackers access

By Paul Roberts

A new computer worm spreading over the Internet captures a user’s keystrokes and creates a back door that could give an attacker access to the infected system or enable the machine to secretly be used in a denial of service attack.

The new worm, named “Fizzer,” first appeared on May 8 and propagates using a wide range of methods, according to alerts posted by leading antivirus companies.

First and foremost, Fizzer is a mass-mailing worm, hiding in executable attachments to e-mail messages with seductive subject lines, said Vincent Gullotto, vice-president of Avert Labs at Network Associates Inc. The virus is contained in executable e-mail attachments with names such as “Jesus123.exe” that are generated randomly from lists maintained by the worm.

Messages containing the virus arrive in victims’ e-mail inboxes with subjects such as “You might not appreciate this…”, “Re: how are you?” and “I thought this was interesting…” according to alerts posted by antivirus companies McAfee, which is part of Network Associates, and F-Secure Corp.

Fizzer affects machines running versions of Microsoft Corp.’s Windows operating system and is capable of spreading through vulnerable shared directories on computer networks and over the Kazaa peer-to-peer network, McAfee said.

“It’s a complex little beast,” Gullotto said. “The virus has a complex set of routines it’s going through and it covers a majority of the ways it could infect (a system).”

McAfee first received copies of the new worm from enterprise and consumer customers on Thursday. While the initial number of reports were low, the pace of infection appears to have increased in the last 24 hours. During that time, McAfee received reports of Fizzer from five or six different countries, Gullotto said.

That activity prompted McAfee to raise its risk profile for Fizzer early Monday from “low” to “medium-on-watch.”

Gullotto likened Fizzer to September’s W32/BugBear mass-mailing worm, which began spreading slowly only to pick up steam and become a high-priority event.

The new worm does not exploit any specific product vulnerability, Gullotto said. Instead, Fizzer takes advantage of commonly used channels of online communication to spread itself.

“(Fizzer) is taking good technology that’s been created for communication purposes and using it to spread on people’s machines,” he said.

The decision to use multiple means to spread may be a reaction to the increased effectiveness of gateway and desktop antivirus systems at detecting and stopping mass-mailing worms, Gullotto said.

“Virus writers are not succeeding in getting mass mailers to work, so this is a carpet bombing or proof-of-concept approach, to try many different routes,” he said.

Besides using multiple means to propagate, Fizzer exploits common Internet applications such as AOL Instant Messenger and Internet Relay Chat (IRC) clients to connect to Internet servers and listen for further instructions from an attacker, McAfee said.

Fizzer’s key logging functionality enables it to capture typed keystrokes on the machines it infects and store them in an encrypted file. An attacker could subsequently retrieve those files and mine them for passwords and other sensitive personal data, McAfee said.

McAfee was unable to pinpoint a source of the virus, but the worm does contain a message, presumably from the virus’ author, that points the finger back at the antivirus companies, F-Secure said.

“I sent this program…from anonymous places on the net…Did you ever stop to think that viruses are good for the economy? Maybe the primary creators of the world’s worst viruses are the companies that make the Anti-Virus software,” the message read, in part.

To protect themselves from Fizzer, users should update their antivirus software’s virus definitions as soon as possible, Gullotto said.

Because e-mail is not the only means by which the virus spreads, users with the Kazaa client installed should understand that they are at increased risk and deploy a firewall if one is not already installed, he said.

Users who have already been infected can remove the worm by deleting the worm file, “Iservc.exe,” [cq] from the Windows directory, F-Secure said.