May 12, 2003

Fizzer worm spreading

Could allow attackers access to infected systems

A new computer worm spreading over the Internet captures a user's keystrokes and creates a back door that could give an attacker access to the infected system or enable the machine to secretly be used in a denial of service attack.

The new worm, named "Fizzer," first appeared on May 8 and propagates using a wide range of methods, according to alerts posted by leading antivirus companies.

First and foremost, Fizzer is a mass-mailing worm, hiding in executable attachments to e-mail messages with seductive subject lines, said Vincent Gullotto, vice president of Avert Labs at Network Associates. The virus is contained in executable e-mail attachments with names such as "Jesus123.exe" that are generated randomly from lists maintained by the worm.

Messages containing the virus arrive in victims' e-mail inboxes with subjects such as "You might not appreciate this...," "Re: how are you?" and "I thought this was interesting...," according to alerts posted by antivirus companies McAfee, which is part of Network Associates, and F-Secure.

Fizzer affects machines running versions of Microsoft's Windows operating system and is capable of spreading through vulnerable shared directories on computer networks and over the Kazaa peer-to-peer network, McAfee said.

"It's a complex little beast," Gullotto said. "The virus has a complex set of routines it's going through and it covers a majority of the ways it could infect [a system]."

McAfee first received copies of the new worm from enterprise and consumer customers on Thursday. While the initial number of reports was low, the pace of infection appears to have increased in the last 24 hours. During that time, McAfee received reports of Fizzer from five or six different countries, Gullotto said.

That activity prompted McAfee to raise its risk profile for Fizzer early Monday from "low" to "medium-on-watch."

Gullotto likened Fizzer to September's W32/BugBear mass-mailing worm, which began spreading slowly only to pick up steam and become a high-priority event.

The new worm does not exploit any specific product vulnerability, Gullotto said. Instead, Fizzer takes advantage of commonly used channels of online communication to spread itself.

"[Fizzer] is taking good technology that's been created for communication purposes and using it to spread on people's machines," he said.

The decision to use multiple means to spread may be a reaction to the increased effectiveness of gateway and desktop antivirus systems at detecting and stopping mass-mailing worms, Gullotto said.

"Virus writers are not succeeding in getting mass mailers to work, so this is a carpet bombing or proof-of-concept approach -- to try many different routes," he said.

Besides using multiple means to propagate, Fizzer exploits common Internet applications such as AOL Instant Messenger and Internet Relay Chat (IRC) clients to connect to Internet servers and listen for further instructions from an attacker, McAfee said.

©1994-2009 Infoworld, Inc.