Fizzer Worm Is on the Move

UPDATE: Fizzer continues to spread rapidly as anti-virus experts race to analyze the code of what they say is one of the more complex worms in recent memory.

The Fizzer worm continued to spread rapidly late Monday afternoon as anti-virus experts raced to analyze the code of what they called one of the more complex worms in recent memory. First seen late last week, Fizzer began spreading in Asia but then hit Europe and North America hard Monday as office workers started to open e-mails received over the weekend.

As of 4:30 EDT Monday, MessageLabs Inc., a managed service provider in New York that tracks virus activity, had seen more than 25,000 copies of the worm, making it the fifth-most prevalent virus on the Internet this month.

"This is one of the more complicated worms we've seen," comments Mikko Hypponen, manager of anti-virus research at F-Secure Corp., based in Helsinki, Finland. "The worm is 200kB of code spaghetti, containing backdoors, code droppers, attack agents, key loggers and even a small Web server."

The new worm has several other capabilities that make it particularly troubling and dangerous. Fizzer includes an IRC bot that attempts to connect to a number of different IRC servers and, once it establishes a connection, listens passively for further instructions. This kind of activity is often the precursor to a distributed DoS (denial-of-service) attack. The worm also has the ability to create a new user account on AIM (AOL Instant Messenger), join a chat session and then listen for instructions.

But perhaps the most interesting aspect of Fizzer is the HTTP server it contains. The server runs on a configured TCP port and in effect acts as a command console, according to an analysis of the worm by the AVERT team at McAfee Security, part of Network Associates Inc., in Santa Clara, Calif. The console gives the attacker a wealth of information about the infected system, such as its operating system, connection information, and IRC and AIM data.

The HTTP server also gives the attacker the ability to remotely launch DoS attacks, further propagate the worm via e-mail, issue commands to the IRC and AIM bots, and kill anti-virus applications.

The keystroke logger records every typed letter and saves the log in an encrypted file on the infected machine. If the infected PC has the Kazaa file-sharing program installed, Fizzer also has the ability to find the default download location for Kazaa files and copy itself to that folder. The copy will have a random filename and could easily be mistaken for a media file and downloaded by another Kazaa user.

At its heart, Fizzer is a mass-mailing worm that arrives in users' mailboxes in an e-mail with a random subject line and body text. The attachment containing the worm is an executable file, but it has a random name and may also have a random file extension that disguises the fact that it is an executable.


Search for more stories by Dennis Fisher.