Fizzer worm attacks worldwide

By Tracy Burrows, ITWeb contributor.
Johannesburg, 13 May 2003

Anti-virus companies report that a complex new worm, Fizzer (also called Fizzu.A or W32/Fizzer.A), is spreading fast around the globe.

Businesses in Asia were the first to report the attack, followed by reports of tens of thousands of infections in Europe, and experts expect more cases in North America. Symantec reports that some cases have been reported in SA too.

Fizzer combines previously known tactics from other malicious viruses. Kaspersky Labs says Fizzer "employs sneaky and dangerous tactics" such as a key logger and a trojan program that allows remote management of infected computers.

The worm arrives via e-mail or the file-sharing program Kazaa. From there, it infects the shared file folder for Kazaa, finds information for other contacts in Microsoft's Outlook e-mail program and mails itself to more people.

The Central Command Virus Response Team reports that the e-mails all have different contents, with the attachment name, subject line and body built from a large list of attention-grabbing English or German words. For example, the subject line could read: "Re: You might not appreciate this..." The body text reads: "There is only good, knowledgem, and one evil, ignorance", with the attachment entitled .scr.

Another example has the subject line "Why?", the body text "I sent this program (Sparky) from anonymous places on the net", and an attachment entitled Desktop.scr.

If executed, the worm copies itself into the Windows directory under the filenames "INITBAK.DAT" and "ISERVC.EXE". Fizzer also modifies the Windows registry auto-run section so that the worm loads each time the operating system is started.

Kaspersky Labs points out that Fizzer's dangerous payload could cause confidential data to be leaked from infected computers because it intercepts and records all keyboard strokes in a separate log file. Fizzer then implements a backdoor utility that allows the worm's "master" to undetectably control a computer via IRC channels as well as via HTTP and Telnet protocols. The worm also regularly connects with a Web page located on the Geocities server from which it attempts to download an updated version of its executable modules.

To avoid detection, Fizzer scans the memory of victim computers and shuts down the active processes of the most widely used anti-virus programs.

Anti-virus experts say Fizzer is not likely to cause widespread damage similar to the disruption caused by SQL Slammer in January. However, it could generate a great deal of extra traffic and bog down corporate networks.