Fizzer has not fizzled.
After a slow start late last week, the spread of the mass-mailing worm soared on Monday as enterprises returned to work worldwide. U.K.-based e-mail scanning outsourcer MessageLabs had intercepted 56,669 copies of the worm by midmorning Tuesday. More than 33,000 copies were caught Monday.
The antivirus vendors have responded. Tokyo-based Trend Micro Inc. has bumped its alert to medium risk based on a high rate of infection in South Korea. McAfee Security has likewise raised Fizzer to a medium risk. Symantec Corp. has raised the worm from a Category 2 to a Category 3 threat because of its progress.
But at least one antivirus vendor thinks Fizzer has peaked. "We think the level is dying down, and it peaked yesterday," said Chris Belthoff, senior product marketing manager at U.K.-based antivirus software vendor Sophos Plc.
No one can say exactly why Fizzer made inroads. The antivirus vendors found it late last week but did not deem it a significant risk. It didn't spread much over the weekend. But on Monday, its progress picked up, perhaps because people came back to work and e-mail usage picked up. One factor could be the archetypal half-dazed employee still stuck in weekend mode who starts opening e-mails indiscriminately on a Monday morning, experts theorized.
Technically, Fizzer is both pretty complex and quite simple. It uses attack vectors similar to those of other recent worms. It can spread via network file shares. Also, the worm drops a copy of itself into the Kazaa shared folder on infected machines, so file swappers could inadvertently download it.
Fizzer can also shoot copies of itself out using its own SMTP engine. It can spoof e-mail addresses so a message appears to come from a different person. The worm harvests e-mail addresses both from the Windows address book and the Microsoft Outlook address book.
The worm uses random subject lines and message bodies in Dutch, German and English. Fizzer does have a new trick. It can randomly generate e-mail addresses for common Web-based e-mail domains.
Fizzer travels as an attachment to e-mail messages, using the file extensions .exe, .scr, .pif and .com. It can also use double file extensions. Many worms use those extensions. "Over 90% of companies have no business use for allowing such files in," said David Perry, Trend Micro's global director of education.
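The attachment filtering Perry argues for can be expressed as a simple gateway check on the extensions the article names, including the double-extension trick. The following is an added example written for this article, not code from any vendor quoted here; the blocked-extension list, the `classify_filename` and `risky_attachments` helpers, and the sample message (built with Python's standard `email` library and clearly marked as constructed) are assumptions for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the article names as Fizzer's carriers. This is a policy choice
# for the example, not an exhaustive list of dangerous attachment types.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}


def classify_filename(name):
    """Return a reason string if an attachment name should be blocked, else None.

    The check is case-insensitive and looks only at the final extension, so
    'invoice.doc.exe' is caught as a double extension while 'archive.tar.gz'
    passes: the last extension decides what Windows will execute.
    """
    if not name:
        return None
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return None  # no extension at all
    last = "." + parts[-1]
    if last not in BLOCKED_EXTENSIONS:
        return None
    if len(parts) > 2:
        return f"double extension ending in {last}"
    return f"executable extension {last}"


def risky_attachments(raw_message):
    """Parse an RFC 822 message and list (filename, reason) for every risky attachment."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        reason = classify_filename(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample():
    """Construct a sample message (constructed data, not a real Fizzer capture)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "constructed sample: mixed attachments"
    msg.set_content("Body text of a constructed test message.")
    # One benign attachment and three that match the article's extensions.
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"\x00fake binary\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.doc.exe")
    msg.add_attachment(b"\x00fake binary\x00", maintype="application",
                       subtype="octet-stream", filename="Photos.SCR")
    msg.add_attachment(b"\x00fake binary\x00", maintype="application",
                       subtype="octet-stream", filename="update.pif")
    return msg.as_string()


if __name__ == "__main__":
    for filename, reason in risky_attachments(build_sample()):
        print(f"BLOCK {filename}: {reason}")
```

Running it against the constructed message flags `invoice.doc.exe`, `Photos.SCR` and `update.pif` and lets `notes.txt` through. In a real gateway the same classifier would sit in front of the antivirus scanner, so a fresh worm variant is stopped by extension policy before a signature exists for it.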
But once it infects a system, Fizzer does some novel things. For example, it installs an IRC bot that could be used by a remote attacker to execute commands on the infected system. The worm also installs a keystroke-logging program.
Fizzer, however, is not a "ticking time bomb," said Craig Schmugar, an antivirus researcher with McAfee AVERT. It won't try to reformat the hard drive on a specific date like other worms, but its e-mail blasts could choke bandwidth. The remotely controlled IRC bot could also be damaging. Fizzer also tries to shut off antivirus scanning processes, which could open up infected systems to other viruses and worms.