After a relatively fallow period for virus activity, a new mass-mailing worm has emerged, but experts are unsure of how successful it will be.
Fizzer-A packs quite a little punch. When it infects a system, the worm installs a backdoor Trojan horse program that can be controlled remotely via IRC channels and potentially allow an attacker to control an infected machine. Fizzer also installs a keystroke-logging program, harvests e-mail addresses that it then uses to send itself using its own SMTP engine, and drops a copy of itself to the machine's Kazaa shared folder, which means unsuspecting peer-to-peer users could download the worm.
Additionally, Fizzer tries to shut down antivirus software, said Chris Belthoff, senior product marketing manager at U.K.-based antivirus software vendor Sophos Inc. This could pave the way for infection from other malicious code, he said.
Fizzer has gained traction in Asia, notably Taiwan, but it doesn't seem to be a big issue for Europe and the Americas. Though it was first detected in Asia, it was probably written by someone from southern Germany, according to David Perry, global director of education for Trend Micro Inc., a Tokyo-based antivirus software vendor. The worm travels with a variety of subject lines and messages, some of which smack of the dialect used by people in southern Germany, Perry said, noting that one of Trend Micro's virus researchers is from the region. Other subject lines and message bodies are in Dutch and some are in English.
In many ways, Fizzer is nothing new. It travels as an attachment to e-mail messages with file extensions such as .exe, .pif, .com and .scr, which are commonly used by malicious code. Most companies don't have reason to allow files with these extensions in and block them at the gateway. Of course, a company that allows Kazaa traffic in could become infected.
Given its attack vectors, Fizzer may be more of an issue for home users than corporations, Perry said. In fact, Fizzer may not have a big outbreak but may fall instead into a "steady state" or "background state." In other words, it may slowly progress among home machines but never reach a corporation, where it would have access to thousands of e-mail addresses, he said.
Fizzer, like many recent worms, harvests e-mail addresses from infected systems' Windows Address Books. It also contains a tool to randomly generate e-mail addresses for such domains as hotmail.com, yahoo.com and netzero.com, which it could have borrowed from the spammers' toolkit, Perry said.
But that's not the only Spam-like thing about Fizzer. Many of the random subject lines it uses sound very Spam-like (such as "little popup remover"). This could hurt its progress because many people will likely delete the messages without even opening them, Perry said.
SearchSecurity.com news exclusive: "Klez a nuisance a year later"
FEEDBACK: Does your enterprise concern itself with mass-mailing worms any more? Or are most file extensions blocked at the gateway?
Send your feedback to the SearchSecurity.com news team.