The Fizzer worm continued to spread rapidly late Monday afternoon as anti-virus experts raced to analyze the code of what they called one of the more complex worms in recent memory. First seen late last week, Fizzer initially spread in Asia but then hit Europe and North America hard Monday as office workers started to open e-mails received over the weekend.
As of 4:30 EDT Monday, MessageLabs Inc., a managed service provider in New York that tracks virus activity, had seen more than 25,000 copies of the worm, making it the fifth-most prevalent virus on the Internet this month.
"This is one of the more complicated worms we've seen," comments Mikko Hypponen, manager of anti-virus research at F-Secure Corp., based in Helsinki, Finland. "The worm is 200kB of code spaghetti, containing backdoors, code droppers, attack agents, key loggers and even a small Web server."
The new worm has several other capabilities that make it particularly troubling and dangerous. Fizzer includes an IRC bot that attempts to connect to a number of different IRC servers and, once it establishes a connection, listens passively for further instructions. This kind of activity is often the precursor to a distributed DoS (denial-of-service) attack. The worm also has the ability to create a new user account on AIM (AOL Instant Messenger), join a chat session and then listen for instructions.
But perhaps the most interesting aspect of Fizzer is the HTTP server it contains. The server runs on a configured TCP port and in effect acts as a command console, according to an analysis of the worm by the AVERT team at McAfee Security, part of Network Associates Inc., in Santa Clara, Calif. The console gives the attacker a wealth of information about the infected system, such as its operating system, connection information, and IRC and AIM data.
Full Article: eWeek