Fizzer worm may be fizzling
Almost a week after it first appeared on the Internet, the Fizzer worm appears to be losing momentum, but experts disagree on whether or not the new computer virus has peaked.
Fizzer was first detected late last week and spread slowly at first, according to a statement by antivirus company Sophos PLC.
However, Monday saw a surge of incidents of the virus on the Internet, with most antivirus companies upgrading their rating of the virus from a low profile threat to a moderate or high threat.
On Monday, for example, F-Secure Corp. of Helsinki raised the alert on Fizzer to its highest level, saying it was one of the most widespread viruses currently in circulation. Symantec Corp.'s Security Response likewise upgraded its rating of Fizzer to a level 3 threat on a scale of one to five, citing 146 customer submissions of the virus including 26 from corporations, according to a statement from the Cupertino, California, company.
On Tuesday, most antivirus companies maintained their threat rating on Fizzer, but there is disagreement on whether the virus is continuing to rapidly proliferate, as it did on Monday.
"We saw in increase in the number of infections sharply over the course of (Monday) but (Fizzer) didn't spread widely and appears to have died out," said Chris Belthoff, senior product manager at Sophos.
A similar drop off was seen by other leading antivirus companies, as well. New submissions of Fizzer on Tuesday to AVERT (Anti-Virus Emergency Response Team), part of Network Associates Inc., were down 60 percent from the same time on Monday, according to a Network Associates spokeswoman.
But e-mail security company MessageLabs Ltd. of Gloucester, U.K., reported an increase in the number of infections on Tuesday to 60,000 from 22,000 on Monday, according to Mark Sunner, chief technical officer of MessageLabs.
"Fizzer started as a slow burner, but now it's really gathering momentum," Sunner said.
Some of the confusion over the fate of Fizzer could be due to the different vantage point of the security companies.
Like other e-mail worms, the Fizzer virus hides in executable attachments to e-mail messages with enticing subject lines that are generated at random from lists maintained by the worm.
The worm spreads by locating the Microsoft Corp. Outlook and Windows address books and using the records stored there to send copies of itself out to those addresses, Sophos said.
While antivirus companies measure outbreaks by the number of virus submissions from their customer base, managed service companies such as MessageLabs measure them by the number of messages containing viruses that are intercepted on the way to their customers' networks.
With a large number of computer hosts already infected with Fizzer, especially among home users, the corporate networks managed by companies like MessageLabs may continue to be bombarded with e-mail messages generated by Fizzer, even as the number of new virus submissions from corporate and home users affected by the virus declines, according to Sunner.
He likened the problem to the use of compromised machines by spammers to send out junk e-mail messages. Sixty percent of those messages come from so-called "open proxies," machines that have been compromised by viruses and left open to use by spammers, Sunner said.
"(Fizzer) will be kept alive by the home user market because they're the slowest to update (antivirus software) and clean the virus up," he said.
Fizzer also infects the shared files folder used by the Kazaa peer-to-peer file sharing application and is capable of spreading over the Kazaa network and through vulnerable shared directories on computer networks, according to AVERT Labs at Network Associates.
While that made the virus something of an anomaly, the vast majority of new infections came from individuals clicking on e-mail attachments rather than the Kazaa network. That fact, alone, may account for Fizzer's rapid decline, according to Belthoff.
"This is not any sort of aggressive kind of Slammer worm. This is something that requires human interaction and an unprotected system to spread," he said.