Internet security firm MessageLabs said the virus, which has already reached a peak of one in 474 e-mails to date, is “particularly unpleasant” because of its ability to spread quickly across the web.
“Although perhaps not as prevalent in these initial stages as other notable outbreaks such as Klez or Bugbear, Fizzer is certainly likely to be around for a long while,” the company said yesterday (12 May).
This morning (13 May), MessageLabs said it had intercepted almost 50,000 e-mails infected with the Fizzer virus, which has been classed as medium risk.
Fizzer, which spreads via e-mail and the Kazaa peer-to-peer (P2P) file-sharing network, can update itself by downloading from a GeoCities website, said security firm Trend Micro.
The worm, which arrives as a file attachment with an .EXE, .PIF, .COM, or .SCR extension, has its own SMTP engine, which it uses to send copies of itself via e-mail. It obtains recipients from addresses found in the Windows Address Book.
Fizzer was first detected in the Far East, but it would seem it was created by someone with a good knowledge of German, given the use of dialect within the subject line, Trend Micro said. English is also used in the subject line and in the main body of the e-mail.
The worm can also enter systems via an IRC backdoor by connecting itself to IRC servers and joining IRC channels. It will then perform commands coming from those channels.
The distribution potential of the worm is increased by the fact that it can disable some anti-virus scanners by terminating any of the processes mentioned below, Trend Micro warned.
In a separate development, the CERT Co-ordination Centre has warned internet users to beware of the "Mother's Day Virus", the latest e-mail-borne threat that could allow an attacker to run malicious code on a victim's computer.
The threat, which is also known as "Peido-B" or "VBS/Inor.B", arrives in an e-mail that masquerades as an administrative message.
The e-mail contains the text "THIS IS A WARNING MESSAGE ONLY YOU DO NOT NEED TO RESEND YOUR MESSAGE" and contains an executable attachment named "sys_con.hta," according to an alert posted by security firm Sophos.