Security software maker Network Associates downgraded the virus to a "medium" threat on Wednesday, as the number of customers infected by the virus dropped overnight. Vincent Gullotto, vice president of Network Associates' antivirus emergency response team, suggested that Fizzer's success may have had its roots in a false sense of security developed by some Internet users. "Every once in a while, something happens to pop, because there is something different about it or people let the guard down," he said. The virus file uses an extension that marks it as a program file (EXE, COM or PIF) or screensaver file (SCR). In addition to the functions designed to spread Fizzer's infection, the computer virus has several components intended to allow others to gain entry to the victim's system. It will also log a user's keystrokes and save them to a file, attempt to disable antivirus programs, launch a Web server, open several backdoors and occasionally look for an online server that contains updates for the worm. Moreover, the virus connects to one of more than 300 IRC servers and registers itself with, and then connects to, America Online's instant messaging system. Those connections are what have caused so many headaches for IRC operators. RealmNet, which normally sees 100 to 200 connections at a time, suddenly found more than 1,000 computers connected to its server, said administrator McGarrigle. The connections, known as "bots" in IRC terminology, tend to congregate in chat channels of 20 or 30 virus-created connections. "We have been banning (bots) from the network as they join," he said. Other computer viruses, such as Deloder, have used a similar tactic. McGarrigle responded to the attack by identifying the channels and shutting them down. Mysteria's Haveman took a different tack and created a dummy server that intercepts all attempted connections. Any user that tries to connect to the network will be told to go to a different IRC server, while the virus will just be stopped there. Because the server records the Internet address of every client that attempts to connect, the dummy server may have provided a piece of data normally rare in virus incidents: The total number of infected systems. Since Monday, the Mysteria server has logged more than 40,000 different Internet addresses. Some of those addresses could be the same PCs, so the number could be lower. However, it's more likely to be higher, as Mysteria is only one of the 300 IRC services that the virus targets. "They are pretty much from everywhere around the world," Haveman said. "It is definitely the biggest (attack) we've seen." IRC administrators can expect more of the same, as Fizzer isn't going to burn out soon, said Mark Sunner, chief technology officer for MessageLabs. "It has all the properties of a slow burner, this one does," he said. "While it's certainly plateauing, it doesn't seem to be truly abating in any way."
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.
Let the editors know what you think in the Mailroom.
