A new worm, dubbed Fizzer, is spreading around the Internet through email and peer-to-peer (P2P) networks. Fizzer carries quite a hostile payload compared with past worms. When Fizzer runs on a computer, it copies itself into the Windows system directory and modifies the registry so that it runs every time Windows boots.
The worm examines the active processes on a system and attempts to shut down various popular antivirus software packages, such as Norton, F-Prot, and several others. It also launches a Trojan horse program and attempts to communicate by using IRC, through which the Trojan can let an attacker remotely control an infected system.
Fizzer spreads by sending copies of itself to each email address in a user's Windows address book. It also tries to harvest email addresses from cookies, temporary Internet files, and files in a user's personal folders. The worm sends email using a subject, message body, and attached file name that it randomly chooses from lists contained in the worm code.
Fizzer also drops a copy of itself into a user's KaZaA download directory using a random file name, in hopes that other P2P network users will download and run a copy. The worm also attempts to contact a Web site hosted at Geocities to update itself.
If that weren't enough, the worm also runs a Web server on port 81 and runs a keystroke logger that stores all user keystrokes in an encrypted file. Panda Software and Symantec have both released free tools that can help remove the worm in the event your system becomes infected.
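The behaviors described above (an autorun entry pointing into the system directory, antivirus processes shut down, IRC traffic, a listener on port 81, executables in the P2P download directory) are individually weak signals but strong in combination. The following Python triage check is an added example, not code from the original article or from any vendor's removal tool; the host snapshot format, file paths, process names, and IRC port 6667 are assumptions, and all sample data is constructed.

```python
from ntpath import dirname

# Assumed typical Windows system directories (the article names no path).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system", r"c:\winnt\system32"}
IRC_PORTS = {6667}       # assumption: conventional IRC port; the article names none
WORM_HTTP_PORT = 81      # from the article
EXE_EXT = (".exe", ".com", ".pif", ".scr")

def fizzer_indicators(host):
    """Return the article-described behaviors observed in one host snapshot."""
    hits = []
    auto = {p.lower() for _, p in host["autoruns"]
            if dirname(p).lower() in SYSTEM_DIRS and p.lower() not in host["known_good"]}
    if auto:
        hits.append("autorun-from-system-dir")
    if host["expected_av"] - host["running"]:
        hits.append("av-process-missing")
    if any(port == WORM_HTTP_PORT for port, _ in host["listeners"]):
        hits.append("listener-tcp-81")
    if any(rport in IRC_PORTS for rport, _ in host["outbound"]):
        hits.append("outbound-irc")
    if any(f.lower().endswith(EXE_EXT) for f in host["p2p_download_dir"]):
        hits.append("executable-in-p2p-dir")
    # Strongest signal: the autorun binary itself owns the listener or IRC session.
    net = {p.lower() for _, p in host["listeners"] + host["outbound"]}
    if auto & net:
        hits.append("autorun-binary-has-network-activity")
    return hits

def verdict(host, threshold=3):
    """Flag a host only when several independent behaviors coincide."""
    hits = fizzer_indicators(host)
    return ("investigate" if len(hits) >= threshold else "ok"), hits

# Constructed snapshots (hypothetical file and process names).
DROPPED = r"C:\WINDOWS\SYSTEM32\example_dropped.exe"
SUSPECT = {
    "autoruns": [("Updater", DROPPED)],
    "known_good": set(),                       # lowercase paths of vetted autoruns
    "expected_av": {"av_scanner.exe"},
    "running": {"explorer.exe", "example_dropped.exe"},
    "listeners": [(81, DROPPED)],
    "outbound": [(6667, DROPPED)],
    "p2p_download_dir": ["song.mp3", "random_name.exe"],
}
# A user who simply runs an IRC client should not be flagged.
CLEAN = dict(SUSPECT, autoruns=[], listeners=[], p2p_download_dir=["song.mp3"],
             running={"explorer.exe", "av_scanner.exe", "irc_client.exe"},
             outbound=[(6667, r"C:\Program Files\Chat\irc_client.exe")])
```

The threshold keeps a lone IRC session or a single executable in a shared folder from raising an alert on its own.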