The mass-mailing computer virus, which continued to spread on Wednesday, nearly overwhelmed several Internet relay chat (IRC) networks, prompting the operators of more than 50 networks to band together to stave off the digital infection.
"It was almost to the point of taking down our network," said Tyrel "Nemo" Haveman, an administrator for the Mysteria IRC network. "We noticed it first around midday in the U.S. on Monday. Within a couple of hours, we had 500 connections." Mysteria normally has only 150 to 250 people online at any one time, he added.
The digital deluge is caused by a side effect of the virus. Fizzer attempts to connect to IRC networks from an infected PC to open up a communications channel that can be used to control a victim's system. The virus was so successful at spreading that the massive influx of new connections threatened to overwhelm the IRC networks reached by the program.
The IRC operators intend to make the response group a permanent facet of the community, said John McGarrigle, the administrator for another small IRC network, RealmNet. A new site called IRC Unity will become a central hub for information sharing and discussion on various topics including security, he said.
"The idea stemmed from the fact that we have just set up an IRC security list with over 100 subscribers in the first day of operation," he said. "We realized, after that, that we had an opportunity there to create this information-sharing site, which will hopefully help prevent a lot of IRC-based attacks before they get out of hand."
The latest headache for IRC networks caused by the Fizzer virus started spreading a week ago, according to e-mail service provider MessageLabs. The virus took off on Monday and quickly became the most prevalent malicious e-mail attachment, according to the U.K.-based company's data. The company provides spam- and virus-filtering services to its clients and has stopped more than 175,000 copies of Fizzer at its e-mail gateway.
Fizzer--also known as W32.HLLW.Fizzer@mm and W32/Fizzer@MM--may have taken off because it uses two different methods to send itself to other PCs. While the virus mainly spreads through e-mail, it also copies itself under various names to the shared folder used by the Kazaa file-trading system. It can infect all Microsoft Windows systems, but not computers running Linux or the Macintosh operating system.
Charting Fizzer's symptoms
Security software maker Network Associates downgraded the virus to a "medium" threat on Wednesday, as the number of customers infected by the virus dropped overnight. Vincent Gullotto, vice president of Network Associates' antivirus emergency response team, suggested that Fizzer's success may have had its roots in a false sense of security developed by some Internet users.
"Every once in a while, something happens to pop, because there is something different about it or people let the guard down," he said.
The virus file uses an extension that marks it as a program file (EXE, COM or PIF) or screensaver file (SCR).
In addition to the functions designed to spread Fizzer's infection, the computer virus has several components intended to allow others to gain entry to the victim's system. It will also log a user's keystrokes and save them to a file, attempt to disable antivirus programs, launch a Web server, open several backdoors and occasionally look for an online server that contains updates for the worm. Moreover, the virus connects to one of more than 300 IRC servers and registers itself with, and then connects to, America Online's instant messaging system.
Those connections are what have caused so many headaches for IRC operators. RealmNet, which normally sees 100 to 200 connections at a time, suddenly found more than 1,000 computers connected to its server, said administrator McGarrigle. The connections, known as "bots" in IRC terminology, tend to congregate in chat channels of 20 or 30 virus-created connections.
"We have been banning (bots) from the network as they join," he said.
Other computer viruses, such as Deloder, have used a similar tactic. McGarrigle responded to the attack by identifying the channels and shutting them down.
Mysteria's Haveman took a different tack and created a dummy server that intercepts all attempted connections. Any user that tries to connect to the network will be told to go to a different IRC server, while the virus will just be stopped there.
Because the server records the Internet address of every client that attempts to connect, the dummy server may have provided a piece of data normally rare in virus incidents: The total number of infected systems. Since Monday, the Mysteria server has logged more than 40,000 different Internet addresses. Some of those addresses could be the same PCs, so the number could be lower. However, it's more likely to be higher, as Mysteria is only one of the 300 IRC services that the virus targets.
"They are pretty much from everywhere around the world," Haveman said. "It is definitely the biggest (attack) we've seen."
IRC administrators can expect more of the same, as Fizzer isn't going to burn out soon, said Mark Sunner, chief technology officer for MessageLabs.
"It has all the properties of a slow burner, this one does," he said. "While it's certainly plateauing, it doesn't seem to be truly abating in any way."