Fact Check

Fizzer Virus

Information about the 'Fizzer' worm.

Published May 14, 2003


Virus name:   Fizzer.

Status:   Real.

Example:   [Collected on the Internet, 2003]

Subject: EXTREMELY IMPORTANT WARNING—Virus—Don't open emails with these Subject lines listed below

We are concerned about this virus. Our Firewall and virus software protects us reasonable well.

Our exposure to this virus will come from people who use Instant Messaging in Aol, Kazaa and Internet Chat. The impact if you get this virus will be additional virus carrying messages to clients, friends and family in your address list.

This afternoon we are loading an updated virus file to every machine in the company to be safe.

****An important rule if you think you shouldn't. DON'T OPEN IT. Delete unknown Mail.

The worm arrives as an email attachment in various messages. The from address can be forged such that the apparent sender is not the actual sender. Message body and subject lines vary, as do attachment names. Attachments use standard executable extensions (.com, .exe, .pif, scr) with subjects such as:

Subject: why?
Body: The peace
Attachment: desktop.scr

Subject: Re: You might not appreciate this...
Body: lautlach
Attachment: service.scr

Subject: Re: how are you?
Body: I sent this program (Sparky) from anonymous places on the net
Attachment: Jesse20.exe

Subject: Fwd: Mariss995
Body: There is only one good, knowledge, and one evil, ignorance.
Attachment: Mariss995.exe

Subject: Re: The way I feel - Remy Shand
Body: Nein
Attachment: Jordan6.pif

Origins:   Fizzer is a mass-mailing virus which spreads through file-sharing programs such as Kazaa as well as by e-mail containing a file attachment with a .exe, .pif, .com or .scr extension.

Once a computer is infected, the virus will scan the victim's address book and send out infected messages using different subjects, message texts and file attachment names.

Fizzer also installs a keylogging program to record every keystroke as well as open a way to access a victim's computer over Internet Relay Chat, and the virus also regularly connects to a web page to try to download an updated version of itself.

Additional Information:

W32/Fizzer@MM W32/Fizzer@MM (McAfee)
W32.HLLW.Fizzer@mm W32.HLLW.Fizzer@mm (Symantec)

Last updated:   27 January 2008

David Mikkelson founded the site now known as snopes.com back in 1994.