File-Trashing Virus Set to Strike
Kama Sutra worm scheduled to delete data today, but experts say the damage forecast is low.
Jeremy Kirk, IDG News Service
A virus that is scheduled to begin deleting files on Friday from infected Windows computers is unlikely to result in widespread damage, security vendors say, although some businesses reported being affected.
F-Secure has been in contact with one large U.S. company that had "tens of thousands of infected computers," says Mikko Hypponen, F-Secure's chief research officer.
The company, which Hypponen declines to identify but says was not an F-Secure customer, had been working to cleanse the machines. It may keep its computers switched off Friday as a precaution until it can be sure they are virus-free. If your PC is affected, Symantec has posted instructions for the worm's removal.
There had been no reports early Friday of data being wiped out, although antivirus vendors say it may take a few days for problems to emerge, especially for consumers, who are less likely to notice damage right away. The virus has several names, including Blackdoom, Nyxem, Kama Sutra, and Mywife. It was detected in mid-January.
Antivirus vendors have been updating their software to protect and cleanse machines of the destructive code, says David Emm, senior technology consultant at Kaspersky Lab. The malware contains code that will overwrite most files on a computer on the third day of each month, replacing them with error messages.
How It Spreads
Computers become infected if a user opens a PIF (Program Information File) attachment contained in an e-mail. In addition to dropping the destructive code on a computer, the worm harvests e-mail addresses and sends itself out again. The e-mails often use the promise of pornography to lure users into opening the attachment, a relatively dated method.
Up to 300,000 machines may be infected worldwide, with concentrations in India, Turkey, Mexico, Peru, and Australia, according to antivirus vendors. The spread of e-mail worms is fairly random, Hypponen says.
Those countries may be affected the most if the worm happened to find computers with big lists of e-mail addresses in those countries to which it could mail itself, Hypponen says.
India appeared to have been infected the most as of Friday morning, with the virus emanating from around 4000 IP addresses in that country, says Alex Shipp of MessageLabs. About 1000 IP addresses were affected in the U.S., and 102 in the U.K., he says.
It may take a few days for the "sob stories" to emerge from hapless users, Shipp says.
The number of attacks against customers of SecureWorks has doubled since Tuesday, to 939, the company says. It reported the most activity in India, Australia, and the U.S.
Machines protected by antivirus software could still be vulnerable since other malware, such as the Bagle virus, can shut off those programs, Hypponen notes.
Publicity surrounding the worm may have made users more careful about protecting their computers. A chain of computer stores in the U.K. was warning users of the worm on its call-in number.
"At the moment, we are not sure of the impact of it," says Omar Qureshi, who works on the PC Service team for PC World stores. It may be three or four days before reports of problems trickle in, he says.
