
Kama Sutra Worm Gets Nasty

A potentially destructive new computer worm, disguised as pornographic videos and other material, is steadily infecting thousands of victims each hour with a payload designed to destroy documents and files on victim machines.

This particular nastygram has earned different monikers from various antivirus vendors -- including "W32/Nyxem-D" (Sophos and F-Secure), "Tearac.A" (Panda Software), and "W32.Blackmal.E@mm" -- but the catchiest name I've seen so far is "Kama Sutra," taken from one of the e-mail worm's various enticing subject lines.

The worm appears programmed to do three things: spread, disable security software and overwrite certain files. According to analysis from F-Secure, on the third day of each month the worm overwrites the contents of certain files on infected machines, including Microsoft Word, Excel and PowerPoint files, as well as Adobe PDF documents and compressed ZIP and RAR archives, among other file formats.

The worm also notifies a specific Web site each time it infects a new machine, increasing the number on a Web-based counter with each visit. Security Fix isn't publishing the link to the counter for obvious reasons (if everyone who read this started visiting the link, its accuracy for measuring the true spread of the worm would quickly decrease). Just know that as of 12:30 a.m. ET on Sunday the counter showed 539,261 victims, up from 522,684 at 5:30 p.m. ET on Saturday, an average of about 2,500 new victims per hour.

As always, be extremely careful about clicking on attachments or links that arrive by e-mail or instant message, even if they appear to have been sent by someone you know. If you got hit with this worm and your antivirus software can't get rid of it, try the free removal tool for this worm from Symantec.

By Brian Krebs  |  January 22, 2006; 10:20 AM ET

Comments

I use Linux, and typically go click on attachments like these with a vengeance!
Bad move?

Posted by: iowa | January 22, 2006 11:52 AM | Report abuse

You are right, BK, this one is nasty. People really need to think about the impact this worm could have for them personally as well as for those that are on networks. It seems that a single infected machine could possibly wipe out documents on a departmental share. I hope this isn't starting a trend. New variants might not be so kind and wait for a specific day of the month to do their damage. For those that don't back up their data, it would probably be good to think about looking at it!

Posted by: David Taylor | January 22, 2006 12:08 PM | Report abuse

The only way to be permanently rid of these kinds of problems is to jettison the Windows operating system variants and use a Unix based machine (Linux or Mac OS X) in which one needs an authorized user's permission with password control to "install" even the most legitimate software.

Even though I do not have any concrete evidence, I have a suspicion that most virus and worm authors use Unix-based machines to create their nasty parasites, and therefore keep their own machines from being similarly exposed.

Posted by: Hari Sundaresh | January 22, 2006 10:37 PM | Report abuse

While I agree that "the only way to be permanently rid of these kinds of problems is to ..." have a system "...in which one needs an authorized user's permission with password control to 'install' even the most legitimate software," it is not necessary to "jettison the Windows operating system variants and use a Unix based machine (Linux or Mac OS X)".

In the enterprise, simply reduce the user's rights to User or Power User. Then deal with the thousands of users upset because they can't install WeatherBug.

If you self-administer, use two local accounts: one non-admin user for routine use and a separate login with Admin rights for your needed software installations.

Excessive rights is the fundamental cause of most successful exploits.

Posted by: Synergist | January 23, 2006 12:29 PM | Report abuse
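The two-account arrangement Synergist describes, as an added example that is not part of the post or any commenter's text. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets (New-LocalUser, Add-LocalGroupMember and friends), an elevated session, and an account name of "daily" that is purely an assumption.

```powershell
# Added example: create a standard (non-admin) account for everyday use and
# make sure it is not a member of Administrators. Run once from the separate
# Admin account. The account name below is an assumption; pick your own.
$DailyUser = 'daily'

function Test-RunningAsAdmin {
    # True when the current token holds the built-in Administrator role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-DailyUseAccount {
    param([Parameter(Mandatory)][string]$Name)

    if (-not (Test-RunningAsAdmin)) {
        throw 'Run this from the Admin account; the daily account must not be able to do it.'
    }

    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "Account '$Name' already exists; checking group membership."
    } else {
        $pw = Read-Host -AsSecureString "Password for '$Name'"
        # New-LocalUser does not add the account to any group by itself.
        New-LocalUser -Name $Name -Password $pw `
            -Description 'Standard (non-admin) account for everyday use' | Out-Null
    }

    # Members of 'Users' can run software but cannot install it system-wide,
    # which is the point of the commenter's advice.
    if (-not (Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }

    # Remove any administrative rights the account may have picked up earlier.
    if (Get-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Name
        Write-Host "Removed '$Name' from Administrators."
    }
}

New-DailyUseAccount -Name $DailyUser
Write-Host "Log on as '$DailyUser' for routine use; switch to the Admin account only to install software."
```

Once set up, a worm that arrives as an e-mail attachment opened under the daily account runs without the rights needed to disable security software or install itself system-wide.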

SANS has a post on the ISC handler's diary detailing a plan to notify infected networks.

http://isc.sans.org/diary.php?storyid=1073

Posted by: Chyna | January 26, 2006 2:45 PM | Report abuse

I am affected by the W32.Blackmal.E worm. Can anybody help me recover my Word and Excel files?

Posted by: subrat | February 10, 2006 12:40 AM | Report abuse

© 2010 The Washington Post Company