Many security experts believed that approximately 350,000 computers had been infected with the so-called Kama Sutra worm, but administrators and individual users had plenty of time to clean the malware off their machines. The worm's payload, which was the ability to overwrite Microsoft files, was designed to be triggered on the 3rd of every month. That means the worm should have started wiping out Word files, Excel files and PowerPoint presentations around the world today.
But security watchers say that, largely, nothing much has happened.
"I think part of it is that people worked really hard to update their anti-virus," says Steve Sundermeier, a vice president at Medina, Ohio-based Central Command, an anti-virus and anti-spam company. "The anti-virus definitions have been available for two weeks, and, with the attention this has been getting, people just made sure they were up-to-date for it."
The worm goes by many different names. Despite anti-virus vendors' recent efforts to use common names for new malware, the Kama Sutra worm is known as BlackWorm, Nyxem-D, CME-24, Grew-A, Casper-A, Killav, Blackmal, Mywife-D and Worm.p2p.vb.cil.
No matter what it's called, the malware spreads in an attachment via email, using a variety of pornographic disguises. If the attachment is opened and the worm is launched, it immediately tries to disable a number of anti-virus and firewall products, and attempts to harvest other email addresses from the infected computer in an effort to spread itself further, according to analysts at Sophos.
But it doesn't stop there. The worm also is designed to overwrite certain files on the 3rd of every month. Ken Dunham, a senior engineer for VeriSign iDefense Intelligence based in Mountain View, Calif., notes that the worm attacks Word files, Excel, PowerPoint, Adobe Acrobat, .zip files, some database files and Photoshop.
The malware has been nicknamed after the Hindu sex manual Kama Sutra because of the pornographic subject lines it uses to lure unsuspecting users to open the malicious attachment.
And while there have been no reports yet of any significant damage being done, the worm is still spreading in the wild.
The worm is ranked at the top of Central Command's Top Threat list, and Sophos, Inc., an anti-virus and anti-spam company based in Lynnfield, Mass., reports that its statistics show it's the third most commonly encountered email virus. BlackWorm is accounting for 10 percent of all viruses being reported, says Graham Cluley, senior technology consultant with Sophos. However, that number is down from a week ago when it was accounting for 39 percent.
"The virus writer probably made a mistake by setting his countdown to two and a half weeks after he first sent it out," says Cluley. "That gave people enough time to take care of it. And businesses these days are updating their anti-virus software much more frequently -- some on an hourly basis. It also was a virus that managed to get a lot of attention because of the sexy and salacious subject lines. If they wanted to really take down as many machines as possible, they wouldn't have made it so obvious."
And it's a good thing the virus writer gave administrators and home users such a head start to prepare.
There were reports today that in Milan, Italy, IT workers shut down city government computers after discovering yesterday that they had been infected with the Kama Sutra worm.
And F-Secure Corp., an anti-virus company based in Helsinki, Finland, reports that a large U.S. company, which was not one of their customers, was "thoroughly infected" with it more than a week ago. "They've been cleaning up ever since," says Mikko Hyppönen in an email interview with eSecurityPlanet.
Jose Nazario, a senior security and software engineer with Arbor Networks, a security software company based in Lexington, Mass., says the worm had some technical problems that kept it from being as damaging as it could have been.
"It appears that it's not going to affect network drives," says Nazario. "Many enterprises store documents in a central repository and that allows for centralized backups and easier sharing of documents. If the worm can't get there, it can't overwrite those files. And it also appears that it requires elevated privileges and users inside an enterprise typically do not have that level of control."
Cluley, who notes that Sophos had rated this as a low-risk threat, says the worm simply wasn't as dangerous as some of the malware that works silently in the background stealing personal and critical financial information.
"People say it's really dreadful but we've been one of the lone voices saying, 'Is it, really?' Shouldn't you all have backups anyway? Shouldn't business and home users all be backing up their information?" asks Cluley. "This is quite tame compared to a virus that steals passwords or credit card numbers."
And, ironically, while the world held its breath about what would happen with the BlackWorm today, a virus apparently took down the Russian Stock Exchange for an hour last night.
The virus, which the Russians have not publicly identified, is said to have hit late on Thursday, forcing the suspension of trading on the RTS FORTS futures market, classic market and the stock exchange, according to the Russian Trading System. The infected computer generated a large amount of outgoing email traffic, and legitimate incoming and outgoing email was interrupted by the virus's activities, Sophos reports.
Trading has resumed at the stock exchange, and officials say no data had been stolen.
Cluley told eSecurityPlanet that there was no evidence to suggest that the BlackWorm was involved at all.
"I've got no doubt that some people will lose data but it's not the disaster of Titanic-style proportions that some people had thought it was going to be," he says. "I'm grateful that some people have updated their anti-virus software."