Porn Worm to Shoot Load on Friday

Concern is growing over the Kama Sutra worm, since reports indicate that its sole purpose is to destroy data not only on infected machines, but also on connected devices.

It’s suggested that Internet users be on guard for any unsolicited emails claiming to contain pornographic pictures and adult movies this week. The W32/Nyxem worm is set to trigger its data-destroying payload on Friday, Feb. 3. Users can tell they’ve been infected if, after clicking on an email attachment, their keyboard and mouse freeze up and they have to reboot their systems. It’s during this process that the worm creates several Windows registry key values and causes an included OCX file to be trusted.

The Kama Sutra worm – also known as “Nyxem-E” and “Grew.A” – spreads via e-mail using a variety of pornographic disguises and disables security software. The only known cure for infection is to reinstall anti-virus software that includes protection against the worm and then scan all hard disks to ensure the worm has been defused.

Graham Cluley, senior technology consultant for Sophos, advises that “companies should educate their users to practice safe computing. That includes never opening unsolicited email attachments and discouraging the sending and receiving of joke files, pornography, and funny photographs and screensavers. This worm feeds on people’s willingness to receive salacious content on their desktop computer, but they could be putting their entire company’s data at risk.”

Subject lines used in the worm-bearing emails include “Hot Movie,” “Arab sex DSC-00465.jpg,” “Fwd: Crazy illegal Sex!,” and similar suggestive-sounding phrases. The payload will destroy DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD, and DMP files by replacing their contents with the string: “DATA Error [47 0F 94 93 F4 K5].”
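The overwrite behaviour described above leaves a recognisable fingerprint: a destroyed file is no longer a damaged document but a short file whose whole body is the error string. The following script is an added example, not code from the article or from any vendor it quotes; it walks a directory, checks files with the listed extensions for that marker, and sorts them into destroyed (restore from backup) and intact, using a constructed sample tree so it can run offline. The assumption that the marker sits at offset zero and fills the file is the author's reading of "replacing their contents with the string".

```python
"""Triage helper: find document files a Nyxem-style payload has overwritten.

A file whose entire body is the fixed error string is a casualty, not a
corrupted document, so the right response is to restore it from backup
rather than attempt repair.  Added example; marker and extension list are
taken from the article, the on-disk layout is an assumption.
"""
import os
import tempfile
from pathlib import Path

# Marker string quoted in the article, kept as bytes for raw comparison.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions the article lists as targets of the payload.
TARGET_EXTENSIONS = {
    ".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
    ".zip", ".rar", ".pdf", ".psd", ".dmp",
}


def is_overwritten(path: Path) -> bool:
    """True if the file body is exactly the payload marker.

    Reads one byte past the marker length so a large archive is never
    loaded into memory just to be ruled out.
    """
    try:
        with path.open("rb") as fh:
            head = fh.read(len(MARKER) + 1)
    except OSError:
        return False
    return head == MARKER


def scan_tree(root: Path) -> dict:
    """Walk a directory and sort target-extension files into 'destroyed'
    (body is the marker) and 'intact' (anything else).  Paths are returned
    relative to root, POSIX style, sorted for stable output."""
    report = {"destroyed": [], "intact": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in TARGET_EXTENSIONS:
                continue  # not a file type the payload touches
            bucket = "destroyed" if is_overwritten(p) else "intact"
            report[bucket].append(p.relative_to(root).as_posix())
    for key in report:
        report[key].sort()
    return report


def build_sample_tree() -> Path:
    """Constructed sample data: two overwritten documents, one intact
    document, and one non-target file, so the scanner runs offline."""
    root = Path(tempfile.mkdtemp(prefix="nyxem_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "budget.xls").write_bytes(MARKER)
    (root / "report.pdf").write_bytes(MARKER)
    # Constructed OLE2 header prefix standing in for a real Word document.
    (root / "notes.doc").write_bytes(b"\xd0\xcf\x11\xe0 real compound document")
    (root / "readme.txt").write_bytes(MARKER)  # .txt is not a target extension
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = scan_tree(sample)
    print("Destroyed:", result["destroyed"])
    print("Intact:   ", result["intact"])
```

Because the marker is short and fixed, the same check can be expressed as a content signature for backup-validation tooling: a target-extension file whose size equals the marker length and whose bytes match it has already been hit, and the backup copy taken before Feb. 3 is the only recovery path.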

According to Ken Dunham, a senior engineer with VeriSign iDefense, the Feb. 3 payload will strike any infected computer based on the infected machine’s local date and time.

However, the worm might not be as destructive as some fear. According to Dunham, the counter the worm installs can be detected easily by anyone investigating the worm.

“The worm counter may not have started at zero,” Dunham says. “It records each hit or page view, rather than unique IP addresses, and could be manipulated. Current data shows that this worm is not a massive epidemic but that it is temporarily more successful than long-term persistent threats such as NetSky and Zafi variants.”

The worm reportedly sends out copies of itself as a PDF, such as eBook.PDF. But it’s noted that if such a file is opened, Adobe Acrobat will not run it, because the attachment is really a Windows executable with an MZ header rather than a PDF. In Dunham’s view, these types of attachments are not significant threats at this time.
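The eBook.PDF case is a declared-type versus actual-type mismatch, which a mail gateway or analyst can catch before any reader is involved. The script below is an added example written for this article, not code from Sophos, iDefense, or the article itself; it sniffs the leading bytes of an attachment, compares them with what the claimed extension should carry, and rates an MZ-headed file posing as a document as the most serious verdict. The magic-number table and extension map are a small assumed subset, and the sample attachments are constructed.

```python
"""Attachment triage: does the declared file type match the leading bytes?

The article notes the worm mails itself as an apparent PDF that is really
a Windows executable (MZ header).  Acrobat will not run it, but the
mismatch is still the signal a gateway should act on.  Added example;
the magic table below is an assumed subset, not a complete list.
"""
from pathlib import PurePosixPath

# Leading bytes ("magic numbers") for a few common attachment types.
MAGIC = {
    "pdf": b"%PDF",
    "pe": b"MZ",            # DOS/Windows executable header
    "zip": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
}

# Sniffed type each claimed extension is allowed to carry.
EXPECTED = {
    ".pdf": "pdf",
    ".zip": "zip",
    ".jpg": "jpg", ".jpeg": "jpg",
    ".exe": "pe", ".scr": "pe", ".ocx": "pe",
}


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed content and return a
    verdict.  'executable-disguised' is reserved for MZ content under a
    non-executable extension, the pattern the article describes."""
    ext = PurePosixPath(filename).suffix.lower()
    actual = sniff(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        verdict = "unknown-extension"
    elif actual == expected:
        verdict = "consistent"
    elif actual == "pe":
        verdict = "executable-disguised"
    else:
        verdict = "type-mismatch"
    return {"filename": filename, "claimed": ext,
            "actual": actual, "verdict": verdict}


# Constructed sample attachments (header bytes only, no real files).
SAMPLES = [
    ("eBook.PDF",    b"MZ\x90\x00\x03\x00\x00\x00 constructed PE header"),
    ("invoice.pdf",  b"%PDF-1.4\n% constructed document"),
    ("photo.jpg",    b"MZ\x90\x00 another constructed PE header"),
    ("archive.zip",  b"%PDF-1.4\n% wrong container, not executable"),
]


def triage_all(samples=SAMPLES) -> list:
    """Run triage over the sample set and return the verdicts in order."""
    return [triage(name, data)["verdict"] for name, data in samples]


if __name__ == "__main__":
    for name, data in SAMPLES:
        r = triage(name, data)
        print(f"{r['filename']:<14} claimed={r['claimed']:<5} "
              f"actual={r['actual']:<7} -> {r['verdict']}")
```

A declared .exe or .scr that really is an executable comes back as "consistent" here; whether such attachments are allowed at all is a separate policy decision, which is why the verdict reports the sniffed type alongside the mismatch rather than collapsing everything into one flag.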

Nonetheless, there is still concern about the worm. As Dunham adds, “Slowly evolving threats like Grew.A often lead to increased fear, uncertainty, and doubt without the help of an intelligence provider. It makes it almost impossible for some to get qualified research data on a worm when there is so much misinformation, aliases, and other data available on the Internet.”

So let’s all take a minute to breathe deeply…and then run around in a blind panic.