Damage forecast low for file-trashing virus

A virus that is scheduled to begin deleting files on Friday from infected Windows computers is unlikely to result in widespread damage, security vendors said, although some businesses reported being affected.

F-Secure Corp. has been in contact with one large U.S. company that had "tens of thousands of infected computers," said Mikko Hyppönen, F-Secure's chief research officer.

The company, which Hyppönen declined to identify but said was not an F-Secure customer, had been working to cleanse the machines. It may keep its computers switched off Friday as a precaution until it can be sure they are virus-free.

There had been no reports early Friday of data being wiped out, although antivirus vendors said it may take a few days for problems to emerge, especially for consumers, who are less likely to notice damage right away. The virus has several names, including Blackdoom, Nyxem, Kama Sutra and Mywife. It was detected in mid-January.

Antivirus vendors have been updating their software to protect and cleanse machines of the destructive code, said David Emm, senior technology consultant at Kaspersky Lab Ltd. The malware contains code that will overwrite most files on a computer on the third day of each month, replacing them with error messages.

Computers become infected if a user opens a PIF (Program Information File) attachment contained in an e-mail. In addition to dropping the destructive code on a computer, the worm harvests e-mail addresses and sends itself out again. The e-mails often use the promise of pornography to lure users into opening the attachment, a relatively dated method.

Up to 300,000 machines may be infected worldwide, with concentrations in India, Turkey, Mexico, Peru and Australia, according to antivirus vendors. The spread of e-mail worms is fairly random, Hyppönen said.

Those countries may be affected the most if the worm happened to find computers with big lists of e-mail addresses in those countries to mail itself out to, Hyppönen said.

India appeared to have been infected the most as of Friday morning, with the virus emanating from around 4,000 IP addresses in that country, said Alex Shipp of MessageLabs Ltd. About 1,000 IP addresses were affected in the U.S., and 102 in the U.K., he said.

It may take a few days for the "sob stories" to emerge from hapless users, Shipp said.

The number of attacks against customers of SecureWorks Inc. has doubled since Tuesday, to 939, the company said. It reported the most activity in India, Australia and the U.S.

Machines protected by antivirus software could still be vulnerable since other malware, such as the Bagle virus, can shut off those programs, Hyppönen noted.

Publicity surrounding the worm may have made users more careful about protecting their computers. A chain of computer stores in the U.K. was warning users of the worm on its call-in number.

"At the moment, we are not sure of the impact of it," said Omar Qureshi, who works on the PC Service team for PC World stores. It may be three or four days before reports of problems trickle in, he said.

