Content

How strong is the Kama Sutra Worm?

Security experts are unsure how widespread the Nyxem.E worm actually is, saying the webcounter associated with the virus may overestimate the number of infected PCs.

The Nyxem worm, also known as the Kama Sutra Worm and a number of other aliases, is set to delete files on infected PCs on Feb. 3.

Ken Dunham, director of the Rapid Response Team at iDefense, said late last week that the worm, which he calls Grew.A, may not be as widespread as some experts predicted.

"Grew.A may not be nearly as prevalent as some may fear. The web counter is easily discovered by anyone investigating the worm. Also, the worm counter may not have started at zero," he said. "Finally, it records each hit or page view, rather than unique IP addresses, and could be manipulated. Data to date shows that this worm is not a massive epidemic but that it is temporarily more successful than long-term persistent threats such as NetSky and Zafi variants."

Microsoft's Anti-Malware Team recommended on its weblog this week that users run an up-to-date anti-virus program on PCs and be wary of suspicious email attachments, even if sent from a familiar email address.

Microsoft said a company investigation "has revealed that the web counter that is incremented by the malicious software is being artificially manipulated by outside parties."

"It is therefore not a trustworthy indication of the infection rate or of the total of infected computers," the Anti-Malware Team said. "Instead, we utilize our industry partnerships as well as our own internal data to help gauge the impact to customers. This information has revealed that the attack is limited at this time."

Emails containing the Kama Sutra Worm, also called W32/Nyxem-D by Sophos, generally contain profanity and claim to carry a number of sexually explicit pictures and movies.

F-Secure said on its website that internet service providers should monitor traffic to the virus' webcounter, an idea the firm's own ISP has used.

"Whenever an IP within their address space goes there, an email is sent out to the technical contact informing them that they have a machine that potentially could be infected," the firm said. "The email also included links to information on how to remove the worm."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.