Kama Sutra Worm makes early attacks

Security firms are warning PC users that one way to avoid early activation of the Kama Sutra Worm is to make sure all clocks are set correctly.

According to F-Secure, the Nyxem worm has already entered its new stage on PCs with early dates and times times set, rewriting files ending in .doc, .xls, .ppt, .zip, .rar, .pdf or .mdb.

The trojan is set to enter its next stage on Friday.

"This is nasty, as this is done on all mounted drives, ie. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives," said Mikko Hypponen, F-Secure chief research officer. "Also, if you're taking daily automatic backups, you might end up backing up the corrupted files over good files."

F-Secure estimated that more than 300,000 PCs have been affected by the virus – mostly in India, Turkey and Peru.

Security experts said this week that the trojan may not be as widely spread as many originally thought. The infection counter on an associated site did not start at zero and has overestimated the number of PCs with the virus, said Ken Dunham, director of the Rapid Response Team at iDefense.

Microsoft issued a security advisory on the worm, which it calls Win32/Mywife@mm, on Tuesday, saying user should not open unusual attachments from unfamiliar sources.

"As with all currently known variants of the Mywife malware, this variant does not make use of a security vulnerability, but is dependant on the user opening an infected file attachment. The malware also attempts to scan the network looking for systems it can connect to and infect," warned Microsoft. "It does this in the context of the user. If it fails to connect to one of these systems, it tries again by logging on with 'administrator' as the user name together with a bank password."

Emails containing the Kama Sutra Worm, called W32/Nyxem-D by Sophos, generally contain profanity and claim to carry a number of sexually explicit pictures and movies.

Eugene Kaspersky, head of research and development at Kaspersky Lab, said users should maintain updated anti-virus software to defend against the worm, which his firm calls Nyxem.e.

"Internet watchdogs are confirming Kaspersky Lab statistics – that is, significant numbers of computers are infected with Nyxem.e. Feb. 3, 2006, could turn out to be a very difficult day with unprotected users losing data and the internet community at large suffering from heavy traffic," he said. "All users should avoid launching email attachments that have nor been scanned. They should also update their antivirus databases and then scan their computers to make sure that their machines are Nyxem free."

Russ Cooper, senior information security analyst with Cybertrust, said the malware isn't extraordinarily dangerous - in comparison to other viruses.

"There isn't anything that makes this virus spread any faster than any other virus," he said. "This uses the same vectors that thousands of other viruses use."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.