Blackworm D-Day Turns Out to Be a Dud

The dreaded Blackworm was not so dreadful after all, thanks to a quick and thorough response from the security community and ISPs.

While the world held its breath, there were few noticeable effects from the dreaded Blackworm, which began deleting files on infected Windows computers Friday, according to interviews with computer virus experts.

The worm, which also goes by the names "Kama Sutra," "Nyxem" and "MyWife," is continuing to spread, but is not causing the damage that many predicted.

At least one expert credited a robust response from the security community and ISPs for thwarting the attack.

Blackworm spreads through infected attachments to e-mail messages and over shared network computer drives. It first appeared in mid-January and has been spreading steadily since then.

The worm became the subject of much speculation after researchers discovered a Web page counter that infected machines communicated with, which at one point put the number of Blackworm infections in the millions of systems.


The worm also garnered attention for a time-activated feature that deleted popular computer documents, such as Microsoft Word and Adobe PDF files, on the third day of each month.

However, U.K. firm Sophos Plc had not received any reports of damage from infections late on Feb. 3, according to Graham Cluley, senior technology consultant at Sophos.

The company, which mainly serves corporate customers, had virus updates that detected Blackworm more than two weeks ago and suspects that customers long ago removed any Blackworm infections on their network, Cluley said.

However, the virus is still spreading.

F-Secure of Finland reported that almost 18 percent of all virus e-mails detected in the last 24 hours were Blackworm, which the company calls Nyxem, according to data posted on the company's blog.

The worm may have infected a total of 300,000 computers, but only around 20,000 unique IP addresses are currently reporting Blackworm infections. Estimates of the total number of infected machines could be double that number, said Alex Shipp of MessageLabs Inc., a New York e-mail security company.

One IP address could represent a network with many computers on it, he said.

MessageLabs, which processes around one billion e-mail messages a week, is seeing approximately 11,000 new computers report infections each day, but also a similar number drop off the list, he said.

Most infections are in two countries: India, which has around 5,000 IP addresses associated with infections, and the United States, which has around 1,200 IP addresses reporting Blackworm infections.

In Europe, Italy has the largest number of IP addresses reporting infections, with 379. Great Britain has just 180, he said.

Italian news outlets reported on Friday that municipal offices in Milan, Italy, were closed after more than 10,000 computers were infected with Blackworm. Authorities shut the computers down on Friday to avoid having the virus delete files, according to the reports.

Most of the infections are believed to be on machines owned by individuals, not companies or governments. It may be too early to assess the damage caused by the worm deleting files until later in the weekend, after home users start up their computers, F-Secure said.

However, the ominous reports of large-scale damage from Blackworm were overblown, said Cluley.

"There's egg on the face of the [anti-virus] industry. People are already cynical about us," he said.


Experts may have paid too much attention to the worm's Web counter, especially after it became clear that it was being manipulated by traffic from armies of zombie computers called "botnets," Cluley said.

Blackworm's February 3 deadline also created a sense of drama and expectation, he said.

"Everybody loves a ticking time bomb!" Cluley said.

However, the deadline gave computer users, companies and the security community time to react to the threat, experts agree.

With concerted effort by law enforcement, software vendors and ISPs, many of the Blackworm infections were spotted and removed prior to the deadline for deleting files, Shipp said.

"I reckon there was a lot of hard work behind the scenes that I think paid off," he said.

Like most computer viruses, Blackworm will not disappear. Instead, it will linger in the shadows, popping up on the third of each month when it deletes files on computers it has infected, Shipp said.

"There could be a similar sad tale next month," he said.
