E-Mail Worm Could Wreak Havoc

Security volunteers post 'urgent alert'

A high-powered group of security volunteers is raising an "urgent alert" for a potentially destructive e-mail worm crawling through in-boxes, warning that the worm's payload is capable of destroying important documents on an infected machine.

The worm, which uses the lure of sexually explicit Kama Sutra photographs to trick e-mail users into opening an attachment, is programmed to deliver the destructive payload on the third day of every month.

With Feb. 3 fast approaching, members of the MWP (Malicious Web sites and Phishing) research and operational mailing list have set up a task force to track the threat and help ISPs identify infected users in their Netspace. Gadi Evron, CERT manager in Israel's Ministry of Finance, in Jerusalem, is coordinating an industrywide effort to get businesses and consumers to update anti-virus definitions to help thwart the continued spread of the worm.

"This risk may turn out to be nothing, and whatever happens, the Internet is not going to die. ... However effective or ineffective this may be, we urge users to update their anti-virus [signatures] as soon as possible and scan their computers and/or networks," Evron said in a call-to-arms message posted on the SecuriTeam site.

As of Jan. 24, more than 700,000 computers had already been infected by the worm, according to a stats counter used by the worm's author.

Adding to the confusion is that anti-virus software vendors are all using different names to identify the worm. In addition to Kama Sutra, the worm has been named Blackworm, Blackmal, MyWife and Nyxem.

According to F-Secure virus researcher Alexey Podrezov, the mass-mailing worm also tries to spread using remote shares. Once a machine gets infected, the worm disables anti-virus and other security software before delivering a payload that destroys certain file types.

Once the worm's update.exe file is run, it destroys all .doc, .xls, .ppt, .pdf, .zip and .psd files on all available drives.

"It's a rather destructive payload. You're looking at probably several hundred thousand users that would have data loss—and pretty serious data loss at that," said Alex Eckelberry, president of anti-virus vendor Sunbelt Software, in Clearwater, Fla.

In an interview, Eckelberry said the post-infection cleanup is made difficult because of the way the worm disables all anti-virus programs.

"When it destroys the data, there's no going to the recycle bin to get it back. It destructively destroys the data," Eckelberry stressed.

The LURHQ Threat Intelligence Group has released Snort IDS (intrusion detection system) signatures to help enterprises detect infected users.

In addition, LURHQ recommends that executables and unknown file types be blocked at the e-mail gateway to prevent the worm from entering the network. The attachments sent by the worm may have the following extensions: .pif, .scr, .mim, .uue, .hqx, .bhx, .b64 and .uu.

"At this time we have seen almost no infections across our customer base using our IDS platform and these signatures. Networks which utilize up-to-date desktop anti-virus on all machines should experience no problems.

"However, the worm does attempt to disable AV and security software, so advising users to test their AV may also be in order. If the AV refuses to run, it may be an indication of infection by this or another worm," according to the LURHQ advisory.

"It is important to note that although the worm enters a network as an e-mail attachment, once a machine is infected, it will attempt to copy itself to open Microsoft network C: or Admin shares as winzip_tmp.exe, so machines without e-mail access could still be affected," the advisory said.

"If you have any of these shares open on your network, searching for this file name on the shares is a good way to tell if anyone has been infected," the advisory said.
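The two defensive checks the LURHQ advisory recommends, blocking the listed attachment extensions at the e-mail gateway and searching open shares for winzip_tmp.exe, as an added example that is not code from the article or from LURHQ. The sample message builder, the file names and paths it is run over, and the extra list of executable extensions are constructed assumptions for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment extensions the advisory lists for this worm's e-mails.
WORM_EXTENSIONS = {".pif", ".scr", ".mim", ".uue", ".hqx", ".bhx", ".b64", ".uu"}
# Generic executable types to block at the gateway (assumption: a minimal list).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Name the advisory says the worm uses when copying itself to open shares.
SHARE_DROP_NAME = "winzip_tmp.exe"


def flagged_attachments(raw_message: bytes) -> list:
    """Return the attachment names in an RFC 822 message that should be blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Judge by the final extension, case-insensitively, so "photo.jpg.scr"
        # is still treated as a .scr screen-saver executable.
        ext = os.path.splitext(name.strip().lower())[1]
        if ext in WORM_EXTENSIONS or ext in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits


def find_share_drops(file_paths) -> list:
    """Pick out paths whose base name is winzip_tmp.exe from a share listing."""
    return [p for p in file_paths
            if os.path.basename(p).lower() == SHARE_DROP_NAME]


def scan_share(root: str) -> list:
    """Walk a mounted share and return every winzip_tmp.exe found under it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return find_share_drops(paths)


def build_sample_message(attachment_names) -> bytes:
    """Construct a test message with one dummy attachment per name (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for name in attachment_names:
        msg.add_attachment(b"dummy bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```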