Microsoft's anti-malware engineering team has joined the chorus of calls for computer users to be on high alert for an e-mail worm that uses social engineering tactics to deliver a destructive payload.
The company issued an official security advisory to back up a warning from its anti-malware researchers that the worm—known variously as Kama Sutra, Blackworm, MyWife.E and Nyxem.E—is programmed to “permanently corrupt a number of common document format files on the third day of every month.”
With a D-Day of February 3, 2006 fast approaching, Microsoft is beating the drum for PC users to update anti-virus signatures and be on high alert for suspicious e-mail attachments.
Volunteer security researchers have already notified ISPs about possible customer infections, and the LURHQ Threat Intelligence Group has released Snort signatures to help enterprises detect infected users on their networks.
Finnish anti-virus vendor F-Secure has released a free disinfection tool to help clean compromised computers before the Feb. 3 deadline.
F-Secure chief incident officer Mikko Hypponen said the first reports of destruction have already started to filter in.
“The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you're infected and your clock is not set right, things could start to happen at any time—even though the official activation time is the 3rd of the month,” Hypponen explained in a blog entry.
“We've already received first reports from users who've had files on their system overwritten by the worm.”
When the worm activates, it destroys all Microsoft Word, Microsoft Excel, PowerPoint, PDF, ZIP and PSD files on all available drives.
“This is nasty,” Hypponen said, noting that the payload may also hit USB thumb drives, external hard drives and network drives.
“If you're taking daily automatic backups you might end up backing up the corrupted files over good files,” he warned.
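That backup caveat is worth acting on before the next run: a file the worm has overwritten keeps its name and extension but no longer starts with the header its format requires. The following script is an added example, not code from the article, F-Secure or Microsoft; it walks a directory and flags files of the types named above (Word, Excel, PowerPoint, PDF, ZIP, PSD) whose leading bytes do not match a known signature, so they can be excluded from a backup or restored from an older copy. File signatures are standard format facts; the sample tree in the usage is constructed.

```python
"""Pre-backup header check for the document types the worm overwrites.

Compares each file's first bytes with the signature its extension implies.
A mismatch means the content was replaced and must not overwrite a good backup.
"""
import sys
from pathlib import Path
from typing import List

# Word, Excel and PowerPoint files of this era are OLE2 compound documents
# and share one signature. Other entries are the formats' standard magic bytes.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SIGNATURES = {
    ".doc": (OLE2,),
    ".xls": (OLE2,),
    ".ppt": (OLE2,),
    ".pdf": (b"%PDF",),
    # Normal, empty, and spanned ZIP archives have different local headers.
    ".zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    ".psd": (b"8BPS",),
}


def looks_intact(path: Path) -> bool:
    """True if the file's header matches a signature for its extension.

    Extensions not listed in SIGNATURES are not checked and count as intact.
    """
    expected = SIGNATURES.get(path.suffix.lower())
    if expected is None:
        return True
    with path.open("rb") as fh:
        head = fh.read(max(len(sig) for sig in expected))
    return any(head.startswith(sig) for sig in expected)


def find_suspect_files(root: Path) -> List[Path]:
    """Walk root recursively; return files whose header contradicts their extension."""
    return sorted(p for p in root.rglob("*") if p.is_file() and not looks_intact(p))


if __name__ == "__main__":
    # Usage: python check_headers.py /path/to/documents
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for suspect in find_suspect_files(target):
        print(f"SUSPECT (header does not match extension): {suspect}")
```

Run it against the source tree before the backup job, and quarantine or restore anything it lists rather than letting the backup copy it forward.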
The number of machines already infected is believed to be in the range of 300,000, mostly in India, Turkey and Peru. But, with ISPs already notified, most of those machines may already have been cleaned.
In Microsoft's advisory, the company said the malware sends itself to all the contacts contained in an infected system's address book. It is also programmed to spread over writeable network shares on systems that have blank administrator passwords.
The company also issued the following guidance for Windows users:
Use up-to-date antivirus software:
Most anti-virus software can detect and prevent infection by known malicious software. Always run anti-virus software that is automatically updated with the latest signature files to help protect from infection.
Use caution with unknown attachments:
Use caution before opening unknown e-mail attachments, even if the sender is known. If you cannot confirm with the sender that a message is valid and that an attachment is safe, delete the message immediately. Then, run up-to-date anti-virus software to check your computer for viruses.
Use strong passwords:
Strong passwords on all privileged user accounts, including the Administrator account, will help block this malware's attempt to spread through network shares.