Urgent Alert Raised for Blackworm D-Day

A mass-mailing worm using the lure of sexually explicit Kama Sutra images is capable of delivering a destructive payload on Feb. 3, according to a "call-to-arms" warning from security experts.

A high-powered group of security volunteers are raising an "urgent alert" for a potentially destructive e-mail worm crawling through inboxes, warning that the worms payload is capable of completely destroying important documents on an infected machine.

The worm, which uses the lure of sexually explicit Kama Sutra photographs to trick e-mail users into executing an attachment, is programmed to deliver the destructive payload on the third day of every month.

With a D-Day of Feb. 3 fast approaching, members of the MWP (Malicious Web sites and Phishing) research and operational mailing list have set up a task force to track the threat and help ISPs identify infected users in their net-space.

Gadi Evron, CERT manager in Israels ministry of finance, is coordinating an industry-wide effort to get businesses and consumers to update anti-virus definitions to help thwart the continued spread of the worm.

"This risk may turn out to be nothing and whatever happens, the Internet is NOT going to die ... However effective or ineffective this may be, we urge users to update their anti-virus [signatures] as soon as possible and scan their computers and/or networks," Evron said in a call-to-arms message posted on the SecuriTeam site.

/zimages/2/28571.gifIs anti-virus software the next big worm target? Click here to read more.

At 5:00 p.m. on Jan 24, more than 700,000 computers had already been infected by the worm, according to a stats counter used by the worm author. Finnish anti-virus vendor F-Secure, said the worm accounts for more than 17 percent of all virus infections in the last 24 hours.

Adding to the confusion is the fact that anti-virus vendors are all using different names to identify the worm. In addition to Kama Sutra, the worm has been named Blackworm, Blackmal, MyWife and Nyxem.

According to F-Secure virus researcher Alexey Podrezov, the mass-mailing worm also tries to spread using remote shares. Once a machine gets infected, the worm completely disables anti-virus and other security software before delivering a payload that destroys certain file types.

Once the worms UPDATE.EXE file is run, it destroys all Microsoft Word, Microsoft Excel, PowerPoint, PDF, ZIP and PSD files on all available drives.

"Its a rather destructive payload. Youre looking at probably several hundred thousand users that would have data loss—and pretty serious data loss at that," said Alex Eckelberry, president of anti-virus vendor Sunbelt Software.

In an interview with eWEEK, Eckelberry said the post-infection clean-up is made difficult because of the way the worm disables all anti-virus programs.

"When it destroys the data, theres no going to the recycle bin to get it back. It destructively destroys the data," Eckelberry stressed.

The LURHQ Threat Intelligence Group has released Snort signatures to help enterprises detect infected users in a net-space.

In addition, LURHQ recommends that executables and unknown file types be blocked at the e-mail gateway to prevent the worm from entering a network. The attachments sent by the worm may contain the following extensions: pif, scr, mim,uue, hqx, bhx, b64, and uu.

/zimages/2/28571.gifMIcrosoft plugs critical e-mail server holes. Click here to read more.

"At this time we have seen almost no infections across our customer base using our IDS platform and these signatures. Networks which utilize up-to-date desktop anti-virus on all machines should experience no problems. However, the worm does attempt to disable AV and security software, so advising users to test their AV may also be in order. If the AV refuses to run, it may be an indication of infection by this or another worm," according to the LURHQ advisory.

"It is important to note that although the worm enters a network as an e-mail attachment, once a machine is infected, it will attempt to copy itself to open MS network C or Admin shares as WINZIP_TMP.exe, so machines without e-mail access could still be affected.

"If you have any of these shares open on your network, searching for this file name on the shares is a good way to tell if anyone has been infected," the advisory said.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.