Kama Sutra Damage: Don't Have Full Picture


The Kama Sutra worm has caused only scattered damage, security companies reported Friday, but because most still-infected computers belong to home users, the real scale of any data loss probably won't be known until early next week.

Unconfirmed reports from India -- which ranked in the top three countries for number of infected PCs -- said that some companies had had files overwritten by the worm, which also goes by the name Blackworm, Blackmal, MyWife, and Nyxem. Calls to India's CERT (Computer Emergency Response Team), however, were not answered early Friday.

IT administrators in Milan, Italy, turned off more than 10,000 computers after discovering Kama Sutra infections late Thursday, and were unable to disinfect all the machines before the Friday trigger date.

"It has spread to all our computers," Giancarlo Martella, Milan's councilman for technological innovation and public services, told the Associated Press. "Knowing how destructive it is, we turned off all personal computers to avoid losing our data."

An accurate picture of Kama Sutra's damage -- which wasn't expected to be huge -- may not be possible until early next week, said security experts, since home and small business users would be the most likely to have missed the many alerts.

"The vast majority of the machines infected by Nyxem are home computers," said Mikko Hypponen, chief research officer of F-Secure, in an entry on the Helsinki firm's blog. "Nothing will happen until people get home from work and boot up their machines. Half an hour later the damage starts. The user won't realize what's going on until an hour or two later, when it's already late Friday night."

David Emm, a senior technology consultant with security vendor Kaspersky Labs, agreed.

"Enterprises are much better at gearing up for something like this," said Emm. "But small business and home users often don't have up-to-date anti-virus software. It may take some time to know what damage was caused."

Kama Sutra's most distinguishing characteristic is its monthly overwriting of files in 11 formats, including documents from the popular Microsoft Office suite, on the third day of each month. The first such trigger date was Friday, Feb. 3.

Other security professionals gave credit for the low impact so far to the long lead time, which gave users plenty of time to sniff out the worm, and remove it from contaminated systems.

"A significant percentage of infected computers were successfully cleaned before the Feb. 3 overwrite date, largely due to security expert and media efforts," said Ken Dunham, the director of intelligence firm iDefense's rapid response team.

"The situation may have been much more grim if the worm had executed a malicious payload just a few days after it spread, around the peak of infection when most users still didn't know much about it," Dunham added.

U.K.-based e-mail security provider Messagelabs said its monitoring of infected systems showed that users had been particularly busy this week cleaning PCs of the worm. Up to Friday, as many as 11,000 systems were being disinfected each day.

This is the second time this year that a predicted attack didn't pan out, either because it was overrated or because the security business did its job. In early January, an anticipated update to a widespread Sober variant didn't disrupt the Internet.

Then, some experts theorized that the Sober author postponed the update because of the massive publicity that the worm had received running up to the Jan. 5 deadline.

"Maybe the Sober guys will look for something a little less hot to work on," iDefense's Dunham said at the time.