FAQ: How Bad Is Kama Sutra?


Sometime on Friday computers already infected with the Kama Sutra worm will start writing over important documents, rendering them useless and potentially causing catastrophic damage to consumers and businesses.

The worm, though not nearly as widespread as several that hit Windows PCs in 2005, has caught users' attention for that reason. It's a throw-back to times when hackers crafted their code to destroy data, not to make a buck.

What is this worm called?
Good question. According to some lists, the worm has more than two dozen monikers. The most popular, though, are Kama Sutra, Blackworm, Blackmal, MyWife, and Nyxem. It's also been dubbed CME-24 by the Common Malware Enumeration database, which is supposed to provide one name for malicious code.

What will the worm do?
On Friday, the worm will write the text string "DATA Error [47 0F 94 93 F4 F5]" over all data in files with file formats from Microsoft Office (.doc, .xls, .mdb, .mde, .ppt, .pps) and Adobe (.pdf, .psd), as well as popular compression formats (.zip, .rar) and memory dumps (.dmp). The worm will seek out these files on all connected drives, including mounted network drives, USB-based flash drives, and external drives.

It also disables many popular security programs -- those from Computer Associates, Kaspersky, McAfee, Panda, Symantec, and Trend Micro -- so that users won't be able to sniff it out once it's planted on the PC.

When does it start destroying files?
According to the security firms which pulled apart the worm's code, it will overwrite files on the third of each month, local time. Friday, Feb. 3, is the first such trigger. The worm will activate by looking at the PC's clock -- not, as have other worms, by synchronizing with time servers -- which is why there have been scattered reports of damage already. Helsinki-based F-Secure, for instance, has said it has received reports from users -- with incorrectly-set PC clocks -- who have had files overwritten.

How many machines have been infected?
The consensus seems to be that there are about 300,000 compromised PCs, worldwide. That number, however, has been extrapolated from the Web-based counter which was, at least for a time, providing a pretty accurate picture of the infection scale. The counter, which was triggered each time a PC was infected with the worm, was apparently manipulated by a large-scale denial-of-service (DoS) attack, perhaps by the worm's original author or another hacker.

What can users do to protect themselves?
Most security organizations have made the standard recommendation -- use anti-virus software and keep its definitions up-to-date -- from the beginning. Other advice doled out by Microsoft in a security advisory this week included the also-usual items of not opening e-mail attachments (that's how the worm is packaged and distributed) and running Windows in User, not Administrator, mode.

Security vendors' warnings are getting shriller as the Friday deadline approaches, with a universal recommendation that users run an anti-virus scan as soon as possible, and certainly before Friday, PC clock time.

Those without anti-virus software or who have been infected -- remember, the worm disables a wide range of security software -- can run one of the free tools security companies have posted on the Internet. Symantec, for instance, has one here. And although Microsoft's declined to update its Windows Malicious Software Removal Tool out-of-cycle, its online security service, Windows Live Safety, and its in-beta OneCare Live software disinfect compromised computers.

Where did the worm come from?
Nobody knows. It's not a new piece of malware, however. The current variant is part of a family that goes back to March 2004, when Nyxem.a launched a DoS attack against the New York Mercantile Exchange Web site.

How serious, really, is the threat?
Security vendors generally agree that the worm is no Sober, no Zotob, and certainly no MSBlast. Their threat rankings for the worm reflect that. Symantec, for example, tagged it as a "2" in its 1-5 scale from the start, and hasn't moved it off that number. F-Secure, which uses a 1-4 ranking, slapped the worm with "2," and Microsoft labeled it as "Moderate" in its three-level system.

Largely because the number of infected machines is thought to be relatively low, no one has been calling for Doomsday.

But some security companies' language is strong. In an alert to its DeepSight customers, Symantec said "it is of crucial importance that this threat be removed if it is found" and "that careful vigilance is executed over the coming days."