Countdown On For Kama Sutra


As the clock continues to tick toward the anticipated destruction of Microsoft Office documents, Adobe files, and backup archives, security companies on Thursday posted their latest research and advice on the Kama Sutra worm.

Also known as Blackworm, Blackmal, MyWife, and Nyxem, the worm has been active for about three weeks. It's a throwback, designed not simply to hijack a PC or steal confidential information, but to destroy data. Starting Friday, Feb. 3, it will begin corrupting 11 different file formats by overwriting those documents and files with a mindless string of text.

Chicago-based LURHQ revisited its data, and now puts the estimate of Kama Sutra-infected systems at twice its earlier guess. "Based on the more recent logs plus different methodology, we believe the total number of users infected worldwide is actually closer to 600,000," said the company in a Web site posting.

Helsinki, Finland-based F-Secure, meanwhile, said Thursday that although the worm is supposed to ruin files on any network drives connected to an infected machine, its tests weren't able to duplicate that behavior.

"In practice, the worm failed to [damage files] on network drives, at least in our test environment. Files on local and removable drives (including USB memory) were damaged by the payload," the company noted in an online alert.

A researcher at the Internet Storm Center (ISC) confirmed the finding in independent tests. "At this point, I do not believe that the destructive payload will occur via shares and/or mapped drives," concluded ISC's Lorna Hutcheson.

Microsoft chimed in with an updated security advisory, originally released Monday, that now tells enterprise users a blank log-in password may protect them from the worm spreading throughout the network.

"In an environment where you can guarantee physical security, you do not need to use the account across the network, and you are using Windows XP or Windows Server 2003, a blank password is better than a weak password," the advisory now reads. Blank passwords, Microsoft added, can be used locally in Windows XP (SP1 and SP2), Windows Server 2003, and Windows Server 2003 SP1. "If the account password is blank, the account is not valid as a network credential," the advisory states.

But it was U.K.-based Sophos that had the smartest advice Thursday: Don't panic.

"Sit down, have a cup of tea, and work out if you have done everything you should have done to ensure your computer isn't at risk from the Nyxem worm, and indeed any of the other 120,000 pieces of malware in existence," said Graham Cluley, senior technology consultant at Sophos, in a statement.