FAQ: How Bad Is Kama Sutra?
By Gregg Keizer
TechWeb.com, Wed Feb 1, 5:06 PM ET
Where did the worm come from?
Nobody knows. It's not a new piece of malware, however. The current
variant is part of a family that goes back to March 2004, when Nyxem.a
launched a DoS attack against the New York Mercantile Exchange Web
site.
How serious, really, is the threat?
Security vendors generally agree that the worm is no Sober, no Zotob,
and certainly no MSBlast. Their threat rankings for the worm reflect
that. Symantec, for example, tagged it as a "2" in its 1-5 scale from
the start, and hasn't moved it off that number. F-Secure, which uses
a 1-4 ranking, slapped the worm with "2," and Microsoft labeled it as
"Moderate" in its three-level system.
Largely because the number of infected machines is thought to be
relatively low, no one has been calling for Doomsday.
But some security companies' language is strong. In an alert to its
DeepSight customers, Symantec said "it is of crucial importance that
this threat be removed if it is found" and "that careful vigilance is
executed over the coming days."
Sometime on Friday, computers already infected with the Kama Sutra worm
will start writing over important documents, rendering them useless
and potentially causing catastrophic damage to consumers and
businesses.
The worm, though not nearly as widespread as several that hit Windows
PCs in 2005, has caught users' attention precisely because of that
destructive payload. It's a throwback to the days when hackers crafted
their code to destroy data, not to make a buck.
What is this worm called?
Good question. According to some lists, the worm has more than two
dozen obscene monikers. The most popular, though, are Kama Sutra,
Blackworm, Blackmal, MyWife, Nyxem and ErectPenis. It's also been
dubbed CME-24 by the Common Malware Enumeration database, which is
supposed to provide one name for malicious code.
What will the worm do?
On Friday, the worm will write the text string "DATA Error [47 0F 94
93 F4 F5]" over all data in files with file formats from Microsoft
Office (.doc, .xls, .mdb, .mde, .ppt, .pps) and Adobe (.pdf, .psd), as
well as popular compression formats (.zip, .rar) and memory dumps
(.dmp). The worm will seek out these files on all connected drives,
including mounted network drives, USB-based flash drives, and external
drives.
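The overwrite behaviour described above lends itself to a simple forensic triage check. The Python script below is an added example, not code from the article or from any of the vendors it cites: it walks a directory tree, looks only at the extensions the article lists, and flags a file as overwritten when its entire contents consist of the marker string repeated (that the payload fills the whole file with repetitions of the string is an assumption made here, as is the fallback check on well-known file signatures). The sample files it scans are constructed inline, so it runs offline.

```python
"""Triage scanner for files damaged by the Nyxem/Blackworm overwrite payload.

Added example; not the article's or any vendor's code. Assumptions (see
comments): the payload fills the whole file with repetitions of MARKER,
and the sample directory tree is constructed here for demonstration.
"""
import tempfile
from pathlib import Path

# Text string the article reports the worm writes over file contents.
MARKER = b"DATA Error [47 0F 94 93 F4 F5]"

# File extensions the article lists as targets.
TARGET_EXTENSIONS = {
    ".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
    ".pdf", ".psd", ".zip", ".rar", ".dmp",
}

# Expected leading bytes for formats with a stable signature. Used as a
# secondary check: a targeted file missing its normal signature is worth
# a look even when the marker is absent. (.mdb/.mde/.dmp are left out.)
MAGIC = {
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".rar": b"Rar!\x1a\x07",
    ".psd": b"8BPS",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0",
    ".ppt": b"\xd0\xcf\x11\xe0",
    ".pps": b"\xd0\xcf\x11\xe0",
}


def classify(data: bytes, ext: str) -> str:
    """Return 'overwritten', 'suspicious' or 'ok' for one file's contents."""
    if not data:
        return "ok"  # an empty file carries no marker; nothing to judge
    n = len(MARKER)
    if data[:n] == MARKER:
        # Assumption: the payload repeats MARKER until the original length is
        # reached, so every full block must match and any tail must be a
        # prefix of MARKER. Checking all blocks avoids flagging a legitimate
        # document that merely happens to contain the string once.
        whole = len(data) - len(data) % n
        blocks_ok = all(data[i:i + n] == MARKER for i in range(0, whole, n))
        tail_ok = MARKER.startswith(data[whole:])
        return "overwritten" if blocks_ok and tail_ok else "suspicious"
    signature = MAGIC.get(ext)
    if signature and not data.startswith(signature):
        return "suspicious"
    return "ok"


def scan(root) -> dict:
    """Map relative path -> verdict for every targeted file that is not 'ok'."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        ext = path.suffix.lower()
        if not path.is_file() or ext not in TARGET_EXTENSIONS:
            continue
        data = path.read_bytes()  # whole file; the overwrite check needs all of it
        verdict = classify(data, ext)
        if verdict != "ok":
            findings[path.relative_to(root).as_posix()] = verdict
    return findings


def build_sample_tree(root) -> None:
    """Constructed sample files (not real victim data) to exercise the scanner."""
    root = Path(root)
    (root / "reports").mkdir()
    (root / "reports" / "q4.doc").write_bytes(MARKER * 40)              # fully overwritten
    (root / "reports" / "q4.xls").write_bytes(MARKER * 3 + MARKER[:7])  # overwritten, truncated tail
    (root / "manual.pdf").write_bytes(b"%PDF-1.4\n%intact document\n")  # intact
    (root / "notes.txt").write_bytes(MARKER * 2)                        # not a targeted extension
    (root / "archive.zip").write_bytes(b"junk " * 10)                   # no marker, wrong signature
    (root / "advisory.doc").write_bytes(                                # mentions the marker inside only
        b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + MARKER)


def demo() -> dict:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:12} {name}")
```

Run against a real tree by calling scan() on the drive or share root instead of the constructed directory; files reported as "suspicious" deserve a manual look, since a missing signature can also mean an unusual but legitimate file.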
It also disables many popular security programs -- those from Computer
Associates, Kaspersky, McAfee, Panda, Symantec, and Trend Micro -- so
that users won't be able to detect it once it's planted on the PC.
Among other techniques, it prevents the security programs from
downloading updates to themselves and leaves them reporting 'all okay'
when run. For this reason, users may want to manually re-install
anti-virus software.
When does it start destroying files?
According to the security firms which pulled apart the worm's code, it
will overwrite files on the third of each month, local time. Friday,
Feb. 3, is the first such trigger. The worm will activate by looking
at the PC's clock -- not, as have other worms, by synchronizing with
time servers -- which is why there have been scattered reports of
damage already. Helsinki-based F-Secure, for instance, has said it has
received reports from users -- with incorrectly-set PC clocks -- who
have had files overwritten.
How many machines have been infected?
The consensus seems to be that there are about 300,000 compromised
PCs worldwide. That number, however, has been extrapolated from a
Web-based counter which was, at least for a time, providing a fairly
accurate picture of the infection's scale. The counter, which the worm
hit each time it infected a PC, was apparently later manipulated by a
large-scale denial-of-service (DoS) attack, perhaps by the worm's
original author or by another hacker.
What can users do to protect themselves?
Most security organizations have made the standard recommendation --
use anti-virus software and keep its definitions up-to-date -- from
the beginning. Other advice doled out by Microsoft in a security
advisory this week included the also-usual items of not opening e-mail
attachments (that's how the worm is packaged and distributed) and
running Windows in User, not Administrator, mode.
Security vendors' warnings are getting shriller as the Friday deadline
approaches, with a universal recommendation that users run an anti-virus
scan as soon as possible, and certainly before Friday, PC clock time.
Those without anti-virus software, or who have been infected --
remember, the worm disables a wide range of security software -- can
run one of the free tools security companies have posted on the
Internet. Symantec, for instance, has one. And although Microsoft has
declined to update its Windows Malicious Software Removal Tool
out-of-cycle, its online security service, Windows Live Safety, and
its in-beta OneCare Live software disinfect compromised computers.
Copyright 2006 CMP Media LLC.