The Kama Sutra, or Nyxem worm, expected to wreak havoc on unprotected PCs today, has activated locally.
The worm was programmed to start destroying files on infected PCs from midnight last night.
Eset Southern Africa, provider of Nod32 security software, says the worm is programmed to overwrite popular anti-virus and PC applications, Microsoft Office files, compressed archives such as .zip and .rar and PDF and image files.
"The worm could result in significant and damaging data loss, a characteristic that has not been present in a worm for some time," says Justin Stanford, CEO of Eset Southern Africa.
Stanford says the worm has activated locally and is still spreading, but it is too early to say how much damage has been caused to how many PCs.
"However, we have a flood of traffic to our site, www.nod32.co.za, where we have made a free cleaner available," he says.
Brett Myroff, CEO of local Sophos distributor Netxactics, says that in many ways, the Kama Sutra worm is a throwback to the days when "sexy" subject lines and attachment names were often used to tempt users to open the infected file.
Sophos says this obvious sign of infection - the wiping of data on a PC - is a far cry from the stealth tactics employed by modern cyber criminals, bent on financial gain.
The worm is described as a typical mass-mailing e-mail worm, which relies on users to click on an attachment to infect. The worm will harvest a PC for e-mail addresses and then mass-mail itself out using faked sender addresses. It also attempts to spread via network shares.
The subject of the worm-infected e-mail may include 'My photos`, 'School girl fantasies gone bad`, 'The Best Videoclip Ever`, 'A Great Video`, 'give me a kiss`, '*Hot Movie*`, 'Fwd: Photo`, 'Fw: Sexy`, 'Fw: Picturs`, 'Miss. Lebanon` or 'Please see the file`. There are believed to be around 25 possible subject lines and 20 message body variants.
"It claims to be a movie or picture with some sort of sexual content," Johannes Ullrich, chief research officer at the non-profit SANS Institute research group, told Reuters. "That is how it tricks you."
Myroff says Nyxem was the fourth-most prevalent virus reported worldwide last month, despite the fact that it was first seen as late as 18 January.
Kaspersky Lab estimates that hundreds of thousands computers around the world are infected, and the number of infected machines is still growing.
"The 3 February 2006 could turn out to be a very difficult day with unprotected users losing data and the Internet community at large suffering from heavy traffic," says Eugene Kaspersky, head of research and development at Kaspersky Lab.
Ken Dunham, rapid response director at VeriSign`s security unit iDefense, says users who suspect they may have triggered the worm should reinstall an anti-virus program and make sure the virus has been removed.
"It is already under way and will be activated unless people get removal tools," he notes. "If you have opened an e-mail and your computer froze up, you should be very concerned."
Share
