Computer Crime Research Center


More news from Kama Sutra worm

Date: February 01, 2006
Source: USA Today
By: Byron Acohido and Jon Swartz

A fast-spreading e-mail worm is raising alarms because its sole purpose is to obliterate the everyday working documents widely used by consumers, students and businesses.

The Kama Sutra worm — also referred to as Nyxem.E and Grew.A — is unnerving because, unlike other e-mail worms, it appears to be detached from any profit motive.

It is designed to destroy all Microsoft Word, Excel, Access and PowerPoint documents and Adobe Acrobat and Photoshop files on all hard drives connected to an infected PC.

"The amazing part is that there appears to be a lack of any motive behind this except destruction," says David Mayer, researcher at e-mail security firm IronPort Systems.

The worm appears in e-mail in-boxes with subject lines such as "hot movie," "A Great Video" or "Crazy illegal Sex!" enticing the recipient to click on an attachment. One variation makes reference to the ancient Sanskrit book on sexual positions.

By clicking on the attachment, the victim launches a program that disables anti-virus protection. The infected PC then begins to send copies of similarly tainted e-mail to every e-mail address on the victim's hard drive.

But while most e-mail worms also plant a back door to give an intruder control of the PC, or a program to steal log-ons and passwords, this worm's sole purpose is destruction. It implants a program to erase common work files on the third day of the month, hitting even external data-storage devices connected to the infected PC.

IDefense, a VeriSign company, confirmed the deletion program works. More than 500,000 PCs are believed to have been infected since it first appeared on Jan. 16. That's a modest infection rate, but victims face grim consequences. On Friday — Feb. 3 — any infected machines will lose all Microsoft documents and Adobe files.

Because big corporations have tighter e-mail defenses, small businesses and consumers are being harder hit, security experts say. But big companies aren't immune. The worm is designed to inject file-deletion instructions onto corporate servers. It does so via systems that share data with employees logging on to corporate systems from remote locations. "The worm can spread quite well once it finds its way beyond corporate firewalls," says Mikko Hypponen, chief research officer at F-Secure.


Copyright © 2001-2013 Computer Crime Research Center