
The Kama Sutra worm (now being referred to by some experts as BlackWorm) has caught the attention of a number of people in the security community.

I blogged a few days back about its rate of infestation.  Last Saturday, the number of infected machines was at about 500k.

Today, that number is getting close to 700k (we know that because this worm actually reports back to a server that is keeping track of the number of infections).

Why the worry?

On the 3rd of every month, it does some rather nasty things. From our friends at F-Secure:

The worm has a dangerous payload. If the date is equal to 3 (3rd of February, 3rd of March, etc.) and the worm’s UPDATE.EXE file is run, it destroys files with those extensions on all available drives:


Well, that’s not very friendly, is it? More here.
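The F-Secure description above gives a defender two concrete facts: the payload fires only when the day of the month is 3, and only when the worm’s UPDATE.EXE is run. The script below is an added example (not code from the original post, from F-Secure, or from the BlackWorm task force) that turns those two facts into a triage check: it scans process-start log lines for UPDATE.EXE launches that fell inside the trigger window, and it computes how many days are left before the next 3rd so a cleanup can be scheduled ahead of it. The log format, hostnames and file paths are constructed for illustration; the worm’s real install path is not given in the post.

```python
"""Added example, not from the original post or F-Secure: a small defender-side
triage check built only on what the post states -- the payload runs when the day
of month is 3 and the worm's UPDATE.EXE file is executed. Log format, hostnames
and paths below are constructed for illustration."""
import re
from datetime import date, datetime

TRIGGER_DAY = 3            # payload date stated in the post
WORM_IMAGE = "UPDATE.EXE"  # worm file name stated in the post

# Constructed process-start log lines: "<ISO timestamp> <host> <image path>".
# Paths are placeholders; the post does not say where the worm drops UPDATE.EXE.
SAMPLE_LOG = """\
2006-02-02T23:58:10 ws-17 C:\\Program Files\\Vendor\\update.exe
2006-02-03T00:04:31 ws-17 C:\\WINDOWS\\UPDATE.EXE
2006-02-03T09:15:02 ws-42 C:\\Temp\\update.exe
2006-02-04T07:30:00 ws-42 C:\\WINDOWS\\UPDATE.EXE
2006-02-03T10:00:00 ws-09 C:\\WINDOWS\\system32\\notepad.exe
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")


def parse_line(line):
    """Split one log line into (timestamp, host, image path); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def is_payload_window(ts):
    """True when the timestamp falls on the worm's trigger day (the 3rd)."""
    return ts.day == TRIGGER_DAY


def find_trigger_events(log_text):
    """Return (host, timestamp, path) for every UPDATE.EXE start that fell on
    the 3rd, i.e. the condition under which the post says files get destroyed.
    Windows file names are case-insensitive, so the comparison is too."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, path = parsed
        image = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if image.upper() == WORM_IMAGE and is_payload_window(ts):
            hits.append((host, ts.isoformat(), path))
    return hits


def days_until_trigger(today_iso):
    """Days left (0 if today is the 3rd) before the next payload date, so a
    cleanup can be scheduled before it. Takes an ISO date string."""
    today = date.fromisoformat(today_iso)
    if today.day <= TRIGGER_DAY:
        nxt = today.replace(day=TRIGGER_DAY)
    elif today.month == 12:
        nxt = date(today.year + 1, 1, TRIGGER_DAY)
    else:
        nxt = date(today.year, today.month + 1, TRIGGER_DAY)
    return (nxt - today).days


if __name__ == "__main__":
    for host, when, path in find_trigger_events(SAMPLE_LOG):
        print(f"investigate {host}: {path} started {when} (inside trigger window)")
    print("days until next 3rd:", days_until_trigger("2006-01-31"))
```

A match on the file name alone is weak evidence (plenty of legitimate software ships an update.exe, as the first constructed line shows), so the output is a list of hosts to investigate with up-to-date antivirus rather than a verdict. The useful part for the situation the post describes is the date arithmetic: any machine still suspect on the 2nd should be cleaned or kept offline before the 3rd arrives.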

Security expert Gadi Evron has written the following:

This is an urgent alert released by the cooperative efforts of the MWP/DA groups that also worked on the hurricane Rita scams. This task force is now known as the TISF BlackWorm task force.

This task force involves many in the security (anti spam, CERTs, antivirus, academia, ISPs, etc.) community and industry, working together to combat threats to the security of the Internet in cooperation with law enforcement globally.

Anti-virus companies each have a chosen name for this, but for operational reasons as well as simplicity we choose BlackWorm. This is what we submit for CME. A CME entry should hopefully be created shortly.

Bottom line:
1. Update anti-virus urgently.
2. See Snort signatures below.

More, with Snort sigs, here.

There’s no great panic if you’re running a decent antivirus program with the latest signatures. The people getting infected are probably doing so because they’re not running AV programs and are making the mistake of opening infected emails…

Oh, and confused about all of its names?  Andreas Marx at gives us this list:

AntiVir Worm/KillAV.GR
Avast! Win32:VB-CD [Wrm]
AVG Worm/Generic.FX
BitDefender Win32.Worm.P2P.ABM
ClamAV Worm.VB-8
Command W32/Kapser.A@mm (exact)
Dr Web Win32.HLLM.Generic.391
eTrust-INO Win32/Blackmal.F!Worm
eTrust-VET Win32/Blackmal.F
F-Prot W32/Kapser.A@mm (exact)
F-Secure Email-Worm.Win32.Nyxem.e
Fortinet W32/Grew.A!wm
Ikarus Email-Worm.Win32.VB.BI
Kaspersky Email-Worm.Win32.Nyxem.e
McAfee W32/MyWife.d@MM
Nod32 Win32/VB.NEI worm
Norman W32/Small.KI
Panda W32/Tearec.A.worm
QuickHeal I-Worm.Nyxem.e
Sophos W32/Nyxem-D
Symantec W32.Blackmal.E@mm
Trend Micro WORM_GREW.A
VirusBuster Worm.P2P.VB.CIL

Alex Eckelberry

Update:  The counter has been running high due to a DDoS attack.  See here.