The Kama Sutra worm (now referred to by some experts as BlackWorm) has a number of people in the security community concerned.
I blogged a few days back about its rate of infestation. Last Saturday, the number of infected machines was about 500k.
Today, that number is getting close to 700k (we know that because this worm actually reports back to a server that is keeping track of the number of infections).
Why the worry?
On the 3rd of every month, it does some rather nasty things. From our friends at F-Secure:
The worm has a dangerous payload. If the date is equal to 3 (3rd of February, 3rd of March, etc.) and the worm’s UPDATE.EXE file is run, it destroys files with those extensions on all available drives:
Well, that’s not very friendly, is it? More here.
Security expert Gadi Evron has written the following:
This is an urgent alert released by the cooperative efforts of the MWP/DA groups that also worked on the hurricane Rita scams. This task force is now known as the TISF BlackWorm task force.
This task force involves many in the security (anti-spam, CERTs, antivirus, academia, ISPs, etc.) community and industry, working together to combat threats to the security of the Internet in cooperation with law enforcement globally.
Antivirus companies each have a chosen name for this, but for operational reasons as well as simplicity we choose BlackWorm. This is what we submit for CME. A CME entry should hopefully be created shortly.
1. Update antivirus software urgently.
2. See Snort signatures below.
More, with Snort sigs, here.
There’s no great cause for panic if you’re running a decent antivirus program with the latest signatures. The people getting infected are most likely those who are not running AV software and are making the mistake of opening infected emails…
Oh, and confused about all of its names? Andreas Marx at AV-Test.org gives us this list:
AntiVir: Worm/KillAV.GR
Avast!: Win32:VB-CD [Wrm]
AVG: Worm/Generic.FX
BitDefender: Win32.Worm.P2P.ABM
ClamAV: Worm.VB-8
Command: W32/[email protected] (exact)
Dr Web: Win32.HLLM.Generic.391
eSafe: Win32.VB.bi
eTrust-INO: Win32/Blackmal.F!Worm
eTrust-VET: Win32/Blackmal.F
Ewido: Worm.VB.bi
F-Prot: W32/[email protected] (exact)
F-Secure: Email-Worm.Win32.Nyxem.e
Fortinet: W32/Grew.A!wm
Ikarus: Email-Worm.Win32.VB.BI
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/[email protected]
Nod32: Win32/VB.NEI worm
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
QuickHeal: I-Worm.Nyxem.e
Sophos: W32/Nyxem-D
Symantec: [email protected]
Trend Micro: WORM_GREW.A
VBA32: Email-Worm.Win32.VB.bi
VirusBuster: Worm.P2P.VB.CIL
Update: The counter has been running high due to a DDoS attack. See here.
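The two points above, that the infection count comes from a web counter the worm reports to and that the counter has been inflated by a DDoS, are a good reminder that a raw hit count is not a host count. The following is an added example written for this post, not code from the post, F-Secure or the task force: it parses constructed NCSA-style access-log lines (not real data) for a hypothetical report-back path /counter.php (the worm’s real URL is not given here), and compares raw hits against distinct source addresses, flagging any address that hits the counter faster than a single infected machine plausibly would.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical stand-in for the worm's report-back URL (assumption, not from the post).
COUNTER_PATH = "/counter.php"

# NCSA/Apache "combined"-style access-log line: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, second, path=COUNTER_PATH):
    """Build one constructed log line at 10:00:<second> on 1 Feb 2006 (sample data only)."""
    return (f'{ip} - - [01/Feb/2006:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 42 "-" "Mozilla/4.0"')


# Constructed sample: three distinct hosts reporting once each, two hosts hammering the
# counter (a flood), and one unrelated request that must be ignored.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", 1), _line("192.0.2.11", 2), _line("192.0.2.12", 3)]
    + [_line("198.51.100.7", s) for s in range(5, 35)]   # 30 hits in 30 seconds
    + [_line("198.51.100.8", s) for s in range(5, 25)]   # 20 hits in 20 seconds
    + [_line("192.0.2.13", 40, "/index.html")]
)


def parse_log(text):
    """Return a list of (ip, timestamp, path) for every line that matches LOG_RE."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than failing the whole parse
        records.append((m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"]))
    return records


def summarize_counter_hits(records, counter_path=COUNTER_PATH,
                           window_s=60, max_hits_per_window=3):
    """Compare raw counter hits with distinct source hosts.

    A host is flagged as flooding when more than max_hits_per_window of its requests
    fall inside any window_s-second span; an infected machine reporting once would
    never trip this, a DDoS source will.
    """
    per_ip = defaultdict(list)
    for ip, ts, path in records:
        if path == counter_path:
            per_ip[ip].append(ts)

    flooders = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for i, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if i - start + 1 > max_hits_per_window:
                flooders.add(ip)
                break

    return {
        "raw_hits": sum(len(s) for s in per_ip.values()),
        "unique_hosts": len(per_ip),
        "flooding_hosts": sorted(flooders),
        "non_flooding_hosts": len(per_ip) - len(flooders),
    }


if __name__ == "__main__":
    summary = summarize_counter_hits(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed sample the counter shows 53 raw hits but only 5 distinct hosts, two of which are flooding; only 3 hosts look like single report-backs. Whether a flooding host is itself infected cannot be decided from the counter alone, so the script reports the categories separately rather than claiming an exact infection number.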