E-mail worm bent only on destruction
By Byron Acohido and Jon Swartz, USA TODAY
SEATTLE — A fast-spreading e-mail worm is raising alarms because its sole purpose is to obliterate the everyday working documents widely used by consumers, students and businesses.
The Kama Sutra worm — also referred to as Nyxem.E and Grew.A — is unnerving because, unlike other e-mail worms, it appears to be detached from any profit motive.
It is designed to destroy all Microsoft Word, Excel, Access and PowerPoint documents and Adobe Acrobat and Photoshop files on all hard drives connected to an infected PC.
"The amazing part is that there appears to be a lack of any motive behind this except destruction," says David Mayer, researcher at e-mail security firm IronPort Systems.
The worm appears in e-mail in-boxes with subject lines such as "hot movie," "A Great Video" or "Crazy illegal Sex!" enticing the recipient to click on an attachment. One variation makes reference to the ancient Sanskrit book on sexual positions.
By clicking on the attachment, the victim launches a program that disables anti-virus protection. The infected PC then begins to send copies of similarly tainted e-mail to every e-mail address on the victim's hard drive.
But while most e-mail worms also plant a back door to give an intruder control of the PC, or a program to steal log-ons and passwords, this worm's sole purpose is destruction. It implants a program to erase common work files on the third day of the month, hitting even external data-storage devices connected to the infected PC.
IDefense, a VeriSign company, confirmed the deletion program works. More than 500,000 PCs are believed to have been infected since the worm first appeared on Jan. 16. That's a modest infection rate, but victims face grim consequences. On Friday — Feb. 3 — any infected machines will lose all Microsoft documents and Adobe files.
Because big corporations have tighter e-mail defenses, small businesses and consumers are being harder hit, security experts say. But big companies aren't immune. The worm is designed to inject file-deletion instructions onto corporate servers. It does so via systems that share data with employees logging on to corporate systems from remote locations. "The worm can spread quite well once it finds its way beyond corporate firewalls," says Mikko Hypponen, chief research officer at F-Secure.
Victims can tell they've been infected if they clicked on an e-mail attachment and had their keyboard and mouse freeze up, forcing them to reboot, says Ken Dunham at iDefense.
Disinfection requires reinstalling an anti-virus program updated to protect against this worm, then scanning to make sure it has been purged.
Security experts say the worm's author appears to be a throwback to when viruses were written for bragging rights or to make a statement. "It's about proving the virus community can't be stopped by anti-virus companies," says John Pironti, banking security consultant at Unisys.