Nyxem worm programmed to overwrite data files on Feb. 3 - ComputerWorld / IDG News
'Throwback' malware also travels under name of Kama Sutra
News Story by Jeremy Kirk
JANUARY 23, 2006 (IDG NEWS SERVICE) - Antivirus vendors are warning of a rapidly spreading worm that is carrying a potentially destructive set of instructions. The Nyxem worm -- also nicknamed the Kama Sutra worm -- is programmed to overwrite all of the files on computers it infects on Feb. 3, said Mikko Hypponen, chief research officer at F-Secure Corp.
F-Secure researchers found the worm truncates files to 20 bytes and causes an error message when one is opened, he said.
"We are expecting to see problems in two weeks' time," Hypponen said.
The worm appears to be programmed to overwrite all files on the third day of every month, Hypponen said. So far, there's no indication where Nyxem originated.
While most antivirus vendors have issued updates for their software, Nyxem is spreading quickly, and its creators have posted a counter on a Web site that records new infections. According to F-Secure's security blog, the counter was showing around 510,000 infections as of Sunday night.
Nyxem infections may be rising because it is taking advantage of computers that have already had their antivirus software disabled by some other virus such as Bagle, Hypponen said.
The worm, which is spread through e-mail, uses a dated technique to entice users by promising pornography, said Graham Cluley, senior technology consultant, at Sophos PLC. Nyxem lacks the sophistication of recent Trojan horse-style viruses that are more targeted and less prevalent in order to evade detection, Cluley said.
Nonetheless, users appear to still be clicking, and the worm was accounting for about 35% of virus traffic as of Monday morning, he said.
"It's a bit of a throwback to an old trick," Cluley said.
The worm harvests e-mail addresses and then sends itself out again. The e-mail subject line may contain text that says "Miss Lebanon 2006" or "School girl fantasies gone bad," according to Sophos.