A CNET FAQ on the Kama Sutra worm

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
There's a computer worm set to damage computer systems starting at midnight local time on February 3, 2006. There has been a lot of confusion surrounding this worm, especially because media organizations and antivirus vendors haven't determined a common name. CNET has settled upon Kama Sutra; however, aliases include CME-24 (US-CERT), MyWife (McAfee), Tearec (Panda), Nyxem (Sophos), Blackmal (Symantec, Computer Associates, Vet), and GREW (Trend).

Infections: Security vendor LURHQ has metrics on the spread of Kama Sutra in specific countries through January 26, 2006. The data suggests that India, Peru, Italy, and Turkey are the most vulnerable to Kama Sutra; today, however, antivirus vendor F-Secure posted data suggesting that the United States and Europe may be equally vulnerable.

Who's at risk?: Kama Sutra affects all versions of Windows; it does not affect users of Mac OS, Linux, or Unix.

How does it infect?: Windows users who receive sexually suggestive e-mail and proceed to open the attached file may find themselves infected with Kama Sutra. Unlike some e-mail worms, Kama Sutra will not automatically spawn; you must open the file yourself.

Expected damage: Kama Sutra contains a dangerous payload. On the third day of the month, all files with the extensions DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, and ZIP will be overwritten with an error message "DATA Error [47 0F 94 93 F4 K5]." These files--which include the default file formats for Microsoft Office and Adobe Acrobat applications--cannot be restored once they are damaged.
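For damage assessment after the trigger date, the sketch below inventories which files of the listed types now begin with the quoted message, so they can be matched against backups. It is an added example, not CNET's or any vendor's tool; it assumes the message sits at the very start of an overwritten file, and the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Extensions the FAQ lists as targeted by the payload.
TARGET_EXTS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
               ".rar", ".pdf", ".psd", ".dmp", ".zip"}
# Message quoted in the FAQ. Assumption: it is the first thing in the file.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def is_overwritten(path):
    """True if the file's first bytes are the payload's message."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False  # unreadable (locked, permissions); triage separately


def scan(root):
    """Return (damaged, intact) sorted lists of targeted-type files under root."""
    damaged, intact = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Extension match is case-insensitive, as on Windows file systems.
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            (damaged if is_overwritten(path) else intact).append(path)
    return sorted(damaged), sorted(intact)


def build_sample(root):
    """Constructed sample tree: one overwritten, one intact, one untargeted file."""
    samples = {"report.DOC": MARKER,
               "budget.pdf": b"%PDF-1.4\n",
               "notes.txt": MARKER}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        damaged, intact = scan(tmp)
        print("overwritten:", [os.path.basename(p) for p in damaged])
        print("intact:", [os.path.basename(p) for p in intact])
```

Point `scan()` at a user profile or file share to get the list of files that need restoring from backup.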

CNET Virus Threat Meter: Despite the danger presented by Kama Sutra, infection rates remain relatively low worldwide. Therefore we are keeping the Threat Meter on Low for the time being.

Prevention and cure: Read our prevention and cure alert for links to specific antivirus vendors. For a more comprehensive analysis, see the page posted at Sans.org.