ISP sends alert to Kama Sutra victims

British-based Easynet follows worm trail, notifies people whose systems may be infected with the virus.

A British Internet service provider is notifying customers whose systems it believes may be infected with the Kama Sutra virus.

When a computer is infected by the worm, which also goes by Nyxem.E and other names, it visits an online Web counter that tallies up how many PCs have been infected. U.K.-based Easynet said it is monitoring traffic to this Web counter and sending a virus alert to every person who visits it.

ISPs have come under criticism for failing to responsibly monitor the data they pipe to home users and to share the responsibility for the ever-growing burden of virus and spam that is falling on businesses and consumers.

"ISPs do the equivalent of pumping out raw sewage into your home. You wouldn't expect to have to filter your own water, so why do home users have to filter their own data?" Paul Wood, a senior analyst at hosted e-mail and Web security company MessageLabs, said in November.

In May, the Federal Trade Commission, in tandem with some counterparts worldwide, said it planned to ask ISPs to help crack down on "zombie" networks of computers that send out spam.

F-Secure applauded Easynet's move in its blog, encouraging other ISPs to get in contact with customers who may be affected by an attack.

"We think it's a good idea that ISPs warn people about viruses in general, and I think it's a great idea that Easynet proactively took this step," F-Secure security expert Patrik Runald said. "Obviously, with 300 or 400 viruses being detected every day, ISPs can't warn their customers about all of them. But in this type of case, it's a really good idea."

The security company encouraged other ISPs to notify any customers whose systems may have been infected by the Kama Sutra worm before Feb. 3, when the virus is due to deliver its payload.

"We thought this was an excellent idea and wanted to promote it! We encourage other ISPs to do the same, as it will help users disinfect their machines before the 3rd of February," F-Secure wrote on its blog.

The payload is programmed to delete all Microsoft Word, Excel and PowerPoint file types, as well as Adobe Systems PDF files, from a compromised PC. The multifaceted malicious software will also attempt to propagate itself, both through e-mail and as a network worm, which can be particularly damaging on closed networks.

"Nyxem is certainly malicious. It can be delivered via e-mail, but also as a network worm. It probes other PCs on a closed network to compromise them and send itself to the other computers, to infect as many hosts as possible," Jason Steer, a technical consultant at security company Ironport, said on Thursday.

The malicious software hides in attachment types not typically blocked by attachment filters.

Companies are unlikely to be directly affected by Kama Sutra if they are running up-to-date antivirus software, Ironport said, because the major antivirus vendors have now released patches. But the company warned on Thursday that businesses could experience secondary effects as the virus tries to propagate itself by harvesting e-mail addresses on an infected machine.

"The knock-on effects will come as compromised PCs try to communicate with businesses. This will cause additional e-mail and network traffic, and possible slow down e-mail response time," Steer said Thursday.

Tom Espiner of ZDNet UK reported from London.

Featured Video