Kama Sutra worm set to bite next week

Virus is primed to erase important files from infected PCs and may also cause a traffic spike as it propagates itself.

Tom Espiner Special to CNET News
2 min read
Businesses have been warned to brace themselves for a possible traffic spike next week caused by the Kama Sutra worm.

The virus, dubbed Nyxem.E among other names, was first reported on Jan. 16. It is thought to have infected more than half a million PCs. Security vendor IronPort warned Thursday that these machines are now hard-coded to propagate the virus on Feb. 3.

Companies are unlikely to be directly affected if they are running up-to-date antivirus software, because the major antivirus vendors have now released patches. But IronPort warned that companies could experience secondary effects, as the virus tries to propagate itself by harvesting e-mail addresses on an infected machine.

"The knock-on effects will come as compromised PCs try to communicate with businesses. This will cause additional e-mail and network traffic and a possible slowdown in e-mail response time," said Jason Steer, a technical consultant at IronPort.

F-Secure has reported that Nyxem.E reached the top position on Thursday in its virus statistics list, with 21.7 percent of all reported infections. The worm has infected some 300,000 systems, according to a Lurhq analysis of logs from a Web site statistic counter that the worm uses to keep track of its spread.

Once active, Nyxem will try to delete all Word, Excel, PowerPoint and PDF file types from a compromised PC. The multifaceted malicious software will also attempt to propagate itself, both through e-mail and as a network worm, which can be particularly damaging on closed networks.

"Nyxem is certainly malicious. It can be delivered via e-mail, but also as a network worm. It probes other PCs on a closed network to compromise them and send itself to the other computers, to infect as many hosts as possible," Steer said.

The malicious software hides in attachment types not typically blocked by attachment filters, IronPort said.

The Internet community will not know the scale of the February attack until it occurs. "It depends on how many hosts are infected," Steer said. "At the moment it's just sitting there quietly, and we won't know how many home users have been infected until Feb. 3."

Businesses should warn their employees not to open suspicious e-mails, and to know what these e-mails may look like. "The subject lines may contain some references to pornography--fairly typical stuff," Steer said.

"Be vigilant. Update your antivirus patches and make sure your hard disk has been scanned to detect and remove the virus," he added.

Nyxem has the potential to cause havoc throughout the year, as infected PCs are set to activate on the third day of every month, unless they are cleaned up.

Tom Espiner of ZDNet UK reported from London.