February 2, 2006 3:48 PM PST

FAQ: The Kama Sutra worm

A computer worm is set to damage computer systems, starting midnight local time on Feb. 3.

There has been a lot of confusion surrounding this worm, especially because media organizations and antivirus vendors haven't decided on a common name. CNET has settled upon Kama Sutra. Its other aliases include CME-24 (US-CERT), MyWife (McAfee), Tearec (Panda), Nyxem (Sophos), Blackmal (Symantec, Computer Associates, Vet), and Grew (Trend Micro).

Why should I be worried?
Kama Sutra contains a dangerous payload. On the third day of the month, it will overwrite certain files with an error message: "DATA Error [47 0F 94 93 F4 K5]." It is programmed to affect all files with the extensions .doc, .xls, .mde, .mdb, .ppt, .pps, .rar, .pdf, .psd, .dmp and .zip. These files--which include the default file formats for Microsoft Office and Adobe Acrobat applications--cannot be restored once they are damaged.
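For damage assessment after the trigger date, the following added example (not part of the original article) walks a directory tree and flags files of the listed types whose content starts with the quoted message. It assumes an overwritten file begins with the message text exactly as quoted above; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Extensions and message text as listed in the article above.
TARGET_EXTENSIONS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
                     ".rar", ".pdf", ".psd", ".dmp", ".zip"}
# Assumption: an overwritten file starts with this text exactly as quoted.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def is_overwritten(path):
    """True if a targeted file type starts with the worm's message."""
    if os.path.splitext(path)[1].lower() not in TARGET_EXTENSIONS:
        return False
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(MARKER))
    except OSError:
        return False  # unreadable or locked file: cannot classify, skip
    return head == MARKER


def find_overwritten(root):
    """Walk root and return sorted paths of files that look overwritten."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_overwritten(full):
                hits.append(full)
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: one damaged, one intact, one non-target."""
    samples = {
        "report.DOC": MARKER,                      # damaged, upper-case ext
        "budget.xls": b"\xd0\xcf\x11\xe0 intact",  # normal OLE2 header
        "notes.txt": MARKER,                       # extension not targeted
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path in find_overwritten(tmp):
            print("overwritten:", path)
```

Files that cannot be opened are skipped rather than reported, so a clean result on a tree with locked files is not conclusive.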

Has it spread worldwide?
Security vendor Lurhq has metrics on the spread of Kama Sutra in specific countries through Jan. 26. The data suggests that India, Peru, Italy and Turkey are the most vulnerable to Kama Sutra. On Thursday, however, antivirus vendor F-Secure posted data suggesting that the United States and Europe may be equally vulnerable.

Who's at risk?
Kama Sutra affects all versions of Microsoft Windows. It does not affect users of Mac OS, Linux or Unix.

How does it infect?
Windows users who receive sexually suggestive e-mail and proceed to open the attached file may find their systems infected with Kama Sutra. Unlike some e-mail worms, Kama Sutra will not automatically spawn; people must open the file first.

CNET Virus Threat Meter
Despite the danger presented by Kama Sutra, infection rates remain relatively low worldwide. Therefore, we are keeping the Threat Meter on "low" for the time being.

Prevention and cure
Read CNET Reviews' prevention and cure alert for links to specific antivirus vendors. For a more comprehensive analysis, see the page posted at Sans.org.

3 comments

Grand Omission
Reading on GoogleNews of the big day this worm is to start attacking PCs worldwide (at the time, there were 403 articles) I decided to take a look at how thorough the writers were in reporting just who was at risk. I'm still looking after 20+ articles, and CNET is so far the only to specify that the worm was Microsoft SPECIFIC. Are Microsoft's advertising revenues so handsome that "legitimate" news sources can omit the fact that MAC (and other platforms) are immune to this (and other) invasive worm? After all, it was a breach in the Microsoft OS that has allowed someone's email information to be stolen, and the virus/worm sent you in the first place. All the worms and viruses and SPAM are simply symptoms of the real illness, a poorly written and porous operating system that allows such propagation and distribution. When will the folks at Redmond be held accountable?
Posted by KLPNYC (8 comments )
Targets
The nature of the virus to only require the user to open the file, and to be sent as a pornographic video attachment makes it clear that the author(s) of this virus are targeting people who would receive a spam message with such a link and open it. Stop looking at that trash and you won't need to worry so much about these targeted viruses.
Posted by jeffbristow (1 comment )
Wormy package arrived today
I did, indeed, receive two emails that were from unknown senders and implied that they had something worth opening to look at. Yeah. I just deleted them, thanks to the "heads-up" given me yesterday by a tech friend about the 02/03 threat. It just made me more conscious of checking the C/net News daily!
Posted by naomibigelowbooks (6 comments )
 
