washingtonpost.com
Internet Worm Set to Destroy Files Tomorrow

By Brian Krebs
Special to The Washington Post
Thursday, February 2, 2006

A computer worm that infiltrated hundreds of thousands of computers last month is expected to awaken tomorrow, destroying documents and files on infected machines and networks, Microsoft Corp. and computer security experts said.

The worm is variously named "Nyxem.D," "MyWife.E," "Blackmal.E," and the "Kama Sutra worm" by anti-virus companies. It is also known as "Blackworm." On the third day of each month, it will seek and delete many file types found on infected Windows computers, including Adobe PDF files and Microsoft Word, Excel and PowerPoint documents.

The worm, which began appearing in e-mail inboxes about Jan. 17, arrives as an attachment disguised as sexually explicit photos. Microsoft Windows users who open the file will infect their machines and cause the worm to spread.

Microsoft advises customers who think their computers may be infected with the worm to scan them with up-to-date anti-virus software or run a "protection scan" at the company's Windows Live Safety Center Web site ( http://safety.live.com ).

Experts at the SANS Internet Storm Center in Bethesda said that at least 300,000 computers worldwide have been infected by the worm. Most of the infections were found on computers in India, Peru and Turkey.

In the United States, at least 15,000 computers are infected by the worm, said Joe Stewart, a senior researcher with Chicago-based security company LURHQ Corp.

"A few companies [may] get hit pretty hard, but probably home users are going to be the hardest hit by this worm," Stewart said.

Nyxem's destructive payload is unusual because most computer worms are designed not to cripple their hosts but rather to use them in various criminal enterprises such as sending junk e-mail and installing spyware.

The code that powers the worm is not new. The original Nyxem worm surfaced in March 2004 and attempted to enlist infected computers in an online attack against the New York Mercantile Exchange, the Web site of which is http://www.nymex.com . The letters "m" and "x" were transposed when the worm was named because anti-virus vendors generally avoid giving a virus the name its creator may have intended.

Krebs is a staff writer for washingtonpost.com.

View all comments that have been posted about this article.

© 2006 The Washington Post Company