New worm relies on old trick Promise of dirty pictures could destroy personal documents By Marsha Walton CNN Wednesday, February 1, 2006; Posted: 2:10 p.m. EST (19:10 GMT) var clickExpire = "-1"; ATLANTA, Georgia (CNN) -- "There are a lot of people who are going to be very unhappy on the third of February," said Professor Merrick Furst from the Georgia Tech College of Computing. That's when the Kama Sutra computer worm will begin destroying critical files on infected computers. And hundreds of thousands of machines may have the worm lurking within their Windows operating system, ready to be unleashed on February 3 and the third of every month thereafter. Experts say Windows Office documents, Word documents, Excel spread sheets, and PDFs (portable document format) are among the files that will be "overwritten." That means the data will be changed and corrupted, and the original information will no longer be accessible. While files that have simply been deleted can sometimes be recovered; overwritten files are usually lost for good. This malicious software entices computer users with promises of sexy pictures, with e-mail subject lines ranging from "School girl fantasies gone bad" to "Hot Movie" to "Crazy illegal Sex!" and "Kama Sutra pics." (Watch how the worm seduces PC users -- 1:36) This worm is described as "old fashioned" in several ways. First, it relies on the oldest trick in the book, a computer user's desire to see nasty pictures, to get them to take an action. "With the Kama Sutra worm, this is a traditional style worm, meaning that it takes user interaction in order to become infected; someone has to double click on a file attachment, and then it does some type of malicious behavior, such as, in this case destroying a folder or a file," said Alain Sergile, a security expert at Internet Security Systems (ISS) in Atlanta. Because the worm's destructive payload is delayed until the third of the month, many users may have infected their machines, but because neither dirty pictures nor computer problems resulted, simply forgotten that they ever clicked on the attachment. The worm, which also goes by the names Blackworm, Blackmal, and Nyxem, has been spreading since January 16. It is capable of infecting Windows XP, Windows 2000, Windows 98 and Windows ME operating systems. "This is a really damaging worm. This is not one of those worms that is interested in having access to your machine for purposes later on. This worm will really damage your machine," Georgia Tech's Furst said. Furst says the worm has spread to a lot of military addresses on the Internet (.mil), but mostly to ISPs (Internet Service Providers), meaning most of those infected are probably home users. The computer security company LURHQ reports more than 600,000 machines around the world have been infected. With a little time before the third of the month trigger, most Windows users still have the ability to cleanse their computer of Kama Sutra before any information is destroyed. Some antivirus software can eliminate the virus. Users should make sure their antivirus and antispyware software is up to date and to scan their computers for malicious programs that may have been surreptitiously installed on their machines. However, not all antivirus programs are effective. Problems running antivirus software may be one sign your computer has been infected. Joe Stewart of LURHQ says like many recent worms, Kama Sutra attempts to disable antivirus software when it is attacking a machine. And even for home computer users who have never taken such precautions before, security experts say now would be a good time to back up your most important data, like financial information and family photographs, to CDs, DVDs, zip drives, or an external hard drive that you know is worm and virus free. Unlike a lot of malware that exploits vulnerabilities in the Windows operating system, there is no "patch" that can be downloaded to ward off Kama Sutra. "This is something that is not inherent in the operating system," Sergile said. "Unfortunately, there is no way to patch user ignorance, and the way this virus propagates is through user ignorance," he said. Sergile also says home users need to be aggressive about questioning e-mail messages and attachments, even if it appears they are coming from colleagues, friends, or relatives. Many e-mail viruses spread by forwarding themselves to everyone in a user's e-mail address book. "So while you might think it is coming from cousin Alice, most likely cousin Alice is not going to send you something that says 'Hey look at these pictures with naked people.' So that should be your first clue that a virus is propagating and you'd be well served to call cousin Alice to let her know that she is [unknowingly] sending out this type of e-mail," Sergile said.