Jan. 31, 2006
An Internet worm that's been circulating for a couple of weeks is set to destroy files on infected personal computers this Friday, Feb. 3. Security company Symantec has dubbed it "W32.Blackmal.E@mm," but other security companies have given it different names, including "Nyxem," "blackworm," "Grew.A," "My Wife" and "Kama Sutra." Whatever it's called, it has already infected 300,000 systems, according to the SANS Institute, but by PC worm standards it's still considered a relatively low threat.
The worm is spread by e-mail. It tries to harvest e-mail addresses from infected machines, so it may appear to come from someone you know. Unlike many past worms, it is not limited to Microsoft Outlook or Outlook Express. All Windows users are vulnerable, but it affects only Windows, not Macintosh, Linux or other operating systems.
It watches your PC's clock and is set to delete files from infected machines on Feb. 3.
Unlike many of the threats we've heard about lately, there doesn't appear to be any financial motivation. TrendMicro spokesperson David Perry calls it "an old-fashioned destructive virus. It doesn't have any profit motive." Symantec's Vincent Weafer says it reminds him of the "earlier days of cyber vandalism versus crime."
It's not spyware and it doesn't send out spam, but it can delete document files such as those created by Word, Excel and other applications, as well as MP3 music files. The worm will also try to disable your anti-virus software and, once your machine is infected, it harvests e-mail addresses from your PC and tries to infect people you know.
The worm is attached to an e-mail that can have a variety of subject lines or messages. Subject lines could include "Hot Movie," "Arab sex," "give me a kiss" or "Fwd: Crazy illegal Sex!" but others are also possible.
The good news is that major anti-virus software can detect and remove the worm, but only if the software is up-to-date. If you haven't already done so, use your software's update feature to make sure you have the latest anti-virus "signatures."
Because infections, so far, have been measured in the hundreds of thousands rather than millions, Weafer calls it a "low to medium risk."
He says people with outdated anti-virus definitions (or no anti-virus software) are at a higher risk. In addition to spreading through e-mail, Weafer says that it can also propagate via a local area network. Symantec has a Web page with a technical description of the worm.
In addition to running anti-virus software, it's also a very good idea to have a backup of your data files. Be sure, however, that your files are backed up to a drive that's not connected to your PC, such as a removable hard drive (that's unplugged), a CD or a DVD.
As always, be very careful before clicking on attached files, even if they are from someone you know. If someone does send you a file, contact them to make sure it was deliberate.
If you don't have up-to-date anti-virus software, you can use one of the free virus scanning services such as TrendMicro's Housecall.
Anti-virus companies are being uncharacteristically careful not to exaggerate the risk. "I hesitate to go out on a limb on a virus like this," said TrendMicro's David Perry. "I don't know if there will be damage on Friday."
If Friday does come and go without substantial damage, we'll never know for sure whether it's because the worm had no bite or because we were all prepared. Either way, that would be good news.