In a security advisory Microsoft has alerted Windows users to the existence of a worm that has been circulating via email for several weeks and is programmed to destroy a wide variety of files on the third day of every month. It has been circulating since mid-January, and is estimated to have infected between 250,000 and 300,000 systems worldwide.
Security researchers have given the worm a variety of names. Microsoft calls it Win32/[email protected], but it is also known as Nyxem, Blackdoom, [email protected], Tearec and Kama Sutra. And while there have been reports that the malicious software has infected millions of computers, Microsoft believes the attack is "much more limited and not in the range of millions at this time", according to the Microsoft security advisory released yesterday.
In fact, several security researchers believe that the Nyxem threat has been overstated. "There's been way more attention given it in the media than it deserves," said Russ Cooper, senior information security analyst at Cybertrust. The dramatic nature of this worm's behaviour and inflated reports of infections have helped fuel media interest, he said.
For a PC to become infected by Nyxem, a user must first click on a PIF (Program Information File) file attached to an email, which is typically blocked by corporate antivirus software, according to Cooper. "If you're letting it through and you're a company, then you probably don't have antivirus. So you've already got a problem," he said.
PIFs are data files used to help programs written for Microsoft's pre-Windows DOS run in a Windows environment.
Nyxem does not rely on a Windows vulnerability, but instead uses 'social engineering' techniques to spread, tricking users to click on files that promise racy content such as "Miss Lebanon 2006" or "School girl fantasies gone bad", according to security researchers.
Johannes Ullrich, chief research officer at the SANS Institute, agreed that the majority of users do not need to worry about Nyxem. "The story here is if you are hit, you do have other vulnerabilities on top of this problem," he explained.
Between 250,000 and 300,000 PCs have been infected, Ullrich estimated.
That number represents a very small number of total internet users, Cooper pointed out. "How many people do you think had their hard disks fail yesterday?" he asked. "Probably a number as significant as an eighth of one percent. It had nothing to do with a worm or a virus. I'm not saying [300,000] is not large number, but it's not like it is everybody in the city of Columbus, Ohio."
For those who are infected, however, 3 February will be a long day. On that day the worm will overwrite a wide range of files, including Word documents, Excel spreadsheets, PowerPoint presentations and .pdf files, replacing their contents with the phrase 'DATA Error [47 0F 94 93 F4 K5]', Microsoft has warned.
Microsoft's advisory tells customers to use up-to-date antivirus software, most of which can detect the Nyxem infection, and to use caution before opening unknown email attachments.