Slashdot Mirror


Kama Sutra Worm Could Make For A Bad Friday

mikey1134 writes "CNN is running a story about the Kama Sutra worm, a virus that is coded to overwrite files of the (potentially thousands of) infected computers. They provide some background on this viral outbreak and warn users to protect themselves" From the article: "And even for home computer users who have never taken such precautions before, security experts say now would be a good time to back up your most important data, like financial information and family photographs, to CDs, DVDs, zip drives, or an external hard drive that you know is worm and virus free. Unlike a lot of malware that exploits vulnerabilities in the Windows operating system, there is no 'patch' that can be downloaded to ward off Kama Sutra."

15 of 317 comments

  1. Many Aliases and More Info by eldavojohn · · Score: 5, Informative

    For reference, these are the enumeration names and where to go to make sure you have the latest anti-virus signature. Remember, this variant will uninstall and delete most anti-virus software, so it's important to recognize it before it goes active tomorrow. Most virus definition software refers to it as CME-24. This is important since this worm has many different names, including Nyxem.E, BlackWorm, Grew and Mywife.E.

    More on the worm and its permutations and statistics on spreading.

    A very detailed analysis with all types of files that may be affected.

    And, if it's worth anything to you, the Microsoft advisory which seems to tout that Windows Live Safety Center Beta can protect against it. If you're in charge of computer security at your workplace, I would send out an e-mail instructing everyone to verify that they have the correct anti-virus definitions and to scan their computers before leaving tonight. Luckily, that's not my job where I work.

    --
    My work here is dung.
    1. Re:Many Aliases and More Info by rkrabath · · Score: 5, Informative

      >> if I scan my hard drive tonight with AVG or McAfee or Norton, am I protected?

      Possibly yes, but also possibly not. This virus will disable many common AV programs. My recommendation would be to use a specialized scanner such as the one from F-Secure: http://www.f-secure.com/v-descs/nyxem_e.shtml. I just used that one myself.

      --
      Who do I have to blackmail to get some representation around here!?!?!?!?
    2. Re:Many Aliases and More Info by j-cloth · · Score: 5, Informative

      McAfee DATs 4642 and higher will catch it.

    3. Re:Many Aliases and More Info by Phillup · · Score: 3, Informative

      You might be right... but he is representative of the average user.

      So, while you scorn his 133t skillz... the point (which you missed) is legitimate.

      --

      --Phillip

      Can you say BIRTH TAX
    4. Re:Many Aliases and More Info by Inda · · Score: 4, Informative

      I know you're only trying to help, but to answer the GP's post again:

      Probably yes. That's a big 99.9% yes...

      Yes, the worm tries to delete anti-virus program files. Yes, it tries to stop anti-virus software running at reboot. But if it's managed to do that, there's no way you're scanning your PC tonight anyway.

      Update your definitions and scan now. Inform everyone you know not to open email attachments they weren't expecting.

      Which brings me to another point: Do people really get hit with these anymore? It won't make it through all the major webmail services. You haven't been able to open *.PIF or *.SCR files in Outlook for years now. You almost have to go out of your way to get infected by email worms these days.

      Don't get caught up in the media hype. This isn't another Blaster.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  2. But but but we want a patch!!! by Siberwulf · · Score: 5, Informative

    "Unlike a lot of malware that exploits vulnerabilities in the Windows operating system, there is no 'patch' that can be downloaded to ward off Kama Sutra."

    Half the articles I read yesterday about this said that the public was being screwed over because MS wouldn't release a patch.

    The only patch for stupid is a swift boot in the ass.

  3. Clue About How To Detect Whether You're Infected by Fleetie · · Score: 5, Informative

    This URL would seem to provide some hints about how to check whether you're infected.
    It mentions some registry keys that the worm sets up.

    http://www.sophos.com/virusinfo/analyses/w32nyxemd.html

    --
    "Absorbing your worst..."
  4. Re:Great reporting, CNN by HaydnH · · Score: 4, Informative

    "As much as I appreciate the warning, hints on HOW to know if you're infected would have certainly helped."

    As much as I appreciate your comment, hints on HOW to know if you're infected would have certainly helped.

    So I don't get the same response to this comment, here are some links to Nyxem/Kama Sutra/MyWife (whatever you wanna call it) removal:

    - Symantec
    - McAfee

    Haydn.

    --
    Time is an illusion. Lunchtime doubly so. - Douglas Adams
  5. CME-24 aliases, information, and removal tools by Futurepower(R) · · Score: 5, Informative

    Here's how to know the difference between a money-making press release, and an honest story: The press release says "Fear, fear, fear!!!"

    The honest story gives you links to tools for eliminating the threat: You can run this tool: W32.Blackmal@mm Removal Tool, which apparently removes all variants of the worm.

    Here are manual instructions: WORM_GREW.A, Also known as: CME-24

    Here is the list of names of the CME-24 worm, and links to removal methods: CME-24 aliases, information, and removal tools.

  6. Re:Go Ask Alice by Kiaser+Zohsay · · Score: 4, Informative

    The really sad part is that it probably wasn't even cousin Alice who sent it, it was someone else who had both you and cousin Alice in their address book.

    It could be worse. Alice could be your dad.

    --
    I am not your blowing wind, I am the lightning.
  7. Re:Your computer... by TIMxPx · · Score: 2, Informative

    This is slightly offtopic, but the plural of "virus" is "viruses". I wish it weren't, but there is no recorded instance of a Latin plural for "virus". "Virii" would be the plural of "virius", which isn't even a word. Just saying.

    --
    There are 10 kinds of people in the world: That averages about 660,000,000 of each kind.
  8. Re:Searches Network Shares by Feebleminded_Genius · · Score: 4, Informative

    Agreed. I've been chasing this down on our corporate network all week.

    I installed this virus on a test network last night. It was ugly, to say the least. The test network consisted of 5 clients, 1 DC, and 1 file server. When I ran the email attachment on a client, it immediately froze, consistent with the description on F-Secure. Upon rebooting with monitoring on, it launched numerous processes and disabled Symantec immediately. Within 4 hours it had infected the other 4 clients & the file server.

    We then flipped the switch on the DC & set the date to 2/3/06. Update.exe launched half an hour after login, and within 4 hours all .doc, .xls, .mdb, etc. files were corrupt on the local machines and the file servers.

    Note that this test was performed with out-of-date virus defs as a test.

    Here's an idea for those in a corporate environment. Create a software restriction policy for the executables associated with the virus:
    %systemroot%\system32\scanregw.exe
    %systemroot%\system32\update.exe
    winzip quick pick.exe
    winzip_tmp.exe

    We did this in our test environment and it halted the virus completely.

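One way to apply the software restriction policy the post above describes, as an added example that is not the poster's own procedure: it writes Software Restriction Policy "Disallowed" path rules for the four executable names from the post directly into the machine-wide SRP registry location. It assumes an elevated PowerShell prompt on a host that has no existing SRP policy (the descriptions and the "Unrestricted" default level are choices made here, not from the post).

```powershell
# Added example (not from the post): SRP "Disallowed" path rules for the
# executables named in the thread. Assumes elevated prompt and no existing
# SRP policy; values other than the four paths are this example's choices.

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'      # security level 0 = Disallowed

# File names taken from the post. A bare file name (no folder) is matched by
# SRP wherever that file is launched from.
$blocked = @(
    '%systemroot%\system32\scanregw.exe',
    '%systemroot%\system32\update.exe',
    'winzip quick pick.exe',
    'winzip_tmp.exe'
)

# Policy-wide settings: everything not listed stays Unrestricted (262144),
# rules apply to all software files (TransparentEnabled=1) and to all users.
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name DefaultLevel       -PropertyType DWord -Value 262144 -Force | Out-Null
New-ItemProperty -Path $base -Name TransparentEnabled -PropertyType DWord -Value 1      -Force | Out-Null
New-ItemProperty -Path $base -Name PolicyScope        -PropertyType DWord -Value 0      -Force | Out-Null

# Each rule lives in its own GUID-named key with ItemData (the path) and SaferFlags.
foreach ($path in $blocked) {
    $ruleKey = Join-Path $disallowed ([guid]::NewGuid().ToString('B').ToUpper())
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData    -PropertyType ExpandString -Value $path -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -PropertyType DWord        -Value 0     -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -PropertyType String       -Value 'CME-24 (Nyxem.E) block rule' -Force | Out-Null
}

# Verification: list the Disallowed path rules now present on this machine.
Get-ChildItem -Path $disallowed | ForEach-Object {
    (Get-ItemProperty -Path $_.PSPath).ItemData
}
```

Rules are consulted when a new process starts; log off and on (or run gpupdate if the same keys are delivered by Group Policy) before testing with a benign file renamed to one of the blocked names.
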
  9. Re:The OS is working as intended -- vulnerably by Sycraft-fu · · Score: 2, Informative

    They can't hide that they are apps. Windows will warn you that it's an app, and tell you not to run it. You don't need to run as an admin to run Windows. We have hundreds of computers in the department which users do not have admin access on. People run as admin because they are lazy. Besides, if your e-mail client saying "Warning, this could be a virus, don't run it" and then your OS saying "Warning, this could be a virus, don't run it" isn't enough, changing the OK to a password field isn't going to do any good.

  10. I just laugh at the whole mess by Kunt · · Score: 1, Informative

    I have Mac OS X 10.4.4 on my desktop machines and Ubuntu on my IBM laptop. Life is good. :)

  11. Re:Write-once backups by bored · · Score: 2, Informative
    My nightly backups are almost half a terabyte. Media isn't cheap. 100 tapes is $10,000.00

    What I was saying was that LTO-3 stores 400G uncompressed, the tapes are less than $70 and the drives are less than $2500. Sounds like it's time for you to buy a new tape setup.