Computer Worm Set to Destroy Files

Feb. 2, 2006 — -- No matter how tempting the subject line, don't open any suggestive e-mails if you want to keep your computer files intact.

It's also time to update your anti-virus software in anticipation of a computer worm, set to be unleashed at midnight, that destroys the most-common file types -- those ending in ".doc," ".pdf," and ".zip."

The worm, known as Kama Sutra, CME-24, BlackWorm, Mywife.E or by a number of other monikers, even tries to disable anti-virus software that is out of date, he said.

The virus tricks you by appearing as an e-mail attachment with subject lines like "Hot Movie," "Give me a kiss" and "Miss Lebanon 2006."

Some variations refer to the ancient Kama Sutra guide of elaborate sexual positions to attract attention and convince you to open it.

"It claims to be a movie or picture with some sort of sexual content," said Johannes Ullrich, chief research officer at the nonprofit SANS Institute research group. "That is how it tricks you."

The virus causes a keyboard and mouse to freeze and then disables anti-virus programs when the computer is restarted, leaving a machine vulnerable, said Ken Dunham, rapid response director at VeriSign Corp.'s security unit iDefense.

The good news is, computers in the United States are not believed to be heavily affected, with the majority of infections believed to be in hundreds of thousands of machines mostly in India, Peru, Turkey and Italy, said Mikko Hypponen, chief research officer for Finnish security company F-Secure Corp.

A task force of security firms monitoring the worm estimates that about 15,000 machines in the United States are infected, said Dmitri Alperovitch, principal research engineer with CipherTrust Research. Because the worm contacts an Internet service provider, the firms can track it.

Computer users should make sure their software is turned on and has the latest definitions, generally available for free from the software vendor's Web site. F-Secure has also created a free removal tool.

"If you are infected, and you find out about it today, you still have time to get rid of the virus," Hypponen said.

Mark Loveless, senior security researcher with Vernier Networks, said the worm is similar to many others except that it actually destroys files instead of just disabling them. "As long as everyone has anti-virus software and has it up to date, they should be OK," he said.

Alperovitch said that unlike most worms unleashed in the past five years that are designed to "phish" for personal information or send spam, BlackWorm is "kind of a throwback to old times" when worms carried destructive capabilities.

"This is a very surprising turn of events," Alperovitch said, though he noted that the current worm is a variant of one first launched in March 2004.

Microsoft Corp. issued an advisory Tuesday warning customers about the worm, which affects most versions of its Windows operating system.

In addition to having the latest anti-virus software, users should be safe if their computers are set with limited privileges, a common setting in larger organizations. They are vulnerable if they, like many small-business and home users, leave their computers set with full administrative rights.

And users should check the date on the computer. The worm hits the third of every month, so if the computer's local calendar settings are off, Hypponen said, files may be destroyed sooner or later, even if the computer is never turned on Friday.

ABC News' Adrienne Mand Lewin, The Associated Press and Reuters contributed to this report.