WARNING and RECOMMENDATION re: Kama Sutra Worm

  • Thread starter Thread starter Jim Byrd
  • Start date Start date
J

Jim Byrd

There is currently in the wild a particularly destructive worm called by
variety of names but most commonly know as the "Kama Sutra" worm which has a
payload scheduled to be activated tomorrow, Feb 3rd.

The following is courtesy of a special edition of the www.spywareinfo.com
newsletter. See following this for some additional recommendations:

<Newsletter Extract>
Special Edition

The Kama Sutra worm, which has numerous aliases, is set to deliver its first
destructive payload TOMORROW (February 3). This worm is believed to have
infected anywhere from 200,000 to 700,000 computers worldwide.

The worm is programmed to destroy numerous antivirus program files and
Microsoft Office document files, thirty minutes after an infected machine is
powered up, on the third day of each month.

Microsoft has included detection for this worm in its Malicious Software
Removal Tool. However, Microsoft is withholding that update from all but
paying members of their "Windows Live Safety" and "OneCare" beta services.
Microsoft refuses to release the update to the general public, before their
regularly scheduled general update, on February 14th. I will have plenty to
say about that in tomorrow's newsletter, believe me.

Whether you believe that you are infected or not, you should take
precautionary steps now, just in case. Any documents created by Microsoft
Office as well as .rar and .zip archives should be backed up and stored on
separate, removable storage, such as a CD or DVD. Files and documents of
this type will be corrupted beyond repair on infected machines.

Symantec has released a free tool that will remove the virus. Download the
tool and run it, even if you are certain that you are not infected. It is a
very small file and you have nothing to lose by running it. You don't want
to be wrong and lose your boss's spreadsheets, now do you?
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

If you already have an antivirus program, make certain it is updated and run
a full scan of your computer.
</Newsletter Extract>



I would recommend that you run this Removal Tool from a "Clean Boot". Below
are directions for this from my Blog, Defending Your Machine, addy below in
my Signature. (Note that this tool may take quite a long time to run, and
that it should be rerun immediately BEFORE the third day of each month in
the future using a new, fresh download of the Removal Tool each time.):


<Blog Extract>
#########IMPORTANT#########

Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF) (including offline content.) Reboot and test if the
malware is fixed after using each tool.

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):

1. StartRun enter msconfig.

2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.

3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.

4. Click OK and then reboot.

For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:

310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
</Blog Extract>
 
Thank you Jim for the heads up

Engel

Jim Byrd said:
There is currently in the wild a particularly destructive worm called by
variety of names but most commonly know as the "Kama Sutra" worm which has a
payload scheduled to be activated tomorrow, Feb 3rd.

The following is courtesy of a special edition of the www.spywareinfo.com
newsletter. See following this for some additional recommendations:

<Newsletter Extract>
Special Edition

The Kama Sutra worm, which has numerous aliases, is set to deliver its first
destructive payload TOMORROW (February 3). This worm is believed to have
infected anywhere from 200,000 to 700,000 computers worldwide.

The worm is programmed to destroy numerous antivirus program files and
Microsoft Office document files, thirty minutes after an infected machine is
powered up, on the third day of each month.

Microsoft has included detection for this worm in its Malicious Software
Removal Tool. However, Microsoft is withholding that update from all but
paying members of their "Windows Live Safety" and "OneCare" beta services.
Microsoft refuses to release the update to the general public, before their
regularly scheduled general update, on February 14th. I will have plenty to
say about that in tomorrow's newsletter, believe me.

Whether you believe that you are infected or not, you should take
precautionary steps now, just in case. Any documents created by Microsoft
Office as well as .rar and .zip archives should be backed up and stored on
separate, removable storage, such as a CD or DVD. Files and documents of
this type will be corrupted beyond repair on infected machines.

Symantec has released a free tool that will remove the virus. Download the
tool and run it, even if you are certain that you are not infected. It is a
very small file and you have nothing to lose by running it. You don't want
to be wrong and lose your boss's spreadsheets, now do you?
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

If you already have an antivirus program, make certain it is updated and run
a full scan of your computer.
</Newsletter Extract>



I would recommend that you run this Removal Tool from a "Clean Boot". Below
are directions for this from my Blog, Defending Your Machine, addy below in
my Signature. (Note that this tool may take quite a long time to run, and
that it should be rerun immediately BEFORE the third day of each month in
the future using a new, fresh download of the Removal Tool each time.):


<Blog Extract>
#########IMPORTANT#########

Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF) (including offline content.) Reboot and test if the
malware is fixed after using each tool.

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):

1. StartRun enter msconfig.

2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.

3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.

4. Click OK and then reboot.

For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:

310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
</Blog Extract>
Click to expand...
 
YW, Sir - Hope it's useful to folks. While not as widespread as some we've
seen, this one has some pretty nasty effects and really needs to have some
attention paid to it.
 
Jim, I'm having some difficulty believing that this information is correct.

1) Windows OneCare (currently in free public beta) has covered this virus in
its definitions for some time now--at least a week, I believe.

2) We have been told by Microsoft spokespersons that the public anti-malware
site:

http://safety.live.com/site/en-US/default.htm

will always have Microsofts most recent definitions available. They should
be as new or newer than those available in OneCare.

If you go to the above site, you will see that the virus you are writing
about, which Microsoft is using the name Win32/Mywife.e@mm for--is listed as
the top threat.

I firmly believe that this is covered by the definitions and scanner
available at the above link.

--
 
Bill Sanderson wrote :
If you go to the above site, you will see that the virus you are writing
about, which Microsoft is using the name Win32/Mywife.e@mm for--is listed as
the top threat.
Click to expand...

Hi

MS naming definitions is a "horror", My Wife ;)

The correct name must be as F-Secure explains it "Nyxem".

It comes from the Nyxem family !

http://www.f-secure.com/weblog/

And for sure a lot of users will blow their PCs tonight/tomorrow.


My Wife............ ;) One Care is insane.........


regards
plun
 
You're probably right, Bill - I've no independent knowledge on the OneCare
stuff. However, I did check out the MSRT allegation and, as stated, it's
not listed among those covered in the downloadable version here:
http://www.microsoft.com/security/malwareremove/families.mspx (direct dl
here: http://go.microsoft.com/fwlink/?LinkId=40587) as of a recheck one
minute ago, nor am I aware of any earlier planned release of the MSRT than
the regular second Tuesday, and the MSRT is the one that I suspect affects
the most people.
 
I don't think Microsoft invented this nomenclature--the best one for me is
CME-24. I believe there is a previous Mywife virus or email worm of some
sort, and I had assumed this was related in some way--will dig a bit more.

Only users without current antivirus protection from nearly any vendor are
at risk. I don't disagree--thousands will be affected, and you can see a
map of where they are:

http://www.f-secure.com/weblog/archives/archive-022006.html#00000800


Turkey, India, and Peru have been mentioned as at-risk locales, although the
above map apparently does not match that list.

Statements are being made on the basis of small samples, however. Remember
the statement yesterday that some reports were coming in of early damage
from machines with the clock set wrong? I've heard that the "some" was, in
fact, two.
--
 
Jim,

We've been watching this for awhile. There are a few names for this critter
and MSFT is using the CME24 convention.
I will take the best prescriptive guidance I have from MSFT, keep my shields
up: AV is updated, Firewall is on, SP2 installed and latest patches in
place.

Ron Chamberlin
MS-MVP
 
I generally agree, Ron - However, I suggest that having users run the
Removal Tool each time on the day before the worm's activation date(s) is a
very useful prophylactic measure, particularly for naive users.
 
Hi Bill

Well I believe this naming "convention" is better:

"This worm family has been around since March 2004. The worm is named
"Nyxem" because the original Nyxem.A variant launched a DDoS attack
against the New York Mercantile Exchange website (www.nymex.com). We
don't know why."

"New York Mercantile Exchange" > Nymex, Aha ! > My Wife ;) again.

And US and those small conuntrys has always been mentiond for
most spread countrys.

Nevertheless I have my files left ;)

regrads
plun



Bill Sanderson wrote on 2006-02-03 :
 
Hi

I follow guidance from 3rd parties........ !

Thrust MS ? I cannot understand why they leaves
a black hole open in the firewall for One Care.

Does MS believe that "the bad guys" are stupid ? Or that all
users are stupid ?

http://news.com.com/Microsofts+OneCare+firewall+draws+fire/2100-1029_3-6033589.html?tag=cd.top

"Calling Mum" traffic is more important then security !

So if you are a One Care user stand up and fight for a real firewall.

Not a "lamers" "I don´t know" application.

regards
plun


Ron Chamberlin presented the following explanation :
Jim,

We've been watching this for awhile. There are a few names for this critter
and MSFT is using the CME24 convention.
I will take the best prescriptive guidance I have from MSFT, keep my shields
up: AV is updated, Firewall is on, SP2 installed and latest patches in place.

Ron Chamberlin
MS-MVP
Click to expand...
 
That naming convention certainly sounds better, but I don't know the
derivation of the name Microsoft has chosen.

Hmm--has my machine been on for half an hour? I think so.....have I
actually looked at any of the affected filetypes--not yet.

Got to get into the office yet and see what awaits. Not worried!

--
 
I think that I'm with Roger Grimes on this one. However, this doesn't worry
me too much. I had been under the impression that the applications allowed
the pass out were, in fact "known good" in some much more specific way than
simply having a valid digital signature.

I can't say that this bothers me much, though. I think I want to see
specific examples of keyloggers that are signed, for example, and understand
the interactions that would be needed with OneCare, and Windows Defender,
for such a critter to get into place and send data out.

--
 
Hi Bill

Nope this is about "Calling Home/Mum" .

Every open "backdoor" will be used. MS must learn to
close all of these.

Then change firewall messages for newbies, "Dear Customer, Word 12 must
make a connection to Microsoft Redmond, will you open your
firewall ? "Yes or No"" Simple !

I can only see a big "$-grin" when I see
how MS manipulate users and make "holes" on purpose in every
application.

Malware will be detected with One Care.........

Directly, next day, next week ?

Happy surfing.

;)

regards
plun

Bill Sanderson wrote :
 
Back
Top