Significant concentrations of the Blackworm virus remain in Peru, India and the United States, and about five percent of the machines it originally infected are still infected, though the coordinated “disinfection” of most enterprise PCs was successful, according to new research provided to TechNewsWorld.
The research, by CipherTrust, Inc., indicates that the Blackworm virus, also known as CME-24, Nyxem.E, Kama Sutra and MyWife, is transmitted via e-mail, and once activated, overwrites files on the third day of each month, a payload that recurs for as long as a machine stays infected.
On the third of the month, about 30 minutes after an infected system is started, the worm overwrites files on local drives with the string “DATA Error [47 0F 94 93 F4 K5].” Files with the following extensions are affected: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.
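Because the payload replaces a document's contents with a fixed marker string, a responder can triage a drive or share for destroyed files without any anti-virus product: look for files with one of the targeted extensions whose contents begin with that marker. The script below is an added example written for this page, not code from the article, CipherTrust or Sophos. The marker string and the extension list are taken from the article; the directory layout and the sample files it scans are constructed here for illustration, and the assumption that a destroyed file begins with the marker follows from the article's description.

```python
"""Triage a directory tree for files destroyed by the Blackworm / Nyxem.E payload.

Added example, not code from the original article or from CipherTrust/Sophos.
The marker string and extension list come from the article; the sample files
built by build_sample_tree() are constructed here for illustration.
"""
import os
import tempfile
from pathlib import Path

# Marker the article reports the worm writes over victims' files.
SIGNATURE = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions the article lists as targeted (matched case-insensitively).
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_overwritten(path: Path) -> bool:
    """True if the file begins with the payload marker.

    Only the first len(SIGNATURE) bytes are read, so scanning a large share
    stays cheap. Files that cannot be read (locked, permission denied) are
    skipped rather than reported, so an empty result does not prove a clean
    machine; re-run with adequate rights if errors are suspected.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(SIGNATURE))
    except OSError:
        return False
    return head == SIGNATURE


def find_overwritten(root: Path) -> list[Path]:
    """Walk root and return every targeted-extension file carrying the marker."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() in TARGET_EXTENSIONS and is_overwritten(path):
                hits.append(path)
    return sorted(hits)


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two destroyed documents, two intact files,
    and a .txt file the worm does not target even though it holds the marker."""
    (root / "reports").mkdir(parents=True, exist_ok=True)
    (root / "reports" / "q4.doc").write_bytes(SIGNATURE)               # destroyed
    (root / "reports" / "budget.XLS").write_bytes(SIGNATURE)           # destroyed, upper-case extension
    (root / "reports" / "intact.pdf").write_bytes(b"%PDF-1.4\n...")   # healthy
    (root / "notes.txt").write_bytes(SIGNATURE)                        # untargeted extension, not reported
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 32)  # healthy


def demo() -> list[str]:
    """Build the sample tree in a temp directory and return the hits as
    POSIX-style paths relative to the scan root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sorted(p.relative_to(root).as_posix() for p in find_overwritten(root))


if __name__ == "__main__":
    for hit in demo():
        print("overwritten:", hit)
```

Point `find_overwritten` at a user profile or a mapped share to get a list of files to restore from backup; the extension filter keeps the scan focused on the types the payload targets, and the header check avoids flagging files that merely mention the marker.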
Peru, India, USA
Researchers found that 32 percent of infected machines now reside in Peru, 26 percent in India and 18 percent in the United States.
“Although many machines have been disinfected, we’re certainly not out of the woods yet. Many machines may still be infected without their owner’s knowledge,” said Dmitri Alperovitch, principal research scientist for CipherTrust. “The amount of media attention regarding the destructiveness and rapid propagation of the worm is accelerating action to block and remove the virus.”
Though some have downplayed the viral outbreak, it is still “particularly significant” because 5 percent of infected machines could still potentially be severely impacted on the third of next month, said Alperovitch.
Approximately 350,000 computers had been infected with the worm. The worm’s payload still has the ability to wipe out Word files, Excel files, Adobe PDFs and PowerPoint presentations.
The malware spreads as an e-mail attachment, luring recipients with promises of pornographic images, passages from the Kama Sutra, quasi-religious text and other enticements. Once the attachment is opened and the worm is activated, it disables an array of anti-virus and firewall products and harvests other e-mail addresses from the infected computer in an effort to spread itself further, according to analysts at Sophos, an anti-virus software and security firm based in Lynnfield, Mass.
The worm is still spreading, experts said. Sophos said it’s still the third most commonly encountered e-mail virus, accounting for 10 percent of all viruses being reported. That number is down from a week ago when it was accounting for 39 percent.
Some experts say the virus writer probably made a mistake by setting the countdown to two and a half weeks — giving people enough time to defend their PCs. Many businesses these days are updating their anti-virus software frequently — some on an hourly basis. The sexy and salacious subject lines got a lot of attention — and forced companies to act quickly.
Nearly 95 percent of machines infected with Blackworm were quickly disinfected.
That’s a very good cleanup rate, according to CipherTrust, and quite unusual. “You are much more likely to notice an infection when your data disappears,” said CipherTrust’s Dmitri Alperovitch.
The virus reached around the world, leading to reports that in Milan, Italy, IT workers shut down city government computers after discovering yesterday that they had been infected.
Experts said the worm had some technical limitations that kept it from being as damaging as it might have been. It did not affect network drives very severely, and many companies store documents in a central repository, which allows for centralized backups and sharing of documents.