Microsoft Warns of File-Trashing Worm

Microsoft has published a security advisory warning Windows users of a file-trashing worm that has been circulating via e-mail for several weeks. The worm, which is programmed to destroy a wide variety of files on the third day of every month, has been circulating since mid-January, and is estimated to have infected between 250,000 and 300,000 systems worldwide.

Security researchers have given the worm a variety of names. Microsoft calls it Win32/Mywife.E@mm, but it is also known as Nyxem, Blackdoom, W32.Blackmal.E@mm, Tearec, and Kama Sutra. And while there have been reports that the malicious software has infected millions of computers, Microsoft believes that the attack is "much more limited and is not in the range of millions at this time," according to the Microsoft security advisory, released Monday.

In fact, several security researchers believe that the Nyxem threat has been overstated. "There's been way more attention given it in the media than it deserves," said Russ Cooper, a senior information security analyst at Cybertrust in Herndon, Virginia. The dramatic nature of this worm's behavior, with its file-destroying instructions, and inflated reports of infections have helped fuel media interest, he said.

Watch Out for Feb. 3 If Infected

Between 250,000 and 300,000 PCs have been infected, estimates Johannes Ullrich, chief research officer for the SANS Institute. However, that number represents a very small number of total Internet users, Cooper said. "How many people do you think had their hard disks fail yesterday?" he asked. "Probably a number as significant as one eighth of 1 percent.... It had nothing to do with a worm or a virus. I'm not saying [300,000] is not large number, but it's not like it is everybody in the city of Columbus, Ohio."

For those who are infected, however, Friday, February 3, will be a long day. On that day the worm will overwrite a wide range of files, including Word documents, Excel spreadsheets, PowerPoint presentations, and .pdf files, replacing their contents with the phrase: "DATA Error [47 0F 94 93 F4 K5]," Microsoft said.

Microsoft's advisory tells customers to use up-to-date antivirus software, most of which can detect the Nyxem infection, and to use caution before opening unknown e-mail attachments.

How It Works

For a PC to become infected by Nyxem , a user must first click on a PIF (Program Information File) file attached to an e-mail, which is typically blocked by corporate antivirus software, according to Cooper. "If you're letting it through and you're a company, then you probably don't have antivirus. So you've already got a problem." PIFs are data files used to help programs written for Microsoft's pre-Windows DOS run in a Windows environment.

Nyxem does not rely on a Windows vulnerability, but instead uses "social engineering" techniques to spread, tricking users to click on files that promise racy content like "Miss Lebanon 2006" or "School girl fantasies gone bad," according to security researchers.

Ullrich agreed that the majority of users do not need to worry about Nyxem. "The story here is if you are hit, you do have other vulnerabilities than this problem," he said.