Peter Tippett, CTO Cybertrust
‘We don't regard it as much more than just another worm. It is destructive and that's uncommon, and it's liable to bite some folks but it's on the verge of becoming hype with the attention it's getting.
‘Some organisations and vendors are playing it up because, unlike most of our problems, they can assign a number to it. It doesn't seem to matter that the number is unreliable – this is a prime example of non-risk-based thinking. We actually highlighted this as a low risk to our customers two weeks ago.
‘It's been out since the 17th or 18th January depending on time zone. All of the AV vendors had solutions for it more than 3 weeks in advance of the strike date.’
How the user could become infected
To infect a user, the virus has to get past normal e-mail defences, and the attachment has to be opened with a double-click, which immediately infects the computer if it is a PIF or SCR file.
If it is one of the e-mails using MIME tricks, the user must have WinZip or a similar utility installed. The first double-click will not infect them: they must either extract the encoded file or launch it from within WinZip, ignoring the warning WinZip gives precisely to prevent this sort of thing.
In short, users actually have to do some work to infect their systems.
Russ Cooper, Cybertrust
‘This event has only served to remind us that media hype surrounding malware is extremely disruptive and generates considerable cost for businesses and individuals as they scramble to determine the facts and actions they believe they should take. Cybertrust has continually stated that pre-existing security solutions and practices mitigated all risk from this virus.’
Further technical information:
The W32.Blackmal.E@mm e-mail worm is a destructive, mass-mailing worm that also spreads over shared network drives. The infected attachments in the e-mails use file extensions that should be blocked by all enterprises. The worm includes an AV-kill routine that disables the anti-virus or personal firewall defences on the infected computer. The destructive payload executes on the 3rd day of every month and deletes file types commonly used in businesses.
Global analysis:
It spreads predominantly by e-mails carrying attachments with PIF extensions. There is no legitimate reason to permit PIF files to be exchanged in e-mails today. There are some reports that the worm "counts" its infections on a web counter that has exceeded one-half million. There is no reason to believe this counter is accurate, but even assuming it is, that represents about 1/8 of one percent of the computers on the internet.
The worm sometimes uses MIME encoding tricks in an attempt to circumvent gateways and user resistance, wrapping the attachment in ZIP, HQX, MIM, BHX, UUE, UU or B64 encoding, but all known gateway products are capable of decoding and protecting against this technique. The encoded file is still a PIF or SCR file, which should be restricted.
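The gateway-side check described above, as an added example that is not part of the article or any Cybertrust product: it decodes each attachment's transfer encoding, opens ZIP wrappers, and flags any file whose real name carries a PIF or SCR extension. The message and filenames are constructed for the demonstration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions the text says no gateway should let through (constructed list from the article).
BLOCKED_EXTENSIONS = (".pif", ".scr")


def _flagged_names(filename, payload, depth=0):
    """Return the names inside a decoded attachment that carry a blocked extension.

    ZIP archives are opened (up to three levels deep) so a .pif hidden in a .zip
    is still caught; any other payload is judged by its own filename.
    """
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(payload)):
        hits = []
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for name in zf.namelist():
                hits.extend(_flagged_names(name, zf.read(name), depth + 1))
        return hits
    if filename and filename.lower().endswith(BLOCKED_EXTENSIONS):
        return [filename]
    return []


def scan_message(raw_bytes):
    """Parse an RFC 822 message and list every blocked-extension file it carries.

    get_payload(decode=True) undoes base64, quoted-printable and uuencode, so the
    transfer encoding alone cannot hide the real file type from the check.
    """
    msg = email.message_from_bytes(raw_bytes)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            hits.extend(_flagged_names(part.get_filename(), payload))
    return hits


def build_sample():
    """Construct a test message: a ZIP wrapping a .pif, plus a base64-encoded .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.pif", b"constructed sample, not a real program")
    msg = EmailMessage()
    msg["Subject"] = "sample"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="photo.zip")
    msg.add_attachment(b"MZ-constructed", maintype="application", subtype="octet-stream", filename="video.scr")
    return msg.as_bytes()
```

A real gateway would also inspect file contents rather than trusting names, but the example shows why decoding before matching matters.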
SPEAK WITH THE LARGEST INFORMATION SECURITY EXPERTS ON THE KAMA SUTRA WORM – CALL REBECCA JONES AT VP ON 020 8964 0260