We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft warns of file-trashing worm

Due to hit the day after tomorrow

In a security advisory Microsoft has alerted Windows users to the existence of a worm that has been circulating via email for several weeks and is programmed to destroy a wide variety of files on the third day of every month. It has been circulating since mid-January, and is estimated to have infected between 250,000 and 300,000 systems worldwide.

Security researchers have given the worm a variety of names. Microsoft calls it Win32/Mywife.E@mm, but it is also known as Nyxem, Blackdoom, W32.Blackmal.E@mm, Tearec and Kama Sutra. And while there have been reports that the malicious software has infected millions of computers, Microsoft believes the attack is "much more limited and not in the range of millions at this time", according to the Microsoft security advisory released yesterday.

In fact, several security researchers believe that the Nyxem threat has been overstated. "There's been way more attention given it in the media than it deserves," said Russ Cooper, senior information security analyst at Cybertrust. The dramatic nature of this worm's behaviour and inflated reports of infections have helped fuel media interest, he said.

For a PC to become infected by Nyxem, a user must first click on a PIF (Program Information File) file attached to an email, which is typically blocked by corporate antivirus software, according to Cooper. "If you're letting it through and you're a company, then you probably don't have antivirus. So you've already got a problem," he said.

PIFs are data files used to help programs written for Microsoft's pre-Windows DOS run in a Windows environment.

Nyxem does not rely on a Windows vulnerability, but instead uses 'social engineering' techniques to spread, tricking users to click on files that promise racy content such as "Miss Lebanon 2006" or "School girl fantasies gone bad", according to security researchers.

Johannes Ullrich, chief research officer at the SANS Institute, agreed that the majority of users do not need to worry about Nyxem. "The story here is if you are hit, you do have other vulnerabilities on top of this problem," he explained.

Between 250,000 and 300,000 PCs have been infected, Ullrich estimated.

That number represents a very small number of total internet users, Cooper pointed out. "How many people do you think had their hard disks fail yesterday?" he asked. "Probably a number as significant as an eighth of one percent. It had nothing to do with a worm or a virus. I'm not saying [300,000] is not large number, but it's not like it is everybody in the city of Columbus, Ohio."

For those who are infected, however, 3 February will be a long day. On that day the worm will overwrite a wide range of files, including Word documents, Excel spreadsheets, PowerPoint presentations and .pdf files, replacing their contents with the phrase 'DATA Error [47 0F 94 93 F4 K5]', Microsoft has warned.

Microsoft's advisory tells customers to use up-to-date antivirus software, most of which can detect the Nyxem infection, and to use caution before opening unknown email attachments.


IDG UK Sites

Windows 9 launch event live: Windows 9 launch live blog - find out first as the new Windows is...

IDG UK Sites

Windows 9 and the death of the OS as a must-have product

IDG UK Sites

Video trends: 4K is here โ€“ HDR video, VR and 3D audio is coming

IDG UK Sites

Best iPhone 6, iPhone 6 Plus deals: iPhone 6, iPhone 6 Plus tariffs, contracts and prices UK