A virus that is scheduled to begin deleting files from infected Windows computers today is unlikely to result in widespread damage, security vendors have said – although some businesses have reported being affected.
Four days before toll is known
F-Secure has been in contact with one large US company that had "tens of thousands of infected computers", according to Mikko Hyppönen, F-Secure's chief research officer.
The company – which Hyppönen declined to identify, although he said it was not an F-Secure customer – had been working to cleanse the machines. It may keep its computers switched off today as a precaution until it can be sure they are virus-free.
There had been no reports early today of data being wiped out, although antivirus vendors said it may take a few days for problems to emerge, especially for consumers, who are less likely to notice damage right away. The virus has several names, including Blackdoom, Nyxem, Kama Sutra and Mywife. It was detected in mid-January.
Antivirus vendors have been updating their software to protect machines against the destructive code and cleanse them of it, said David Emm, senior technology consultant at Kaspersky. The malware contains code that will overwrite most files on a computer on the third day of each month, replacing them with error messages.
Computers become infected if a user opens a PIF (Program Information File) attachment contained in an email. In addition to dropping the destructive code on a computer, the worm harvests email addresses and sends itself out again. The emails often use the promise of pornography to lure users into opening the attachment, a relatively dated method.
Up to 300,000 machines may be infected worldwide, with concentrations in India, Turkey, Mexico, Peru and Australia, according to antivirus vendors. The spread of email worms is fairly random, Hyppönen said.
Those countries may be affected the most because the worm happened to find computers there with large lists of email addresses to mail itself to, Hyppönen said.
India appeared to have been infected the most as of Friday morning, with the virus emanating from around 4,000 IP addresses in that country, said Alex Shipp of MessageLabs. About 1,000 IP addresses were affected in the US, and 102 in the UK.
It may take a few days for the "sob stories" to emerge from hapless users, Shipp said.
The number of attacks against customers of SecureWorks has doubled since Tuesday, to 939, the company said. It reported the most activity in India, Australia and the US.
Machines protected by antivirus software could still be vulnerable since other malware, such as the Bagle virus, can shut off those programs, Hyppönen noted.
Publicity surrounding the worm may have made users more careful about protecting their computers. A chain of computer stores in the UK was warning users of the worm on its call-in number.
"At the moment, we are not sure of the impact of it," said Omar Qureshi, who works on the PC Service team for PC World stores. It may be three or four days before reports of problems trickle in, he said.