A new worm is said to be infecting thousands of machines every hour. Although it is described by different names , the “Kama Sutra” label looks likely to stick most strongly. Spreading via e-mail, it is programmed to do three basic things. First, it replicates itself, and attempts to spread further out from the infected machine. Second, it works to disable security and antivirus software from multiple vendors on the infected machine.
Finally, and most destructively, on the third of any given month, it destroys all files it can access with a number of default “document” extensions. This includes the major Microsoft Office document formats, Adobe PDF files, and, strangely enough, files with the .DMP extension, which is how Microsoft stores the dump of memory information when a Windows-based computer crashes. I can only assume this is intended to make chasing this virus more difficult, as it eliminates one of Microsoft’s primary troubleshooting methods.
The Kama Sutra worm, we feel, falls pretty firmly into the category of a Trojan Horse. It cloaks itself in an executable file, appearing to be something of a pornographic nature. It doesn’t exploit any particular e-mail software vulnerability in any fashion. Instead, it convinces the user that it is something they might like to see, and when executed, installs all of its nefarious functionality instead.
A more detailed examination of the worm, and its payload and methodologies can be found at F-Secure’s virus site:
As always, with a significantly expanding worm, we recommend the following major actions:
1) Make sure to update the virus scanning engines at all levels of your organization. For example, I’ve just confirmed the latest virus engines are downloaded on the mail-scanning software which runs on my Exchange systems, as well as updating the signatures for my desktop virus scanning software.
2) Take this opportunity to remind your organization about your policies and recommendations regarding attachments in e-mail from unknown sources.
3) If your environment allows executable files as e-mail attachments, consider modifying your policy and settings such that executables are stripped from inbound e-mail.
For more information, the NIST special publications we’ve been discussing lately on the podcast provide an excellent guidance document on the subject. It can be found here, in PDF form: Guidelines on Electronic Mail Security If you haven’t yet examined your e-mail environment closely for these kinds of issues, this document is a great starting point for a rigorous examination.