Sophos: Zero damage reports from Nyxem 'February 3' virus

Oxford (UK) - Sophos Labs' senior technology consultant Graham Cluley told TG Daily this morning that the total number of incident reports called in to his company as a result of the Nyxem/"Kama Sutra" mass-mailing worm in Europe was zero.

Cluley credits worldwide preparation for the worm, which he said is likely to have infected thousands of computers, but whose payloads may not have been triggered. He told us that government offices in Milan, Italy, were closed, acting on the belief that as many as 10,000 computers there may be infected with the virus. Simply not turning them on, it was apparently believed, may clear them of any possible damage, at least until system administrators could take measures to disinfect the systems.

Meanwhile, the first reports from the Eastern hemisphere on the impact of the Nyxem/"Kama Sutra" mass-mailing worm appear to show relatively low damage to computers in Western Europe, though moderate damage was reported in India.

The worm targets Windows computers - specifically, systems left at their default installation settings, which hide filename extensions for "known file types." Exploiting such settings, the worm can masquerade as a compressed .ZIP file, but when executed, can deploy its own built-in SMTP engine to redistribute itself from the infected computer, and then attach plaintext additions to the end of common Windows document types, rendering them unusable though not destroyed.
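The hidden-extension problem described above can be checked for at a mail gateway. The following is an added example, not code from Sophos or from the original article: it computes the name a user would see with extensions hidden and flags executables whose displayed name ends in a harmless-looking extension. The extension sets and the sample filenames are constructed assumptions, not details of the worm.

```python
import ntpath

# Assumed sets for illustration; a real gateway policy would carry longer lists.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".zip", ".doc", ".xls", ".pdf", ".txt", ".jpg"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS  # types whose extension is hidden


def displayed_name(filename, hide_known_exts=True):
    """Return the name a user sees in a file listing."""
    base = ntpath.basename(filename).rstrip(" .")  # Windows drops trailing dots/spaces
    stem, ext = ntpath.splitext(base)
    if hide_known_exts and ext.lower() in KNOWN_EXTS:
        return stem.rstrip()  # padding before the real extension is invisible too
    return base


def is_deceptive(filename):
    """True when an executable's displayed name ends in a harmless-looking extension."""
    base = ntpath.basename(filename).rstrip(" .")
    real_ext = ntpath.splitext(base)[1].lower()
    if real_ext not in EXECUTABLE_EXTS:
        return False
    shown_ext = ntpath.splitext(displayed_name(filename))[1].lower()
    return shown_ext in DECOY_EXTS


def flag_attachments(names):
    """Return (real name, displayed name) for every attachment worth quarantining."""
    return [(n, displayed_name(n)) for n in names if is_deceptive(n)]


# Constructed attachment names, not taken from any real sample.
SAMPLE = [
    "holiday_photos.zip.exe",
    "holiday_photos.zip",
    "setup.exe",
    "notes.DOC        .SCR",
]

if __name__ == "__main__":
    for real, shown in flag_attachments(SAMPLE):
        print(f"quarantine: real={real!r} shown-as={shown!r}")
```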

A BBC News report early this morning cites European national security organizations as reporting few problems, while Asian authorities report almost no difficulties. But a report from the Indian PTI news service at about the same time quotes government officials in New Delhi as reporting up to 80,000 infected systems nationwide, although the director of that country's CERT team declined to confirm that number.

Cluley told us today that he believes initial damage estimates of hundreds of thousands of computers infected worldwide may have been artificially inflated. It is his understanding that the virus author used an internal Web site hit counter to estimate the number of systems to which the payload was delivered. He believes the address for that hit counter - which apparently used publicly known technology - was shared among the underground community, members of whom may have actually hacked the worm author's site to inflate the hit number to extravagant levels. Boasts of those levels through underground channels may have then made their way to the technology press, where the news spread like a... like a virus to the general press.