Robin Arnfield, newsfactor.com
Microsoft has published a security advisory to warn Internet users
about a worm that could destroy their documents on February 3.
While other companies have identified the worm by several names --
including Kama Sutra, Blackworm, Nyxem-D, and W32.Blackmail.E -- the
Redmond, Washington-based software firm is calling the worm Mywife,
and has said that it is a variant of the Win32/Mywife.E@mm virus.
"The mass-mailing malware tries to entice users through
social-engineering efforts into opening an attached file in an e-mail
message," the Microsoft advisory states. It tries to make an intelligent
guess regards what the user is likely to be sexually tempted by, then
goes on to write an email attempting to lure the user into opening
the alleged 'pictures' of 'mywife', 'these pictures of you', etc.
"If the recipient opens the file, the malware sends itself to all the
contacts that are contained in the system's address book. The malware
may also spread over writeable network shares on systems that have
blank administrator passwords. Never open mail or operate as
'administrator'" it goes on to say.
Microsoft is warning that on the third day of each month, starting
February 3, the Mywife worm will attempt to destroy common document
files. The advisory indicates that the malware also modifies or
deletes files and registry keys associated with certain
"Unlike most viruses, which have some financial objective, such as
stealing Internet-banking passwords or using the victim's PC to send
spam, this worm is purely malicious," said David Perry, antivirus
software firm Trend Micro's global director of education. "It is as if
its creators just want people to sit up and take notice of them."
Perry said that Trend Micro's free virus-scanning service on its Web
site -- used by those who do not have the company's security tools
installed on their PCs -- had identified 26,000 computers that were
corrupted with the Mywife worm, along with 184,000 infected files.
"Other antivirus vendors are reporting hundreds of thousands of
computers infected with Mywife, and one security research firm, SANS
Institute, is even claiming the number is over two million," Perry
Perry also said that, compared to recent outbreaks, Mywife is not a
major threat. Stacey Quandt, Aberdeen Group's research director of
security solutions and services, agreed.
"Since most businesses use antivirus software and understand the risk
of clicking on a link in an e-mail, the threat that this worm poses is
minimal," Quandt said. "However, the risk is certainly higher for any
organization or consumer that does not currently use antivirus
software or is not aware of the risks of executables in an e-mail."
"Will I be infected, or will someone in my organization be infected?" asked
Russ Cooper, senior information analyst at security firm Cybertrust.
"The simple fact is that, if you are infected with this one, you were
probably infected with something else -- likely a Sober variant --
before. That's because there's nothing special about this one that we
haven't been seeing in so many worms over the past 18 months."
Cooper said a user has to double-click on a .PIF, .SCR, or .ZIP file
to get infected with the worm. "If .ZIP, then you have to further
double-click on the .PIF or .SCR it contains," he said. "Further, for
you to get infected, you have to have stopped your antivirus from
running," Cooper said. "All antivirus applications have been detecting
this since virtually the first day it was discovered." With .PIF,
.SCR, and .ZIP files, our suggestion is if you are not expecting one,
then just ditch it, zap it on the spot without further examination.
"What this variant has going for it is that it 'social engineers'
people who are tempted by porn."
Copyright 2006 NewsFactor Network, Inc.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
Also please read more of interest in these areas: