New worm threat set to spread this week

A new e-mail threat has emerged, with a trigger date set for this week. Sporting various names, the worm traps unsuspecting users with the promise of explicit images. Meanwhile, allegations have surfaced that a recent Windows vulnerability may have been premeditated. John McCormick has the details in this edition of the IT Locksmith.

A new e-mail worm may be on the loose, with a trigger set for this week, and promises of illicit images could make it a dangerous threat for some users. Meanwhile, a security research company has alleged that a Windows vulnerability may have been intentional.


A couple of very strange security items crossed my desk over the past week, and I think we can only wait for the next shoe to drop. However, I do think readers need to know about them.

First, a story on, which also popped up in a few other locations, warns about a major Windows security worm threat that has various names, including BlackWorm, Blackmal, Nyxem, and MyWife. Symantec has dubbed it Blackmal, and the latest iteration is Blackmal.e, discovered on January 17. has labeled it the Kama Sutra worm, as it promises explicit images to users unsavvy enough to open the e-mail attachment.

Although Symantec and most other antivirus vendors have rated this a low-level threat, it is widespread and has potential. If a user triggers it on an unprotected system, it can delete user files as well as kill security tools by removing them from the Windows registry.

I just don't know how dangerous this new threat is. However, I suspect it won't amount to much because it's already in the virus signature databases of most antivirus programs.

Regardless, I suggest bookmarking the Symantec Removal Tool just in case, and make sure you've updated your antivirus signature file. Here's the view from the SecuriTeam Blog, which placed the number of infected systems at more than 700,000 almost a week ago.

In addition, you can check out the Web page the SANS Internet Storm Center has devoted to BlackWorm. This resource lists the file types the virus will overwrite with an error message ( 'DATA Error [47 0F 94 93 F4 K5]'), including .doc, .xls, .mde, .mdb, .ppt, .pdf, .zip, and more.

The trigger date for this worm is February 3. Since it spreads via an e-mail that offers explicit pictures, based on past experience, you can probably estimate based how many people on your network are desperately trying to download it to your system even as you read this warning.

The second really strange story to emerge in the past week was a claim by Gibson Research that someone may have deliberately planted a Microsoft Windows Metafile (rootkit) vulnerability, perhaps to help U.S. national security groups spy on the content of every Microsoft-based computer.

Steve Gibson's podcast, which features a transcript, is available on the company's Web site. It discusses what he says is a backdoor he discovered in recent Microsoft Windows operating systems, but it doesn't actually cast any detailed blame for the threat. Specifically, there's a hidden function call in Microsoft code, which could allow an attacker to run code on any system with this operating system installed.

As any developer knows, this sort of thing could simply be a bit of a leftover development code tool that accidentally made its way into the production version. However, it could also be something more sinister.

Asked in the podcast if this could be an error, Gibson replied, "I don't see how it could have been a mistake. Again, I'm going to continue to look at it. But from what I've seen now, this had to be deliberate."

Another resource, theunofficialmicrosoftweblog, has posted an entry on this latest conspiracy theory as well. At this point, your guess is as good as mine. Is this a bit of self-promoting sensationalism by Steve Gibson? Or, is it real and—even worse—intentional? I only bring it up here because, if it is real, then it's a really big deal.

Meanwhile, the BBC has reported that Microsoft is facing a 2 million euro per day fine for failing to disclose server code. And the latest accusations about an intentional backdoor will do nothing to reduce EU fervor to see just what Microsoft might be hiding.

As one would expect, Microsoft has appealed the ruling, and a hearing will take place in April. The Redmond software giant—as well as Microsoft users—has very legitimate reasons for not wanting to see Windows code spread around the world, which could happen if some official lets the code out either intentionally or by error.

Can you say "between a rock and a hard place"? Fortunately for Bill Gates, even more than $2 million per day isn't going to put the company out of business—or even eat seriously into investment income from the tens of billions of dollars in Microsoft coffers.

Final word

As February approaches once again, the term deja vu takes on a whole new meaning for this intrepid reporter. You see, I will actually be making the usually cold and dreary trek to Gobbler's Knob this week. Yep, you got it: I live near Punxsutawney, PA—the home of Groundhog Day! Fortunately, probably thanks to global warming, this year it shouldn't be during the usual blizzard.

In fact, I know Punxsutawney Phil personally—he lives by the children's section of the public library—as well as several local dignitaries, including "Snake" (the mayor who also happens to deliver feed grain to my fine herd of donkeys.) If you're interested in this incredible piece of Americana, check out the my Groundhog Day Web site to learn the legend and lore behind this momentous day. So, with a nod to Bill Murray, I've been pretty sloppy this week since I can always do it over!

Also watch for…

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

Editor's Picks

Free Newsletters, In your Inbox