A new e-mail worm may be on the loose, with a trigger set
for this week, and promises of illicit images could make it a dangerous threat
for some users. Meanwhile, a security research company has alleged that a Windows
vulnerability may have been intentional.
Detail
A couple of very strange security items crossed my desk over
the past week, and I think we can only wait for the next shoe to drop. However,
I do think readers need to know about them.
First, a
story on eWeek.com, which also popped up in a few other locations, warns about
a major Windows security worm threat that has various names, including BlackWorm,
Blackmal, Nyxem, and MyWife. Symantec has dubbed it Blackmal, and the latest
iteration is Blackmal.e,
discovered on January 17. News.com has labeled it the Kama Sutra worm, as it promises explicit
images to users unsavvy enough to open the e-mail attachment.
Although Symantec and most other antivirus vendors have
rated this a low-level threat, it is widespread and has potential. If a user triggers it on an unprotected
system, it can delete user files as well as kill security tools by removing
them from the Windows registry.
I just don’t know how dangerous this new threat is. However,
I suspect it won’t amount to much because it’s already in the virus signature
databases of most antivirus programs.
Regardless, I suggest bookmarking the Symantec
Removal Tool just in case, and make sure you’ve updated your antivirus signature
file. Here’s the view from the SecuriTeam Blog,
which placed the number of infected systems at more than 700,000 almost a week
ago.
In addition, you can check out the Web page the SANS Internet Storm Center has devoted to BlackWorm. This resource lists the file types the virus will overwrite with an error message (‘DATA Error [47 0F 94 93 F4 K5]’), including .doc, .xls, .mde, .mdb, .ppt, .pdf, .zip, and more.
The trigger date for this worm is February 3. Since it spreads via an e-mail that offers explicit pictures, past experience suggests you can probably estimate how many people on your network are desperately trying to download it to your system even as you read this warning.
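As an added defender-side example, not code from the column or from any of the sources it cites, here is a small Python scanner that walks a directory, looks only at the file types listed above, and flags files whose content has been replaced by the overwrite signature quoted from the SANS ISC page. The sample files it builds are constructed for the demonstration; the extension list is the partial one the page gives (the column says “and more”), and treating a file that consists of nothing but the marker string, possibly repeated, as “overwritten” is an assumption made here, not a claim from the page.

```python
import tempfile
from pathlib import Path

# Marker text the column (citing SANS ISC) says the worm writes over data files.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions named on the page. The page says "and more", so this set is partial.
TARGET_EXTENSIONS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pdf", ".zip"}


def is_overwritten(data: bytes) -> bool:
    """Return True if the content is the marker string, possibly repeated,
    with nothing else but trailing whitespace. (Assumed pattern, see lead-in.)"""
    if not data:
        return False
    body = data.rstrip(b"\r\n ")
    if not body or len(body) % len(MARKER) != 0:
        return False
    return body == MARKER * (len(body) // len(MARKER))


def scan_tree(root: Path) -> dict:
    """Classify every file under root into overwritten / clean / skipped.
    Only files with a targeted extension are inspected; the rest are skipped.
    Paths are returned relative to root so the result is easy to report on."""
    result = {"overwritten": [], "clean": [], "skipped": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() not in TARGET_EXTENSIONS:
            result["skipped"].append(rel)
            continue
        bucket = "overwritten" if is_overwritten(path.read_bytes()) else "clean"
        result[bucket].append(rel)
    return result


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data, not real infected files: one spreadsheet whose
    content is the marker repeated, one intact PDF, one empty document and one
    file with an extension the worm does not target."""
    base.mkdir(parents=True, exist_ok=True)
    (base / "budget.xls").write_bytes(MARKER * 3 + b"\n")
    (base / "report.pdf").write_bytes(b"%PDF-1.4\n% intact sample document\n")
    (base / "empty.doc").write_bytes(b"")
    (base / "notes.txt").write_bytes(b"plain notes, not a targeted extension")
    return base


def demo() -> dict:
    """Build the constructed sample tree in a temp directory and scan it."""
    sample = build_sample_tree(Path(tempfile.mkdtemp()) / "sample")
    return scan_tree(sample)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

Run against a file share or home directory after the trigger date, the “overwritten” list tells you which documents must be restored from backup; nothing here repairs files, since the original content is gone once the marker has been written over it.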
The second really strange story to emerge in the past week
was a claim by Gibson Research that someone may have deliberately planted a
Microsoft Windows Metafile (rootkit) vulnerability, perhaps to help U.S.
national security groups spy on the content of every Microsoft-based computer.
Steve Gibson’s
podcast, which features a transcript, is available on the company’s Web
site. It discusses what he says is a backdoor he discovered in recent Microsoft
Windows operating systems, but it doesn’t actually cast any detailed blame for
the threat. Specifically, there’s a hidden function call in Microsoft code,
which could allow an attacker to run code on any system with this operating
system installed.
As any developer knows, this sort of thing could simply be a leftover development tool that accidentally made its way into the production version. However, it could also be something more sinister.
Asked in the podcast if this could be an error, Gibson
replied, “I don’t see how it could have been a mistake. Again, I’m going
to continue to look at it. But from what I’ve seen now, this had to be
deliberate.”
Another resource, theunofficialmicrosoftweblog,
has posted an entry on this latest conspiracy theory as well. At this point, your
guess is as good as mine. Is this a bit of self-promoting sensationalism by
Steve Gibson? Or, is it real and—even worse—intentional? I only bring it up
here because, if it is real, then it’s a really big deal.
Meanwhile, the BBC has reported
that Microsoft
is facing a 2 million euro per day fine for failing to disclose server
code. And the latest accusations about an intentional backdoor will do nothing
to reduce EU fervor to see just what Microsoft might be hiding.
As one would expect, Microsoft has appealed the ruling, and
a hearing will
take place in April. The Redmond software giant—as well as Microsoft users—has
very legitimate reasons for not wanting to see Windows code spread around the
world, which could happen if some official lets the code out either
intentionally or by error.
Can you say “between a rock and a hard place”?
Fortunately for Bill Gates, even more than $2 million per day isn’t going to
put the company out of business—or even eat seriously into investment income
from the tens of billions of dollars in Microsoft coffers.
Final word
As February approaches once again, the term deja vu takes on a whole new meaning for
this intrepid reporter. You see, I will actually be making the usually cold and
dreary trek to Gobbler’s Knob this week. Yep, you got it: I live near
Punxsutawney, PA—the home of Groundhog Day!
Fortunately, probably thanks to global warming, this year it shouldn’t be during
the usual blizzard.
In fact, I know Punxsutawney Phil personally—he lives by the children’s section of the public library—as well as several local dignitaries, including “Snake” (the mayor, who also happens to deliver feed grain to my fine herd of donkeys). If you’re interested in this incredible piece of Americana, check out my Groundhog Day Web site to learn the legend and lore behind this momentous day. So, with a nod to Bill Murray, I’ve been pretty sloppy this week since I can always do it over!
Also watch for…
- Cambridge University and MIT have issued warnings that VoIP is becoming a hot target for hackers, with Skype in particular singled out, and DoS attacks as the main concern.
John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.