Oh lala! Kamasutra!

Posted on Mon, 02/06/2006 - 23:11

I was a little scared and concerned about this virus for my company (no problem at home, since we're using Linux). I read and researched a lot about it to avoid any surprises, so let me share with you what I learned.

This worm is also known by names such as Nyxem, BlackMal, Mywife, and CME-24. I first read about it on January 21, and I found that the trigger date of this virus is the 3rd of every month. That means the first trigger date was February 3. Let me repeat: the trigger date is the 3rd of every month. So, if you're infected now or become infected in the future, you are not safe just because February 3 has passed, since the 3rd of every month is a trigger date.

So what does this virus do? Kama Sutra is far more dangerous and tricky than most people think, especially in the corporate world. I'm sure most companies back up their data regularly, especially the network shared folders. As a SysAdmin, you might think that as long as you're backing up your company files regularly, there should be no problem in case your company is infected. But you know what, the tricky part of this virus is that it doesn't delete the files (all DOC, XLS, PPT, ZIP, RAR, PDF and MDB files - all the essential corporate files, huh?). A SysAdmin may think that regular backups will save his ass, but Kamasutra doesn't delete the files; instead, Kama Sutra overwrites those files!

So, if you have a backup that runs automatically (especially in our case here in Qatar, where Friday is a non-working day), your last healthy backup will be overwritten with the newly infected files, and if you are not aware of this, you may end up backing up the infected files in your backup cycles. Therefore, as a SysAdmin, you should consider this scenario from now on, before taking your next backup. Of course, if you have a long rotation of backup tapes, you will still be able to recover the last healthy backup from the old tapes if you only realize it at a later stage. But I believe this awareness is critical at this early stage, not only for the February 3 trigger date but also for the trigger dates on the 3rd of the following months. By the way, Kamasutra triggers the payload of overwriting your files 30 minutes after you start your Windows machine on the 3rd of every month.
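Because the worm overwrites rather than deletes, a backup job has no missing-file signal to alarm on; the files are still there, just unusable. One cheap pre-backup check is to verify that each DOC/XLS/PPT/ZIP/RAR/PDF/MDB file on the share still begins with the header bytes its format requires, and to refuse to rotate the tape when an unusual fraction of them no longer do. The script below is an added example written for this post, not code from the original; it uses the well-known header signatures of those formats (legacy Office files are OLE2 compound documents, MDB carries "Standard Jet DB" at offset 4) and builds a small constructed sample share in a temporary directory, with two files overwritten by placeholder junk (a simulation, not the worm's actual payload). The 5 % threshold is an assumed policy value.

```python
import tempfile
from pathlib import Path

# Header (magic-byte) signatures for the file types the worm targets.
# Entries are (offset, expected bytes); any match counts as a valid header.
SIGNATURES = {
    ".doc": [(0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1")],   # OLE2 compound document
    ".xls": [(0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1")],
    ".ppt": [(0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1")],
    ".zip": [(0, b"PK\x03\x04"), (0, b"PK\x05\x06")],      # second form = empty archive
    ".rar": [(0, b"Rar!\x1a\x07")],
    ".pdf": [(0, b"%PDF-")],
    ".mdb": [(4, b"Standard Jet DB")],                      # Jet signature sits at offset 4
}


def header_matches(path):
    """Return True/False for a monitored file type, None for anything else."""
    ext = path.suffix.lower()
    if ext not in SIGNATURES:
        return None
    with open(path, "rb") as f:
        head = f.read(64)
    return any(head[off:off + len(sig)] == sig for off, sig in SIGNATURES[ext])


def scan_tree(root):
    """Walk a share; return (number of monitored files, sorted list of bad ones)."""
    root = Path(root)
    suspect, total = [], 0
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        result = header_matches(p)
        if result is None:
            continue
        total += 1
        if not result:
            suspect.append(str(p.relative_to(root)))
    return total, sorted(suspect)


def backup_is_safe(root, max_bad_fraction=0.05):
    """Gate for the backup job: False when too many files lost their headers.

    max_bad_fraction is an assumed policy threshold, not a value from the post.
    """
    total, suspect = scan_tree(root)
    if total == 0:
        return True, suspect
    return len(suspect) / total <= max_bad_fraction, suspect


def build_demo_share():
    """Constructed sample share: five healthy files, one unmonitored, two overwritten."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    ole = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 64
    (root / "report.doc").write_bytes(ole)
    (root / "budget.xls").write_bytes(ole)
    (root / "manual.pdf").write_bytes(b"%PDF-1.4\n%constructed\n")
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 26)
    (root / "db.mdb").write_bytes(b"\x00\x01\x00\x00Standard Jet DB" + b"\x00" * 32)
    (root / "notes.txt").write_bytes(b"not a monitored type")
    # Simulated damage: headers replaced with placeholder text (not the real payload).
    (root / "plan.ppt").write_bytes(b"OVERWRITTEN PLACEHOLDER DATA\n")
    (root / "old.rar").write_bytes(b"OVERWRITTEN PLACEHOLDER DATA\n")
    return root


if __name__ == "__main__":
    share = build_demo_share()
    ok, bad = backup_is_safe(share)
    print("backup safe:", ok)
    for name in bad:
        print("  header mismatch:", name)
```

Run it before the tape rotation on the 3rd (or on every run); a sudden jump in header mismatches on a share is exactly the signal a SysAdmin needs to hold the rotation and restore from the previous healthy set instead of overwriting it.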

I'm not aware of any significant reports of infection in the corporate world; only some news reports said that around 80,000 systems were hit in India. I hope everyone has done their job of updating the virus patterns on all their users' computers, since Kama Sutra was one of the best-publicized viruses before the trigger date. Or possibly some companies are hiding it, or are not yet aware that they were infected! As I told you, the virus will not delete the files; it will only overwrite them and make them unusable.

Happy hunting!