Security experts have issued dire warnings this week over the Nyxem worm's file-destroying payload, set to detonate Friday, Feb. 3. But like other security pros, Hal Coghill, systems manager for Cornell
"I was initially concerned about this threat until I found out that the AV vendors now recognize this virus and are able to nullify it," Coghill said in an e-mail exchange. He said for organizations like his, if antivirus systems are doing their job, "then I really shouldn't be too worried, right? We'll see on Friday!"
Nobody can predict whether Friday will be a day of chaos or if Nyxem's payload will turn out to be a dud. But thanks to the advance warning, timely action from AV firms and more recent intelligence showing the worm's infection rate might be lower than first thought, more security pros are sharing Coghill's assessment that cyberspace won't implode this week.
Havoc or hyperbole?
As far as Cooper is concerned, the threat has been overblown from the start. "At first, when reports about deleted files started circulating, our thought -- and our thought now -- was that the world isn't going to come to an end," he said. "We haven't seen a massive number of people being infected with anything for some time, and there's no reason to believe there are massive infections in this case."
Cooper said the threat to enterprises is low because most are using some form of AV and have other basic security measures in place. If anyone gets hit, he said, it'll be the home users who don't pay much attention to security.
"Those getting infected are probably the types who don't have AV or a firewall to begin with," Cooper said. "Business users have the basic security and chances are they will not be impacted. They've had weeks to scan for malware and detect this. The likelihood that they'll have something dormant on their machines is extremely low. It's doubtful they are the ones on the worm's infection counter."
Early last week, security experts warned that Nyxem -- also known as Grew, Blackmal and Mywife, among others -- was tallying its infections on a Web-based counter. Some reports had the infection rate as high as a million-plus machines. But the latest estimates have taken that number down to around 300,000. Helsinki-based AV firm F-Secure Corp., one of the first to sound the alarm over Nyxem, reported in its F-Secure News from the Lab blog Tuesday that many of the machines logged on the counter have been disinfected already.
Meanwhile, most vendors say their AV signatures have been updated to detect the worm. For example, Cupertino, Calif.-based Symantec Corp. said in a statement that it has provided detection and removal for Blackmal-E since Jan. 17.
"With updated antivirus definitions, users will be protected against actions attempted by Blackmal-E," Symantec said, adding that it has rated the worm a "Category 2" threat on a scale of one to five, with five being the most severe.
Little damage in the business world
Ned Lindberg, systems engineer for Cameron, Wis.-based telecom company Chibardun Telephone Cooperative Inc., said he's been doing research on Nyxem in his spare time and has determined that the worm's infection counter should be taken with a grain of salt.
"I have seen infected machines contact the counter once, but I'm also seeing the counter get hit twice," he said. "I'm a bit curious about the variation, but it's what I'm seeing. There are probably a number of infected machines logged on the counter that have already been cleaned by AV." His research indicates most infections are occurring in countries such as India and Peru.
Lindberg agreed with Cooper that Nyxem will probably do little damage in the business world. "On the enterprise side, this is pretty well mitigated," he said, noting that he hasn't seen many businesses infected. "This seems most directed at home users and schools, which tend to be weaker on the support side."
As for his company's preparedness, he said his users are educated and his systems are prepared. "We have good enterprise-level AV and overall we feel good about the safety of our IT assets."
Don't get too comfortable
Still, security experts are warning IT professionals not to grow complacent.
While F-Secure said many infected machines have probably been cleansed of Nyxem, it noted that damage reports are already coming in. "The destructive deadline of the Nyxem-E worm is based on the clock of the infected machine, so if you're infected and your clock is not set right, things could start to happen at any time -- even though the official activation time is the 3rd of the month," F-Secure AV Research Director Mikko Hypponen said in a blog entry. "We've already received first reports from users who've had files on their system overwritten by the worm."
He then repeated details of what the worm is programmed to do: "When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, i.e. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives. Also, if you're taking daily automatic backups, you might end up backing up the corrupted files over good files."
The worm's destructive payload activates on the third day of each month, replacing the content of users' files with the text string 'DATA Error [47 0F 94 93 F4 K5].' Targeted file types include .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd and .dmp.
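The practical problem Hypponen raises is that a nightly backup will happily copy the overwritten files over the last good copies. The following Python 3 script is an added example written for this article, not code from F-Secure, Symantec, Microsoft or the worm's authors. It sweeps one or more roots (on a Windows host, one per drive letter, which is what the worm walks) for files with the extensions listed above whose leading bytes are the marker string quoted above, and returns a non-zero status so a backup job can refuse to run. The marker and extension list come from the text; the function names, the exit-code convention and the sample files in the usage note are assumptions made for the example.

```python
"""Pre-backup sweep for files overwritten by the Nyxem.E payload.

Added example for this article; not vendor code. The marker string and the
extension list are taken from the article's description of the payload.
"""
import os
import sys
from pathlib import Path

# Text the article says the payload writes over each targeted file.
NYXEM_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# File types the article lists as targeted by the payload.
TARGET_EXTENSIONS = {
    ".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
    ".zip", ".rar", ".pdf", ".psd", ".dmp",
}


def is_overwritten(path: Path) -> bool:
    """True if the file begins with the Nyxem marker.

    Intact files of these types start with a binary magic header (D0 CF 11 E0
    for OLE2 Office documents, 'PK' for ZIP, '%PDF' for PDF, '8BPS' for PSD),
    never with this ASCII string, so a prefix match is a strong signal.
    """
    try:
        with path.open("rb") as fh:
            head = fh.read(len(NYXEM_MARKER))
    except OSError:
        # Unreadable or vanished between listing and open: not a hit.
        return False
    return head == NYXEM_MARKER


def scan_roots(roots) -> list:
    """Walk each root (one per drive letter or mount point on a real host)
    and return the sorted paths of targeted files carrying the marker."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.suffix.lower() in TARGET_EXTENSIONS and is_overwritten(p):
                    hits.append(str(p))
    return sorted(hits)


def backup_gate(roots) -> int:
    """Pre-flight step for a backup job (assumed convention): 0 when nothing
    damaged was found, 1 otherwise, so the job can abort instead of rotating
    good copies out in favour of corrupted ones."""
    hits = scan_roots(roots)
    for h in hits:
        print(f"NYXEM-DAMAGED: {h}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Example: python nyxem_sweep.py C:\ D:\ \\fileserver\share
    sys.exit(backup_gate(sys.argv[1:] or ["."]))
```

Run it from the backup job's pre-script with every drive letter and mapped share the worm could reach, and treat a non-zero exit as "stop and restore from the previous set" rather than "skip the listed files": a hit on one share means the clock on some infected host has already passed the trigger, whatever the calendar says.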
Microsoft weighs in
Microsoft also issued an advisory this week, warning users not to take the threat lightly. However, the software giant said its Windows Malicious Software Removal Tool won't be updated until the next regularly scheduled security update on Feb. 14.
SearchSecurity.com asked Microsoft why the tool won't be updated earlier in light of the threat. A Microsoft spokesman gave the following answer by e-mail Wednesday:
"Customers who believe they are infected … or who are not sure whether they are infected, should contact their antivirus vendor," he said. "Alternatively, the Windows Live Safety Center beta Web site will scan computers and help remove Win32.Mywife [if] users select 'protection scan.'"
He added, "Microsoft updates the Windows Live Safety Center on a constant basis to help protect against recent variants of malicious software. Microsoft also updates the Windows Live Safety Center when some higher impact threats affect customers outside the monthly cycle. The signatures for those higher-impact threats are then rolled up into the regularly scheduled monthly update to the Malicious Software Removal Tool."