By Joris Evers
Monday, February 06 2006 09:31 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,39310001,00.htm

The Kama Sutra worm's anticipated bombshell ended up fizzling out, but experts are still divided on whether the brouhaha over the threat was justified.

The alarm around the worm may have helped avert a disaster for some PC users, since they were able to take action and clean up their computers, some experts say. But others fear that the predicted doomsday scenarios followed by a nonevent may cause PC users to become complacent about security alerts.

Kama Sutra, also known as MyWife, Nyxem, Blackmal and Grew and given the industry identifier CME-24, was designed to begin overwriting files on infected computers last Friday. However, the worm that spread under the guise of pornographic content has caused virtually no damage, according to antivirus makers.

"It has been a nonevent," said Vincent Weafer, senior director at Symantec Security Response. "We have been tracking our consumer tech support: Less than a handful of people worldwide have called in saying they might be infected."

One Italian city shut down its computers as a precaution after discovering an infection, according to media reports. Otherwise, the time bomb some in the security industry predicted the worm would be just fizzled.

But Kama Sutra was never going to cause mayhem on a large scale, said representatives for Symantec, McAfee and Trend Micro, the world's top three antivirus software makers. All three never raised their alert above "low" or "medium." Yet the level of public alarm generated over the worm was significant.

"It got a lot of media attention because of the name and the illicit material, but it did not get attention from the major antivirus companies," Siobhan MacDermott, a McAfee spokeswoman, said. "We kept the threat level low."

There was "some hype" fueled by some in the security industry that published high infection numbers, Symantec's Weafer said. "You have to be very balanced in your alerts. Some were throwing out crazy numbers and talking about this as if it was going to be a global attack. It was never going to be that."

Antivirus company F-Secure, for example, on Thursday displayed a map of the world on its Web site that suggested there was a large-scale infection around the globe.

The danger of hype is that PC users will become complacent about security alerts and not take any action the next time around, Weafer said. "You don't want consumers to say: 'This one was nothing, why would I care about the next one.'"

But others say the alarm over Kama Sutra was warranted.

"The reality is that there could have been hundreds of thousands of computers with overwritten files today," said Ken Dunham, the director of rapid response at iDefense. "Instead, we only have a handful of reports, and that is a hands-down victory for the collaborative effort of the security community."

At F-Secure, experts aren't convinced the Kama Sutra attack is over.

"(The) vast majority of the machines infected...are home computers. Nothing will happen on them until people get home from work and boot up their machines," Mikko Hypponen, F-Secure's chief research officer, said in a blog posting late Friday. "We'd like to think that the whole problem was avoided and everybody cleaned up their machines in time. But unfortunately, that's probably not true."

F-Secure predicts that the full scope of the problem won't come to light until the weekend or early next week.

Meanwhile, McAfee, Symantec and Trend Micro say Kama Sutra has come and gone. Still, PC users should keep their antivirus software up to date to be protected against possible variants.