Known as BlackWorm, the malcode has been spreading via email since the weekend. It generally arrives as a .pif or .scr attachment, masquerading as a porno picture.
Once installed, it waits until the 3rd of the month, then attempts to delete files that have extensions including .doc, .xls, .ppt, .pdf, .rar and .zip — basically, the formats in which most Windows users have their most important data.
Antivirus companies have been able to track the spread of the worm because BlackWorm, once installed, attempts to connect to a counter at a publicly accessible web site. At the time of writing, the counter had clocked up over 700,000 hits.
According to the SANS Institute’s Internet Storm Center, one way to discover whether a machine on your network has been infected is to check if any machine has connected to any URL at webstats.web.rcn.net without a referrer field in the HTTP header.
The worm is also known as Kama Sutra. All the major antivirus software vendors already offer signatures for this malcode.
