Security threats Toolkit

Easynet sends warnings to virus victims

Tags:
Nyxem

Tom Espiner ZDNet.co.uk

Published: 30 Jan 2006 11:55 GMT

A UK Internet Service Provider (ISP) is contacting customers it believes may be infected with the Nyxem virus.

When a computer is infected by Nyxem, it visits an online Web counter that counts how many PCs have been infected. Easynet is monitoring traffic to this Web counter and sending a warning to every user that visits it, explaining that their machine could be infected.

ISPs have been attacked in the past for failing to responsibly monitor the data they pipe to home users, and for failing to share the responsibility for the ever-growing virus and spam burden that is falling on businesses and consumers.

"ISPs do the equivalent of pumping out raw sewage into your home. You wouldn't expect to have to filter your own water, so why do home users have to filter their own data?" Paul Wood, MessageLabs senior analyst, told ZDNet UK in November.

Easynet's actions may indicate that ISPs are taking this issue more seriously. Security firm F-Secure applauded the move in its blog, and encouraged other ISPs to warn their customers about such attacks.

"We think it's a good idea that ISPs warn people about viruses in general and I think it's a great idea that Easynet proactively took this step," F-Secure security expert Patrik Runald told ZDNet UK.

"Obviously with 300 or 400 viruses being detected every day ISPs can't warn their customers about all of them, but in this type of case it's a really good idea."

F-Secure encouraged other ISPs to notify any customers who are infected with Nyxem before 3 February, when the virus is due to deliver its payload.

"We thought this was an excellent idea and wanted to promote it! We encourage other ISPs to do the same as it will help users disinfect their machines before the 3rd of February," said F-Secure in its blog.

Nyxem's payload will delete all Word, Excel, PowerPoint, and PDF file types from a compromised PC. The multi-faceted malware will also attempt to propagate itself both through email and as a network worm, which can be particularly damaging on closed networks.

"Nyxem is certainly malicious. It can be delivered via email, but also as a network worm. It probes other PCs on a closed network to compromise them and send itself to the other computers, to infect as many hosts as possible," said Jason Steer, technical consultant at security company Ironport, on Thursday.

The malware hides in attachment types not typically blocked by attachment filters.

Companies are unlikely to be directly affected by the virus if they are running up-to-date antivirus software, said Ironport, because the major antivirus vendors have now released patches. But the company warned on Thursday that firms could experience secondary effects as the virus tries to propagate itself by harvesting email addresses on an infected machine.

"The knock-on effects will come as compromised PCs try to communicate with businesses. This will cause additional email and network traffic, and possible slow down email response time," said Steer.