Nyxem worm: Quiet so far

"So far, we haven't received any Nyxem damage reports," writes Mikko Hypponen, manager of anti-virus research at F-Secure, in his Weblog. F-Secure has been tracking Nyxem infections over the past few weeks. According to Hypponen, "The vast majority of the machines infected by Nyxem are home computers."

According to Hypponen, this may indicate that "the full scope of the problem won't come to light until the weekend or early next week" when home-computer users find out their files have been overwritten by the Nyxem worm.

Marc Solomon, director of product management at McAfee -- which calls the Feb. 3-activating virus the MyWife worm -- also said there were no indications of widespread destruction at this point.

F-Secure and McAfee see the most frequent worm infections in India. McAfee said Peru is somewhat of a hot spot relative to the lack of activity seen elsewhere. He speculated this may be because computer users in these countries don't use anti-virus software as frequently as those in other countries.

Anti-virus firms, which have known about the Nyxem worm for two months, have provided anti-virus updates that protect against Nyxem. There are an estimated 300,000 infections of Nyxem in computers worldwide, with a possible 100,000 in the U.S.

Anti-virus software vendors Sophos and Symantec also say they see no signs at all of Nyxem infections activating a payload to wipe out files in infected computers.

"Globally, we have a grand total of zero reports of damage," says Graham Cluley, senior technology consultant at Sophos. Sophos provides security software to enterprise customers, not consumers, so its analysis doesn't reflect what might occur to home PC users.

Cluley acknowledges that certain quarters of the anti-virus industry had anticipated widespread destruction from Nyxem, so "everyone's looking a little sheepish." The widespread attention to Nyxem from the media led to warnings about Nyxem from CNN and ABC News, among others, but so far Nyxem has not brought about the kind of damage that had been anticipated.

Most anti-virus software providers have not been alarmist about Nyxem because their anti-virus products had been updated for several weeks to protect against the virus.

The Russian stock exchange shut down for about an hour Thursday, purportedly because of a virus outbreak. The Russian exchange has resumed today. So far, there's no information to indicate the Nyxem virus played any role.

About the Nyxem worm, Cluley said the security industry had been aware for a few weeks of a Web site (which he declined to specify) that the worm, once it had infected a machine, would contact as a way to call home and report it had infected a computer.

The security industry was watching a Web-counter mechanism for the site to ascertain how many machines were infected. However, these numbers were probably greatly exaggerated because the Nyxem worm called the site multiple times from each machine, and hackers were pinging the Web site to drive up the numbers. "The data was bogus," says Cluley, saying this was recently determined by examining the records of an ISP he declined to name.

Nevertheless, Sophos still thinks Nyxem is the "third most commonly encountered virus" on the Internet, based on its own e-mail sampling methodology, Cluley says.

Symantec's senior director of the Symantec security response center, Vincent Weafer, calls Nyxem "primarily a non-event." Symantec, which provides both consumer and enterprise anti-virus products, has seen almost no reports at all of Nyxem becoming activated on Feb. 3 to destroy computer files in desktop PCs. "In Asia, we had three or four calls about it," Weafer says. "That's it."

Part of the reason Nyxem is a dud is that it doesn't always work right in trying to execute its payload, Weafer points out. Nonetheless, Nyxem is still circulating as an e-mail-borne virus and will continue to try to activate its payload on infected computers on the 3rd of every month from here on.

That means both consumers and businesses will want to make use of some tools - several of the anti-virus vendors, including Symantec, have made free tools available - to eradicate any trace of it from their machines.