Protected companies need not fear Blackmal worm

Computerworld - The Blackmal e-mail worm, which is programmed to delete certain files on infected machines this Friday, should pose little threat to organizations that have implemented basic security best practices, according to analysts.
But the worm, which goes by more than a dozen different names, highlights the need once again for the industry to come to some sort of a consensus for identifying viruses in a standard fashion, they added.
The Blackmal threat, also known as Nyxem.E, Grew A., Kapser, Mywife and Kama Sutra, spreads via e-mail attachments or file shares.
According to a description of the worm on the SANS Institute Web site, once the worm infects a system on a network via e-mail, it tries to infect all shared file systems it has access to. The worm also attempts to disable and delete most antivirus products on the machine and then e-mails itself to others using a variety of file names and extensions, said Bethesda, Md.-based SANS.
The worm's payload is triggered to go off on the third of every month, when it deletes information from common file formats on the infected system.
"The worm regularly checks the system time. When the system data is the third of the month, 30 minutes after the victim machine is booted, Nyxem will delete information from common file formats, replacing data with a meaningless set of symbols," according to an advisory from Kaspersky Labs.
As a result, the consequences can be severe for users whose systems are infected by the worm, said Ken Dunham, director of malicious code research at iDefense Inc. in Reston, Va.
"Generally, we don't see that many worms sent out that attempt to delete data" on infected systems, Dunham said. "So obviously this is a concern. But it is more of a home- and small-office threat," he said.
For most larger enterprises, Blackmal presents a well-understood type of threat that is relatively easily blocked using up-to-date antivirus signatures and filtering techniques, he said.
"In most cases, blocking executable and unknown file types at the e-mail gateway is enough to prevent the worm from entering a network," according to an advisory by Chicago-based security firm Lurhq Corp., which also published Snort signatures to detect infections of the worm.
The worm also requires administrator rights to be present on a computer for it to do any damage, Dunham said. "In an enterprise network environment, they usually lock down such rights" to prevent code execution and installation, he said.
The fact that the worm does not attempt to get across virtual