A virus that scheduled to begin deleting files from infected Windows computers is unlikely to result in widespread damage, security vendors have said.
F-Secure had been in contact with one large US company that had "tens of thousands of infected computers," said Mikko Hypponen, F-Secure's chief research officer.
The company -which Hypponen declined to identify but said was not an F-Secure customer - had been working to cleanse the machines. It may keep its computers switched off Friday as a precaution until it can be sure they are virus-free.
There had been no reports early Friday of data being wiped out, although antivirus vendors said it may take a few days for problems to emerge, especially for consumers, who are less likely to notice damage right away. The virus has several names, including Blackdoom, Nyxem, Kama Sutra and Mywife. It was detected in mid-January.
Antivirus vendors have been updating their software to protect and cleanse machines of the destructive code, said David Emm, senior technology consultant at Kaspersky Labs. The malware contains code that will overwrite most files on a computer on the third day of each month, replacing them with error messages.
Computers become infected if a user opens a PIF (Program Information File) attachment contained in an e-mail. In addition to dropping the destructive code on a computer, the worm harvests e-mail addresses and sends itself out again. The emails often uses the promise of pornography to lure users into opening the attachment, a relatively dated method.
Up to 300,000 machines may be infected worldwide, with concentrations in India, Turkey, Mexico, Peru and Australia, according to antivirus vendors. The spread of e-mail worms is fairly random, Hypponen said.
Those countries may be affected the most if the worm happened to find computers with big lists of e-mail addresses in those countries to mail itself out to, Hypponen said.
India appeared to have been infected the most as of Friday morning, with the virus emanating from around 4000 IP addresses in that country, said Alex Shipp of MessageLabs. About 1000 IP addresses were affected in the US, and 102 in the UK, he said.
It may take a few days for the "sob stories" to emerge from hapless users, Shipp said.
The number of attacks against customers of SecureWorks has doubled since Tuesday to 939, the company said. It reported the most activity in India, Australia and the US.
Machines protected by antivirus software could still be vulnerable since other malware, such as the Bagle virus, can shut off those programs, Hypponen noted.
Publicity surrounding the worm may have made users more careful about protecting their computers. A chain of computer stores in the UK was warning users of the worm on its call-in number.
"At the moment, we are not sure of the impact of it," said Omar Qureshi, who works on the PC service team for PC World stores. It may be three or four days before reports of problems trickle in, he said.