The contents of this legacy page are no longer maintained nor supported, and are made available only for historical purposes.

Nyxem Spread in the Americas

The Spread of the Nyxem (or Blackworm or Kama Sutra or MyWife or CME 24) Virus in the Americas in January and early February 2006.

Support for this work was provided by Cisco Systems, NSF, DHS, and CAIDA members.

Cooperative Association for Internet Data Analysis University of California at San Diego San Diego Supercomputer Center Cisco Systems National Science Foundation U.S. Department of Homeland Security

In most countries with significant numbers of computers infected by the Nyxem virus, the infection peaks in the first few days of virus spread. However in many Spanish-speaking countries in the Americas, the virus does not take hold until four days after it has peaked on the other continents and in other countries in North America in which Spanish is not the dominant language.

This effect is most prominent in Peru, although it is visible as either the primary peak in infection rate, or a new surge in infections, in most Spanish-speaking countries in the Americas. The timing of the second infection peak is otherwise unusual, as it coincides with a weekend -- typically a quieter period in virus spread as people engage in recreational activities away from computers.

The infected population in Peru is highly unusual -- it's peak rate is an order of magnitude larger than that of other countries in the region. Despite significant investigation in search of specific anomalies that could represent denial-of-service attacks or other activity causing non-virus-related hits on the website used to track the progress of the virus.

Spain, a Spanish-speaking country outside the Americas, shows an infection peak in the first two days of virus spread, as is typical for most other countries with significant infected populations. Brazil, a Portuguese-speaking country in South America also shows the typical infection pattern with an early peak, leading us to wonder if a Spanish-language variant of the worm was released four days after the initial version. It is also possible that this unique pattern is an artifact of the normal person-to-person spread of the email virus. The United States and Canada show the typical infection peak in the first two days of virus spread.



About the Authors:

David Moore is the Technical Director of CAIDA and Ph.D. Candidate in the UCSD Computer Science Department. Colleen Shannon is a Senior Security Researcher at the Cooperative Association for Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC) at the University of California, San Diego (UCSD). David and Colleen also run the UCSD Network Telescope. The Network Telescope and associated security efforts are a joint project of the UCSD Computer Science and Engineering Department and the Cooperative Association for Internet Data Analysis.

This work was sponsored by:

Cooperative Association for Internet Data Analysis University of California at San Diego San Diego Supercomputer Center Cisco Systems National Science Foundation U.S. Department of Homeland Security
Grants from
Cisco Systems, the National Science Foundation (NSF), the Department of Homeland Security (DHS), and CAIDA members.

Published