Pete Lindstrom of Spire Security has a great post on some of the mania inherent to the possibility and reality of virus outbreaks. His little exp

This isn’t an “analysis” – it is flippant because it makes fun of our evidence, not the potential impact of the worm itself, which I agree has a much more destructive payload than most worms do and deserves some attention. I guess my worry is that the threat level really isn’t obvious and yet we are treating it as such.

Decompiling the worm helps with payload, but I don’t see how it helps with the counter. Keep in mind that any access increments the counter, so two ways right off the bat where I can doctor it are 1)write a script that requests that page and just loop it; or 2) mimic the worm and keep it running on a test machine. I still suspect the counter can be incremented manually, but I haven’t done any detailed analysis.

Part of the problem with this type of evidence is simply that we jump to conclusions that support our way of thinking. If this counter were of, say, the number of machines on the Internet that aren’t 0wn3d, then everyone would make fun of it. But because it fits in with our view of the world, we trumpet it from the highest mountain. I think that is dangerous and it creates a blindside.

First, the actual worm code has been decompiled so they should be able to tell whether the worm is incrementing the counter by 1 or 10k per infected machine. Also it seems http://webstats.rcn.com/ are a normal webstat monitoring service, not under the control of the worm creator, making it difficult to jimmy the stats before hand, but not impossible.

It would be nice to see some evidence beyond the web counter though. It seems two AV sensor networks, F-Secure and Symantec disagree. F-Secure has the threat at 2nd on their malicious activity list, and Symantec’s DeepSight analyser seems to not be picking up anything ‘anomalous’.

I guess we will just have to wait till Feb 3rd to guage the impact.