Antivirus Vendors Warn Against Sircam


Antivirus Vendors Warn Against Sircam

Atypical e-mail-borne worm, Sircam, appends your Windows files to an e-mail and sends it on.

Ellen Messmer, Network World Fusion

Friday, July 20, 2001

Antivirus software vendors are raising the alarm about a Windows-based e-mail computer virus dubbed Sircam that can potentially wipe out files on a hard drive or make a computer crash, although it doesn't appear to do so consistently.

Sircam is yet another computer virus that arrives with an e-mail attachment, asking gullible victims--in either Spanish or English--to open an attached document, at which point its damaging payload strikes. Although Sircam doesn't consistently damage every computer it lands on, it may randomly create a new file in a victim's hard drive in order to fill it up and make it crash, or simply delete all the files on the machine.

As an e-mail-borne virus that mails itself using a victim's Outlook directory, it can also wreak havoc by jamming e-mail servers. "It's been reported by more than 25 different corporations already, so we're drawing attention to it," says Steve Trilling, director of research at Symantec's antivirus research center, where the security vendor analyzes new computer viruses and finds defenses for them. Many antivirus vendors, including Network Associates (McAfee) and Trend Micro, also have updates to defend against Sircam.

A Windows Virus That Grows

Sircam differs from e-mail viruses like the recent Anna Kournikova virus in that Sircam is a Windows program that can search a hard drive for document files, Excel spreadsheet files, Zip files, or executable files, and then append them to the end of the attachment it sends.

"It doesn't show up as a second attachment--it just gets bigger," Trilling says. "It's a strange thing, adding it to its own program."

Though Sircam isn't the most destructive virus that the antivirus software vendors have seen, its atypical features have made it a curiosity to antivirus experts eager to see it wiped out.

"What's unique is that it randomly grabs a file name and uses it as a subject line," says Vincent Gullotto, senior director at McAfee's Avert Labs, about the Sircam virus. "Most viruses come with a single subject line or one that gets rotated periodically."

Its ability to change the subject line is causing otherwise cautious people to open the Sircam e-mail attachment.

McAfee has seen the virus slowly succeed in spreading itself over the last few days.

-- PHO (owennos@bigfoot.com), July 20, 2001

Answers


just got this from my wife.
A word of addvice: If it a letter has lame speeling then be leary, unless it is a letter from someone who has really pour spelling, then all bets R off. :)

Subject: Virus Alert
McAfee.com has seen a large and growing number of consumer computers
infected with W32/SirCam@MM. This is a HIGH RISK VIRUS FOR CONSUMERS. The
infected email can come from addresses that you recognize. Attached is a
file with two different extensions. The file name itself varies.
The email message can appear as follows:
--------------------------------------------------------------------------
Subject: [filename (random)]
Body: [content varies]
---ENGLISH VERSION---
Hi! How are you?
I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for
See you later. Thanks

---SPANISH VERSION---
Hola como estas ?
Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste
Nos vemos pronto, gracias.

-- (perry@ofuzzy1.com), July 20, 2001.
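
The indicators quoted in the alert above (the fixed greeting, one of four middle lines and the closing, plus an attachment with two different extensions) can be checked mechanically at a mail gateway. The following Python sketch is an added example, not part of the original thread or of McAfee's alert; the function names and the sample message are constructed for illustration, and the two-extension test is a generic heuristic because the alert does not list the extensions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Body lines as quoted in the alert above: (greeting, middle variants, closing).
TEMPLATES = {
    "en": ("Hi! How are you?",
           ["I send you this file in order to have your advice",
            "I hope you can help me with this file that I send",
            "I hope you like the file that I sendo you",
            "This is the file with the information that you ask for"],
           "See you later. Thanks"),
    "es": ("Hola como estas ?",
           ["Te mando este archivo para que me des tu punto de vista",
            "Espero me puedas ayudar con el archivo que te mando",
            "Espero te guste este archivo que te mando",
            "Este es el archivo con la información que me pediste"],
           "Nos vemos pronto, gracias."),
}

def norm(s):
    return re.sub(r"\s+", " ", s).strip().lower()

def body_template(text):
    """Return 'en'/'es' if greeting, one middle line and closing appear in order."""
    lines = [norm(l) for l in text.splitlines() if l.strip()]
    for lang, (first, middles, last) in TEMPLATES.items():
        mids = {norm(m) for m in middles}
        for i in range(len(lines) - 2):
            if lines[i] == norm(first) and lines[i + 1] in mids and lines[i + 2] == norm(last):
                return lang
    return None

def double_extension(name):
    """True for names ending in two different short extensions (heuristic)."""
    m = re.fullmatch(r".+\.([a-z0-9]{1,4})\.([a-z0-9]{1,4})", name.lower())
    return bool(m) and m.group(1) != m.group(2)

def inspect_message(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    lang = body_template(body.get_content()) if body else None
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    flagged = [n for n in names if double_extension(n)]
    return {"template": lang, "attachments": flagged, "suspect": bool(lang and flagged)}

def build_sample(body, filename):
    """Constructed test message; the attachment bytes are an inert placeholder."""
    m = EmailMessage()
    m["Subject"] = filename.split(".")[0]
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

The two-extension test also fires on benign names such as `report.tar.gz`, which is why the verdict requires the body template to match as well.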

