Now it's getting personal - the prying email virus

More internet news

Stuart Millar Technology correspondent Tuesday July 24, 2001 The Guardian

Europe was last night braced for the onslaught of an email virus which has the power to send your most embarrassing documents and pictures to every name in your electronic address book. Hot on the heels of the Love Bug and the Anna Kournikova worm, comes SirCam, a nasty strain which first appeared last week and is spreading rapidly across the internet.

Last week, virus scanners were registering only one or two copies of SirCam a day and it was assumed it would fade into obscurity. But yesterday, with the tally of infected mail rising to almost 4,000 within 24 hours - most of it originating in the US - security experts warned European users to put up the barricades.

Like all previous mass mailer viruses, SirCam arrives in the form of an email attachment. If opened by the recipient, it sends itself to every name on the victim's address book. By spreading in this way, viruses such as the Love Bug quickly became global outbreaks, causing millions of pounds worth of damage to computer systems.

But SirCam has an even nastier trick up its sleeve. Before forwarding itself on, it raids the infected PC's My Documents folder - where most users store their most private or sensitive material - and randomly selects a file which it sends out with the infected email.

Confidential commercial files, such as client lists or new product information, could be sent around the world in seconds, as could more revealing personal documents, such as job applications or private letters.

"There are serious implications for security and privacy," said Alex Shipp, senior anti-virus technologist at MessageLabs, a Gloucester-based virus scanning service which has intercepted almost 8,000 infected emails since last week. "The virus could pick any file that is in there, and if it picks something questionable, the user could be seriously embarrassed."

To add insult to injury, SirCam, which is believed to have originated in Latin America, also goes through the computer's web cache - the store of internet sites the user has visited - and emails itself and the document to any addresses it finds on there.

Popular websites, such as news and sports services, reported yesterday that although they had avoided infection, they were being deluged by unwanted mails generated by the virus.

SirCam's novel design and behaviour are disturbing evidence of the increasing technical sophistication of virus writers. In previous outbreaks, the initial explosion of the virus was usually contained within a few days. SirCam, however, has been able to thrive because it does not always put the same message in the email subject line. Instead, it puts the name of whichever file it has raided from the My Documents folder.

The body of the email is also semi-random, but always contains the same lines at the beginning and end, in either English or Spanish. In the English version, the first line is "Hi! How are you?" and the last is "See you later. Thanks." The virus is not activated until the attachment to the email is opened.

"It certainly has a couple of new tricks", Mr Shipp said, "and that is all it takes to get a big explosion these days."

http://www.guardian.co.uk/Distribution/Redirect_Artifact/0,4678,0-526550,00.html

-- Martin Thompson (mthom1927@aol.com), July 25, 2001