July 23, 2001 3:30 PM PDT
SirCam clogs mailboxes, spreads secrets
SirCam worm cripples e-mail
Vincent Gullotto, senior director, McAfee's Avert Labs
The worm, which cropped up last week, continued to infect systems across the world over the weekend.
"It's not quite a 'Love Bug,' but it's spreading very virulently," said Vincent Weafer, director of software maker Symantec's Antivirus Research Center in Santa Monica, Calif. Symantec rates the worm a four on its scale of one to five, with five being the most dangerous.
Zachary Gaulkin, editor of news site MaineToday.com, said he arrived at work Monday to find thousands of infected e-mails, some with attachments as large as a couple of megabytes each.
"I had 3,200 in my in-box this a.m., and they are still coming in," Gaulkin said in an e-mail interview.
Like many other worms, SirCam spreads by e-mailing copies of itself to everyone in the infected computer's Microsoft Outlook address book. An added twist with SirCam is that the worm sends a random file from the infected computer's hard drive, potentially sending confidential business data or embarrassing personal information along with it. The subject line matches the name of the file being sent.
"That's a far more serious consequence for a person or business," Weafer said. "Once a document is gone from your organization, it's gone."
Pennsylvania e-mail user Carl Schaad said he had received numerous infected messages by Monday morning, including many with sensitive attachments. "I've already received memos, resumes, job listings and, in one case, a Visa number in a letter written to Amazon.com," he said.
Worm-infected messages received by CNET News.com have included titles such as "Dear Diary," "expense distribution," "Wayne Gretzky" and "Pork with Leeks and Egg."
One factor limiting the likelihood that such files will actually be read is the fact that most network administrators set their e-mail gateways to delete infected files. However, the settings can be changed to allow worms to be removed and the infected files opened.
Weafer said the company received about 400 new reports of the worm Monday morning from customers and those who use its Web site. That's about the same number that came in on Thursday and Friday.
Network Associates' NAI Labs on Monday upgraded the worm to a level of 'high risk' from its previous 'medium risk' designation, noting the virus can be spread not only to addresses listed in the Windows address book files but also those stored in a Web browser's cache files.
Chris Ashurst, a resource management consultant in British Columbia, considers himself lucky that he didn't infect his friends and colleagues after receiving the file on Friday.
Ashurst said he considered opening the file but decided it was a bit cryptic. When the next message from the same address was another copy of the same large attachment, he decided to put them both in the trash can and empty it.
"I'm also the local, self-taught amateur system admin guy for the office, and luckily I managed to alert the rest of the office before they got infected, too," Ashurst said in an e-mail interview.
An e-mail bomb
Kim Kruse of Huntsville, Ala., said a deluge of SirCam messages made it hard for her to do anything online Monday. "I am on a dial-up (Internet account), and each file is about 185-200 kilobytes, so it is really clogging up my speed when it downloads," she wrote in an e-mail interview. "It has taken almost an hour to check my mail this morning?It just keeps coming in like an e-mail bomb."
British e-mail screening specialist MessageLabs reported seeing 7,129 copies of the worm as of noon Monday British time.
"Although we have seen significant numbers of this virus in the U.S., we believe that Europe is still waiting to feel the brunt of the SirCam virus," MessageLabs Chief Technology Officer Mark Sunner said in a statement.
Although SirCam continues to spread, it appears to be getting caught before it can do much damage.
"We're seeing it bounce off the firewall," said David Perry, global director of education for antivirus software maker Trend Micro. "I am not seeing any reports of destructiveness."
Perry noted that while most viruses appear to come from someone the recipient knows, this one can also come from strangers because it uses both address books and information stored in the Web browser's cache files to search for e-mail addresses.
"If you visit a Web page and there is in the HTML (code) an e-mail address included...then that email will be among the recipients if the virus is executed on your machine," Perry said.
As a result, SirCam is hitting individuals as well as corporations that use Microsoft Outlook. Trend Micro said late Monday that 2,117 people had reported infections to its Web site in the preceding 24 hours.
"That's up substantially in the past couple of hours," Perry said. "It's still overshadowed by an outbreak of the Love Letter.A virus in Africa."
So far, the worm still can be recognized because the text of the message contains one of three messages in either Spanish or English. They are "Hi! How are You?" "I send you this file in order to have your advice" and "See you later. Thanks."
MessageLabs said the English body text was present in 86 percent of the copies it received, with the remaining 14 percent bearing the Spanish translations.
Typically, variants crop up in which the body text of a worm is changed, but Weafer said so far he has seen only the single strain of SirCam.
"I would not be surprised if we did see variants," he said.
While SirCam's self-propagation is typical of a worm, it also has several characteristics of a virus, including the ability to attach itself to files.
Besides sending torrents of e-mail, SirCam can perform several destructive acts based on a combination of arcane PC settings and chance. If the infected PC uses the European date format (day/month/year), for example, there is a 1-in-20 chance that the worm will delete all files and folders on the hard drive on Oct. 16.
The worm is also "network aware," Symantec reported, meaning it will search for network resources and attempt to propagate itself to attached systems.
News.com's David Becker contributed to this report.