
SirCam Ready to Drop Payload

posted on October 12, 2001 by hitbsecnews

I send you this article in order to give you advice: SirCam, the annoying e-mail worm that simply won't go away, will turn feral Oct. 16.

According to analysis of SirCam's code, every year on Oct. 16 the worm will delete all the files and folders contained on the hard drives of randomly selected SirCam-infected computers.

Those who have clicked on a file attached to an e-mail that reads, in part, "I send you this file in order to have your advice," have a few days to make sure the worm is not lurking in their computers.

After that, they may become unwitting participants in the worm's nasty little game of chance next Tuesday, when SirCam will begin deliberately selecting victims for mass file deletion from among all infected computers whose "Date/Time" system settings use the "Day/Month/Year" format. It will not activate on computers that use the "Month/Day/Year" format.

SirCam, which first surfaced mid-July, is still quite active. Computer Economics, a technology research firm, estimated that by the end of August, SirCam had infected 2.3 million computers.

Messagelabs, an antiviral service firm, saw 143,949 copies of SirCam being passed around in e-mails during September, a figure in line with the totals given in other antiviral software companies' reports.

Any PC running Windows 95, Windows 98, Windows Me, Windows 2000 or Windows NT can be infected with SirCam by clicking on a virus-laden e-mail attachment. The virus can infect users of those operating systems no matter what e-mail program they use since it takes advantage of a vulnerability in Microsoft's operating systems.

Mac and Linux users can only be infected if they are running a Windows program emulator, an application that allows them to run PC programs.

Due to a glitch in SirCam's code, the worm does not replicate on Windows NT or 2000 computers, but its other capabilities seem to remain active.

SirCam has two "payloads" -- destructive actions that it performs on infected computers -- both controlled by random numbers generated by the worm.

On Oct. 16, the worm will generate a number that has a one-in-20 chance of matching a number contained in the worm's code. If it matches, the infected drive will be freed of all its files.

The other payload, also activated by a random number generated by the worm, happens when a computer is first infected with SirCam. Here the odds are one in 50 that the virus will completely fill an infected machine's hard drive with a string of text.

The text string appears to roll the virus' credits and reads as follows: '(SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico)'

The town of Cuitzeo holds a big festival on Oct. 16.

Ridding a machine of SirCam is not an easy task, according to Vincent Gullotto, senior director of McAfee AVERT Labs.

"It is very important that SirCam files are not simply deleted if found, since this will make the PC unusable until various registry modifications have been made," Gullotto said.

But many antiviral companies have provided free, easy-to-use SirCam removal tools that will safely purge the worm from infected systems.

SirCam has topped antiviral companies' threat lists since shortly after its debut, and continues to stream into many in-boxes.

"Very few antiviral products were able to detect SirCam at first, and the social engineering was simple but effective," said Alex Shipp, senior anti-virus technologist at Messagelabs. "A few lines in an e-mail exhort you to open the attachment, and when you do, you see the thing you were expecting, so you don't realize the PC has become infected."

SirCam picks up a random file from an infected computer, inserts the virus into that file, and then e-mails it as an attachment to random e-mail addresses culled from a user's e-mail address book and Internet cache files.

Shipp said that Messagelabs' statistics show SirCam still tops the charts as the most prevalent virus.

Shipp also said that the general virus per e-mail rate is rapidly increasing.

"The ratio was around one virus per 1,500 e-mails for the whole of 1999. Now it is around one virus per 500 e-mails. It seems that old viruses do not die out, but instead reach a steady state level at which new PCs become infected at the same rate as infected PCs are cleaned."

Antiviral software is not foolproof. Viruses and worms can waltz merrily by any antiviral software that looks for specific, known threats. Until the antiviral companies analyze the new worm or virus and release an update to their software -- a process that can take a few days -- a new or modified virus can spread rapidly until the update is released and users download it.

"Whenever we have to rely on any user intervention for virus prevention, there will never be a way to stop any virus all the time," Steven Sundermeier, president of Central Command, said. "It is our responsibility to develop future tools that will take these decisions away from the user."

But other experts said that it's time for users to educate themselves, instead of blaming software companies for releasing products with security holes that allow worms to propagate.

"Microsoft has gotten a bad rap," Tom Liston of Hackbusters said. "Does their software have flaws that allow these things to proliferate? Sure. But that is really, really old news. The folks in Redmond should -- and did -- take the heat for the first few times this happened, but it's now time for 'Joe User' to step up and take his dose of responsibility."

Source: Wired.
