SirCam is a sophisticated worm that infects files shared over an open network, so most people will never see the original infected e-mail associated with the worm. SirCam (w32.Sircam@mm) also contains a dangerous payload: it may delete all the files on the C drive in mid-October. Antivirus vendors are continuing to examine the worm while reports of infection increase worldwide. SirCam currently ranks as a 6 on the ZDNet Virus Meter.
How it works
SirCam initially arrives as an e-mail message with the following information in either English or Spanish:
Body: (Random content -- see below)
The body of the e-mail will always begin with "Hi! How are you?" and end with "See you later. Thanks." In between these opening and closing lines will be one of the following:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for
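A mail-gateway check for the body template described above, written as an added example (not code from ZDNet or any antivirus vendor). It covers only the English lines quoted in this article; the function names, addresses and attachment name are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Body template lines as quoted in the article (English variant only).
OPENING = "Hi! How are you?"
CLOSING = "See you later. Thanks."
MIDDLE_LINES = (
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I send you",
    "This is the file with the information that you ask for",
)

def normalize(text):
    """Collapse whitespace runs so line wrapping does not defeat the match."""
    return re.sub(r"\s+", " ", text).strip()

def check_message(raw_bytes):
    """Report whether a raw message fits the template and carries a file."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = normalize(part.get_content()) if part is not None else ""
    attachments = [a.get_filename() for a in msg.iter_attachments()]
    template = (
        body.startswith(OPENING)
        and body.endswith(CLOSING)
        and any(line in body for line in MIDDLE_LINES)
    )
    # Flag only when the template text arrives together with an attachment.
    return {
        "template_match": template,
        "attachments": attachments,
        "quarantine": template and bool(attachments),
    }

def build_sample(body, attach=True):
    """Constructed test message; addresses and file name are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "sample"
    m.set_content(body)
    if attach:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()
```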
If a user clicks on the attached file, SirCam will copy itself to the Windows System directory with the name scam32.exe. The worm changes the Windows registry key so that it always launches upon system startup. The worm will check to see if there are any open shares on a network and if so, SirCam will copy rundll32.exe to the system, renaming the existing rundll32.exe to run32.exe.
SirCam contains its own e-mail capabilities using SMTP (similar to a feature found in the Magistr virus).
SirCam also spreads among open file shares on a networked system (in other words, if you can access other directories on other machines, that's an open file share). Antivirus vendors are suggesting that many more people will be exposed to SirCam via open networks than through e-mail. It is possible that individual computers on a shared network could become infected multiple times until all instances of the worm are removed from the shared network.
Removal and prevention
Antivirus software companies are in the process of updating their signature files to include SirCam. For more information on removing SirCam from your system, see Sophos, Symantec, McAfee, Central Command, and Trend Micro.
Here are the basic steps for containing this worm:
Download Microsoft's Outlook Security Patch. If you haven't already installed it, download the Outlook 98 Security Patch or the Outlook 2000 Security Patch. Please note that this patch does not include Outlook Express. Click here for help with installation, or for more information regarding this patch.
"Don't open attachments!" One of the best ways to prevent virus infections is not to open attachments, especially when worms such as SirCam are being actively circulated. Even if the e-mail is from a known source, be careful. A few worms take the mailing lists from an infected computer and send out new messages with their destructive payload attached. Always scan the attached files first for worms. Unless it's a file or an image you are expecting, delete it.
Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these top-rated programs then following the installation instructions. If you're on a network, check with your network administrator first.
Scan your system regularly. If you're just loading antivirus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the antivirus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.
Update your antivirus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat. You can also scan your system for the latest security updates here.