SirCam slowing, but threat lingers

The worst is over, but don't let down your guard yet. The email worm is slowing down but it continues to spew out messages and share documents.

Written by Robert Lemos, Contributor

The SirCam worm slowed its advance Thursday but remains a threat, antivirus experts warned.

"The worst is over, but we won't see a huge drop-off yet," said David White, technical manager for British email service provider MessageLabs. "It is still by far the most prolific virus that is currently spreading."

Although the weekend saw a small drop in the rate of infection, the number of copies of SirCam caught daily by MessageLabs continued to grow early this week, topping 10,000 messages on both Tuesday and Wednesday.

On Thursday, that growth stopped. Though MessageLabs had not posted final numbers for the day, it had intercepted only about 4,000 worm-laden emails by midday.

Part of the reason for the drop is that companies have gotten their houses in order, said Vincent Gullotto, director of antivirus research for PC software company Network Associates.

"It didn't get to outbreak status, because corporations were able to block it before it got in," he said.

The worm is a mass mailer, working in a manner similar to the Love Letter and Magistr infections.

SirCam spreads by sending email messages with infected attachments. While the message's subject line varies, the body generally contains the same text: "Hi! How are you? I send you this file in order to have your advice. See you later. Thanks." A small number of messages have similar text in Spanish.

Opening the attached file on a PC running Windows will infect the victim's computer. The worm appends itself to a file randomly selected from the infected computer's "My Documents" folder and attaches that to an email. Messages are sent to everyone in the person's Windows address book and to any email addresses in the Web browser's cache file, where images of recently viewed pages are stored.
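
The traits described above (a varying subject line, a fixed body text and a file attachment) are enough for a simple mail-gateway content check. The sketch below is an added example, not code from MessageLabs or Network Associates; the function names, verdict labels and match thresholds are assumptions, and the test messages are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Marker phrases taken from the message body quoted in the article.
SIRCAM_PHRASES = (
    "hi! how are you?",
    "i send you this file in order to have your advice",
    "see you later. thanks",
)

def _normalise(text):
    """Lower-case and collapse whitespace so re-wrapping does not defeat matching."""
    return re.sub(r"\s+", " ", text).strip().lower()

def classify(raw_message):
    """Return 'quarantine', 'review' or 'pass' for one raw message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body_text, has_attachment = "", False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            body_text += " " + part.get_content()
    hits = sum(p in _normalise(body_text) for p in SIRCAM_PHRASES)
    if hits == len(SIRCAM_PHRASES) and has_attachment:
        return "quarantine"   # full body text plus a file: matches the description
    if hits >= 2:
        return "review"       # partial match or no file: leave to an analyst
    return "pass"

def build_sample(subject, body, attachment_name=None):
    """Build a constructed test message; nothing here is a captured sample."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

WORM_BODY = ("Hi! How are you?\nI send you this file in order to have your advice\n"
             "See you later. Thanks")

if __name__ == "__main__":
    print(classify(build_sample("Budget draft", WORM_BODY, "budget.doc.example")))
    print(classify(build_sample("Minutes", "Minutes attached. Thanks", "m.txt")))
```

The subject line is deliberately ignored because the article notes that it varies from message to message.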

The virus has been responsible for leaking corporate documents, password files and, in one case, official FBI documents.

For home users, the virus is still a danger, said MessageLabs' White.

"There are an awful lot of home users that have no antivirus protection today, and that can be catastrophic," he said.

Email users writing in agreed, saying the virus was clogging Internet access and sharing confidential information.

"I think this virus is being extremely underestimated," wrote one email user, who had received five infected messages.

Network Associates plans to reduce its rating of the virus from "high" risk to "medium" sometime next week.
