SirCam worm goes global

It's a little like comparing apples to oranges, but there are two very active worms currently spreading across the Internet.
Written by Robert Vamosi, Contributor

While network administrators battle the Code Red worm, PC users around the world are contending with increasing reports of the prevalent SirCam worm. According to Dave White of the antivirus software company MessageLabs, SirCam is unlike any virus to date because of its ability to evade most real-time virus scanners; its polymorphic nature lets it go undetected. "It isn't instantly recognizable," he said.

There's also a degree of social engineering at work: since the attachment changes randomly, some people are honestly duped into opening it, thinking it's legitimate. White said that the virus may be spreading more quickly because a lot of people have been on vacation during the end of July, haven't heard of SirCam, and are only now returning to work and innocently opening their e-mail.

MessageLabs had predicted a minor bump in SirCam infections for Monday, July 30; however, the number of infections reported to the site actually peaked the following day, on Tuesday, July 31. More important, the number of infections reported on July 31 was higher than the number reported the previous Tuesday, when SirCam was thought to have peaked. Overall, MessageLabs has reported more viruses from its users during the month of July than ever before: 140,000 infections, compared with the previous record of 90,000.

With SirCam, "we have seen no sign of a drop-off," said White, whose lab had predicted the worm would be contained sometime this week. He hesitated this morning to speculate when the SirCam virus might begin to die out. "It's been reported in every country," he added. Currently, SirCam is MessageLabs' number one virus, easily outdistancing past champions, Magistr and Hybris.

One reason for SirCam's continued success might be that it isn't limited to e-mail; it is also a "network-aware" worm. For example, a shared file on a corporate network can become infected with SirCam and infect any other computers that access that file. "We're seeing a lot of infections from major corporations," said White. Since SirCam chooses its attachments randomly from infected hard drives, there have been reports of "sensitive documents" leaking out into the world.

Joe Hartman of Trend Micro agreed. Once SirCam is on a networked system, it becomes an IT nightmare. Just cleaning it off one machine isn't enough. "You have to find which machine is infecting the network, or you'll continue to re-infect your machines."

SirCam is destructive. There's a one in fifty chance that an infected computer will either have its hard drive erased or completely filled with garbage on October 16th. MessageLabs' White declined to speculate why the virus writer chose to do this. It might "just be scaremongering--'look at what I can do.'" Given the spread of SirCam, the problem would be much worse than it currently is if it had been destructive each time, White said.
