SirCam worm "high risk" but not rife

The current No 1 bug is still spreading, but it's not a blockbuster like Love Letter, say antivirus experts. The reason? It's bouncing off corporate firewalls.
Written by David Becker, Contributor
The SirCam worm continued to spread Tuesday, although antivirus experts said it still paled in comparison to other destructive programs.

"We escalated this to 'high risk', but it is not a blockbuster virus on the order of Love Letter or Melissa, said David Perry, global director of education for antivirus-software maker Trend Micro. "This is a summer-cold virus."

As of Tuesday morning, SirCam was the No 1 bug, according to Trend Micro's World Virus Tracking Center, with more than 7,100 infections reported to the company from around the world.

"For reference, that number in the middle of the Love Letter attack was well over a million," Perry said.

SirCam was also No 1 at antivirus-software maker McAfee, with 144,000 infections reported in the past 24 hours. McAfee rated the virus "high risk".

A major part of the reason the worm has stayed below epidemic status is that the most fertile breeding grounds for a worm--large corporate email systems--are for the most part equipped with security filters that reject infected messages.

"Among our corporate clients, we haven't had anyone actually infected at all," Perry said. "It's just bouncing off firewalls by the tens of thousands."

"If it was going to be an outbreak, that would have happened by now," said Vincent Gullotto, senior director of McAfee's AVERT Labs. "Because of the enterprise protection in place, that just isn't happening."

That's a testament to the security lessons big business has learned since Love Letter and similar outbreaks, Gullotto said. "I think the Fortune 500 companies have really learned a lot in the last couple of years," he said. "It's really what's helped prevent things since Love Letter from becoming so grandiose."

The SirCam worm, which surfaced last week, spreads by emailing copies of itself to everyone in the infected computer's Windows address book. It also sends itself to any email addresses contained in the Web browser's cache files, which store recently viewed pages.

An added twist with SirCam is that it sends a randomly chosen file from the infected computer's hard drive, potentially sending confidential business data or embarrassing personal information along with itself. The email subject line matches the name of the file being sent.

The main threats posed by the worm are security breaches from sending possibly confidential documents and the inconvenience of sorting through the torrents of email the worm generates. But SirCam can also perform several destructive acts based on a combination of arcane PC settings and chance. If the infected PC uses the European date format (day/month/year), for example, there is a 1-in-20 chance that the worm will delete all files and folders on the hard drive on Oct 16.

The worm is also "network aware", Symantec reported, meaning it will search for network resources and attempt to propagate itself to attached systems.

Though it hasn't built anywhere near the explosive force of the Love Letter virus, several aspects of SirCam are likely to make it a lingering nuisance, Perry said. For one, the worm contains its own SMTP email program, meaning it doesn't have to depend on Outlook, as many other worms have.

"Viruses tend to come on the scene and make a flash in a couple of hours; Anna Kournikova was already gone by the second day," Perry said. "The reason is these were known exploits. They all used Microsoft Outlook; they all searched for email addresses in the same place.

"(SirCam) uses SMTP, so it works with every mail client. And instead of just using your address book, it uses the browser cache. That changes the nature of the virus substantially."

McAfee's Gullotto said the main problem at this point is for individual users, who usually lack the screening tools and other protection employed by big businesses.

"Ninety percent of the people who send us samples (of SirCam infections) are end users," he said. "I think SirCam will fade for a bit, but it could linger on for some time in this certain area."

Part of the lesson is that consumers need to have better protection both on their PC and on whatever networks it attaches to.

"You should probably have a conversation with your ISP about why they aren't blocking these messages," Gullotto said.

Added Perry: "I foresee that as more malicious code uses the Internet, the protection against malicious code will have to migrate off the desktop. People need to start asking, 'Why isn't your ISP offering you protected email and protected Internet connectivity?'"

Editorial standards