As reported earlier, the worm embeds itself in random Microsoft Office documents before sending itself and the attachment to all names in the victim’s email address book.
Besides putting confidential documents at risk, the worm could also be deleting files and degrading the performance of infected PCs come October 16, said Symantec.
October 16 is said to be the worm’s “payload trigger”, a condition--such as a date, the execution of certain programs or even the availability of an Internet connection--that causes a worm or virus to activate its malicious activity.
According to the security software firm, there's a 1-in-20 chance that the worm will delete all files and directories on the infected hard drive. However, this will only occur on systems using DD/MM/YY as the date format.
There's also a 1-in-33 chance that it will fill all remaining space on the hard disk by adding text to the file c:\recycled\sircam.sys at each startup, the company said.
Unfortunately, W32/SirCam.Worm@mm is difficult to detect from the subject line--which will be the file name of the attached document--or its message.
The latter, however, will be semi-random, containing either "Hola como estas?" or "Hi! How are you?" as the opening line, and "Nos vemos pronto, gracias" or "See you later. Thanks" as the last line, depending on whether the English or Spanish version of the virus is received.
"As long as companies are updating (anti-virus software) they’ll be okay," said an Australia-based spokesperson. "It’s more likely to hit home users and small businesses, which update less regularly."
A locally-based spokesperson for Symantec noted, however, that the number of downloads for the anti-virus update was average. "Normally, the Symantec Anti Virus Research Center (SARC) gets approximately 1,000 to 2,000 downloads per day, and there hasn't been a sudden surge in (the number of) downloads since SirCam was reported," she said.
"Initially, we rated the virus with a Level 3 threat because the payload is quite wicked...Since the number has grown dramatically overnight (from just a few cases yesterday), it shows that people are not taking the necessary precautions. Therefore, we have moved the SirCam to a Level 4 threat.”
To date, there have been 150 reported submissions to Symantec, mostly from South America and Europe, she added. "In Singapore, we have just received three reports…and none in Malaysia so far.”
However, she admitted that the number of reported submissions does not reflect the actual number of users affected. In just the last few hours, several readers have called or written in to ask about the SirCam virus.
Symantec said it is still unable to ascertain where the virus had originated from.