SirCam to target Europe in new attack

The worm is programmed to reinfect PCs set with the European date format on 16 October - and will roll a dice to decide if it will destroy data on infected PCs
Written by Wendy McAuliffe, Contributor

The highly destructive SirCam worm has been programmed to return on its three-month birthday, and Europe will be a prime target for the attacks. The network-aware computer worm will attempt to destroy data on one in every 20 computers that it infects, say experts.

"When an infected computer starts up today, there is a 5 percent chance that SirCam will start to delete all files on the C drive, and remove all files in sub-directories," said Andre Post, senior researcher at antivirus firm Symantec. "It will then try to fill up the hard drive with a fake file, and will expand and take up the full hard drive space."

But the file-deleting payload is only programmed to infect PCs configured with the D/M/Y date format. This will result in regional hits across the globe, placing European PCs in a high-risk category, according to Symantec. "The US will be safe, as everyone has M/D/Y settings -- but in Europe things may be different," said Post.

Antivirus experts at Sophos have dismissed fears of a 16 October attack, claiming that a bug in the virus author's code will prevent the payload from activating. But Symantec is certain that European novice end-users should brace themselves for a return of the destructive SirCam worm. "We know that a lot of these types of viruses contain bugs that can corrupt infections, but the working samples that we have (of SirCam) convince us that there is a one-in-20 chance of reinfection," said Post.

SirCam was first detected on 16 July. Security software firm Trend Micro said it has received reports from 332,000 PCs infected with the worm in the last 30 days. The worm spreads by email and by using open network shares. If the attachment is opened, SirCam copies itself into the Windows System directory with the filename scam32.exe, and changes the registry key so that it runs on Windows startup. It also contains its own SMTP routine, which it uses to send email messages to addresses found in the infected user's address book and in the temporary Internet folder where cached Internet files are kept.

The Poker-like caveat programmed to strike on 16 October is hard-coded for every year. "I am certain that SirCam will still be around next year," said Post.
