
Latest update: 27 July 2001:

See the CERT advisory for this virus/worm.  It lists important details of SirCam's operation, and how it may delete the entire contents of your hard drive on 16 October:
http://www.cert.org/advisories/CA-2001-22.html

This also lists the sites of various anti-virus companies.


You are one of 7 people whose computer has sent me virus emails in the
last 30 hours.  Some people's computers have sent me the same thing
several times.
 

Each email is 220 to 250 k bytes and comes with one of a few text
messages (as described below) and a large attachment, which is named to
fool people into thinking it is a Word file, a spreadsheet or whatever,
but which is in fact a computer virus which contains one of your files
from your "My Documents" directory.

Your computer is infected with the "SirCam" virus / worm - presumably
because you clicked on an attachment in a virus email you received.

I urge you to:

1 - Disconnect your computer from the Internet.  As long as it is
    connected it is sending out virus emails to people you know
    and who you don't know.  Each virus email contains one or more
    of your personal documents.

2 - Turn your computer off.  The virus is capable of deleting all
    files on your computer - real deletion, not just moving them
    to the Recycle bin.

3 - Find someone who is fully up to date on this new virus who can
    professionally remove it.  I can't advise you how to do this, but
    I have read that if the wrong attempts are made to remove the
    virus then it will delete all your files.

Then, NEVER click on attachments unless you really know what you are
doing!

The following text will help you understand the situation.

If you connect your computer to the Net, it is your responsibility not
to allow it to send virus emails to other people or do any other such
malicious actions.  Even if you don't understand anything about this, it
is still your responsibility.  It is your responsibility to find out
what you need to learn about computer security in order to protect other
people - and to protect the existence and the privacy of data on your
own computer.

  - Robin
 

In the last 13 hours I have received four virus/worm emails - all from
the computers of people who I have never heard of.  (The virus is sent
without them knowing - it just appears to have come from these people.)

The emails are all about 216 to 239 K bytes long and contain a mixture
of files with extensions such as:

   xxxx.doc.bat
   xxxx.xls.lnk
   xxxx.doc.pif
   xxxx.xls.pif
 

The first part of the email is always of the form:

    Hi! How are you? I send you this file in order to have your advice
    See you later! Thanks

or its Spanish equivalent.

The "xxxx" varies enormously:

     Retail
     (The sender's name) letter to nait
     english 101c HW9
     SMD Producción

are the ones I got so far.  I won't open them, firstly because the files
are infected in some way I don't want to find out about, and secondly
because they are someone else's business spreadsheets, letter and
English homework.

I understand that each of these files does contain another person's
document, but the main bulk of the attached file is the virus / worm
program itself.  I guess the different personal documents explain the
slight variations in the size of the emails.
 

Here is a link to information about this virus/worm:

  http://www.datafellows.com/v-descs/sircam.shtml
 

Better still: an up-to-date story:
 

http://news.lycos.com/news/story.asp?section=LycosTechnology&storyId=45427

If this URL doesn't work, try:

   http://news.lycos.com/news/

and search for "SirCam".
 

   "SecurityPortal does not believe that SirCam has reached a critical
    threshold yet, but will likely do so within 72 hours," said Ken
    Dunham, senior analyst for AtomicTangerine/SecurityPortal.

A prediction come true!
 

    When activated, the virus randomly chooses whether to take over all
    the unused space on a hard drive by filling it with text, or it may
    delete the contents of the hard drive.

    SirCam worms its way deeply into an infected computer's operating
    system and also changes its identity with each and every infected
    e-mail it sends.

   "SirCam stores several files in the Recycle directory, which is not
    normally scanned by antiviral software,"  Dunham said. "Even if a
    computer is updated against SirCam, it may not scan the Recycle
    directory, potentially resulting in an incomplete mitigation of
    SirCam."
 

There's a fab real-time continent-based virus activity checking site!

   http://wtc.trendmicro.com/wtc/

SirCam is running hot in Europe and America - where my emails came from.
 
 

People who are silly enough to click on the links for these
attachments will bitterly regret it and will soon have their computer
spreading the damn thing - and sending their personal files to people
all around the world.
 

I understand that with the default arrangement of Windows 9x
installation, the File manager does not show the extension of recognised
file types, and that this carries over to Outlook Express.  So people
think they are getting a spreadsheet, a Word file etc., and blithely
click their way to computer oblivion.

  (The Win9x fix is Start > Settings > Folder Options > View >
   then select "Show all files" and deselect "Hide file extensions
   for known types".  Win2k is the same, but Start > Settings >
   Control Panel . . . )

The above assumes that people are educated enough to know that clicking
a link to any executable program (.com, .exe, .pif, .bat, .vbs and many
more extensions) is giving complete control of their computer to a
potentially malicious program.  Many people don't even know this, until
it is too late.  Viruses are often named to distract people, such as

   PRETTY-GIRL.JPG.exe

into thinking it is a .JPG file.  If Windows and Outlook Express are
badly configured (as can be the default), then the user sees only:

   PRETTY-GIRL.JPG

What a mess.
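
A mail-filter style check for the double-extension disguise described above, as an added example that is not part of the original page. The decoy extension set, the function names and the sample list are assumptions made for illustration; the executable extensions are the ones named on this page.

```python
import os

# Executable extensions named on this page (.com, .exe, .pif, .bat, .vbs),
# plus .lnk from the attachment names it lists. The page notes there are
# "many more"; extend the set as needed.
EXECUTABLE_EXTS = {".com", ".exe", ".pif", ".bat", ".vbs", ".lnk"}
# Assumption: harmless-looking types commonly used as the inner, decoy extension.
DECOY_EXTS = {".doc", ".xls", ".jpg", ".gif", ".txt", ".zip"}


def displayed_name(filename):
    """Name a user sees when 'Hide file extensions for known types' is
    enabled: the final extension is dropped."""
    stem, ext = os.path.splitext(filename.strip())
    return stem if ext else filename.strip()


def classify_attachment(filename):
    """Return 'disguised-executable', 'executable' or 'ok' for a file name."""
    stem, ext = os.path.splitext(filename.strip())
    if ext.lower() not in EXECUTABLE_EXTS:
        return "ok"
    # The real type is executable; check whether a decoy extension precedes it.
    inner = os.path.splitext(stem)[1].lower()
    return "disguised-executable" if inner in DECOY_EXTS else "executable"


def audit(filenames):
    """Map each risky attachment name to (verdict, name the user would see)."""
    report = {}
    for fn in filenames:
        verdict = classify_attachment(fn)
        if verdict != "ok":
            report[fn] = (verdict, displayed_name(fn))
    return report


# Constructed sample: names patterned on those quoted on this page,
# plus two ordinary ones for contrast.
SAMPLE = ["Retail.xls.pif", "english 101c HW9.doc.bat",
          "PRETTY-GIRL.JPG.exe", "setup.exe", "report.doc"]

if __name__ == "__main__":
    for fn, (verdict, shown) in audit(SAMPLE).items():
        print(f"{fn!r}: {verdict}; user sees {shown!r}")
```

A filter that quarantines every name the audit returns catches both the disguised and the plainly executable attachments.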
 

Virus scanning programs are not necessarily fully protective, since they
cannot be updated fast enough to detect every virus which has just
been released into the wild or mutated into a new form.  Such programs
are probably a good idea, but they must be constantly updated and never
entirely relied upon.  (They can be a damn nuisance too, if they
regularly check the hard drive and upset other programs, such as those
which are recording sound.)
 

I normally only get a virus email every few months, and my address is
known to many people.  To get four in a day is unprecedented.  The
volume alone, a megabyte in 12 hours, if replicated across lots of users
means that this is indeed (in UFO terms) a major flap.

What does it take to rid the world of email programs / operating systems
which hide the true nature of what it is people execute when they click
a link?  This is typical Microsoft fudged thinking showing false things
and hiding important things out of some bizarre idea that this helps
inexperienced users.
 

I have been telling lots of people not to use Outlook Express for a year
or so - or at least to get the updates from Microsoft.  This is because
of the above problem, and also I was told that some versions of Outlook
Express will execute certain kinds of viruses the moment they are
received - without any user intervention and without any chance for the
person to decide not to open the email.
 
 

I don't think many people have updated their Outlook Express.   (I don't
use it, I use Netscape for browsing and email.)  There is an instinct
about "safety in numbers" - which turns out to be diametrically opposed
to reality in this case!  The more your system is as vulnerable as
millions of others, the more infections your system will catch and the
greater the effort that will be put into writing the viruses, worms etc. to
attack your type of system.
 

I think you should never spread a virus warning (or any other warning or
message) just because someone urged you to do so.  If you do this, then
you are likely to be spreading distracting and annoying nonsense!  For
instance, if someone sends you an email urging you to send the email to
everyone you know, and the email is about a new computer virus which
comes with the Subject: line: "How to give your cat a colonic", and you
*do* send the message to everyone on your mailing list, then you have
done them all a great disservice!

Virus Hoaxes are nearly as bad as computer viruses.  See:

  http://www.datafellows.com/virus-info/hoax/

which lists the "Good Times", "Cat Colonic" and many, many more virus
hoaxes.
 

Don't pass this message on to anyone unless you have taken a look at the
news stories and verified for yourself that what is in this message is
based in reality and is a serious enough matter to warrant passing it
on.  It is not my intention to start some kind of anti-viral
chain-letter, even if you think this warning is valid.
 

   - Robin
 

By the way, never send executable programs to other people, or run
any which you receive:

    http://www.firstpr.com.au/security/

      Sending people executable programs by email is the
      computer equivalent of:

          Here's something you have never seen before.  I hadn't
          seen it until recently either.  I have no idea where it
          really came from - someone just gave it to me.  Stick the
          needle into your arm and press the plunger. It's GREAT!!!!