Top virus threats, part three: Sircam

Here's a look at the inner-workings of the virus Sircam and how to fight it.



This is the third tip in a series.

Viruses are not all created equal. Some cause more damage, and some spread quickly to a large number of systems. Fortunately, only a few viruses both cause a lot of damage and spread quickly, so most viruses are not a big threat. However, those few viruses that are a serious threat are all the reason you need for a multi-level virus protection and removal system.

To help you understand why virus protection is necessary, let's take a quick look at the top four viruses currently found in the wild ("in the wild" means actively infecting computers around the world via the Internet or other means).

The virus that is generally considered to be the third-worst virus or worm currently circulating on networks across the globe is W32.Sircam.Worm@mm. The threat from Sircam is multi-faceted. It includes its own SMTP server (outbound e-mail server). This built-in e-mail server is used to e-mail random files from the infected computer to any e-mail address it finds on the local system. Sircam discovers e-mail addresses by looking for them in sho*., get*., hot*., *.htm files or in the Windows Address Book files (.wab). The e-mail sent out by Sircam has a random file attached to it (which has been infected with Sircam), and it will have a random subject (often the name of the attached file).
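The traffic pattern just described (an outgoing message carrying a random file whose name is reused as the subject) is something a mail gateway can flag. The following is an added example, not code from the original article; it constructs its own sample messages and assumes a gateway hands messages over as raw RFC 822 text.

```python
# Added example: flag outbound mail showing the Sircam subject/attachment pattern.
from email import message_from_string, policy
from email.message import EmailMessage
import os


def build_message(subject, filename=None):
    """Construct a sample RFC 822 message (test data, not captured mail)."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "friend@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    if filename is not None:
        # Constructed bytes stand in for the worm-infected attachment.
        msg.add_attachment(b"\x00constructed-bytes", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()


def subject_matches_attachment(raw):
    """True when the subject equals an attachment's filename or its stem.

    The comparison is case-insensitive and ignores surrounding whitespace,
    because the subject line is lifted from the file name."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    if not subject:
        return False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue
        stem, _ext = os.path.splitext(name)
        if subject in (name, stem):
            return True
    return False


def flag_outbound(raw_messages):
    """Return indexes of messages that show the subject/attachment pattern."""
    return [i for i, raw in enumerate(raw_messages)
            if subject_matches_attachment(raw)]


# Constructed samples: the first two mimic the worm's pattern, the rest are benign.
SAMPLES = [
    build_message("budget", "budget.xls"),
    build_message("Holiday Photos", "holiday photos.doc"),
    build_message("Meeting tomorrow at 10", "agenda.doc"),
    build_message("budget"),
]

if __name__ == "__main__":
    print(flag_outbound(SAMPLES))  # [0, 1]
```

A hit is only an indicator worth quarantining for review, since legitimate users also title messages after the file they attach.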

Once a system is infected, the Sircam virus writes itself to several locations on the local hard drive(s) and even alters the local Registry. Sircam is network aware and will attempt to copy itself to other computers on the network using names discovered in the local NetBIOS cache. Built into Sircam is the ability to delete every file from the C drive of a system or to completely consume all free space on a drive. Fortunately, the virus has an error in its programming, and these features are rarely activated.

Due to another error in its programming, Sircam does not replicate itself under Windows NT, 2000 or XP. However, it is very effective at replicating on all other Windows operating systems.

Sircam spreads very quickly and, even now, nearly a year after its discovery, it is still rampant. Because of its programming errors, its damaging effects on infected systems are only moderate.

Most antivirus products are able to detect, remove and disable this virus/worm. However, if your system is already infected, you need to manually clean up its artifacts to guarantee that you will not remain infected or accidentally infect others. For details on reversing the changes to systems infected by the W32.Sircam.Worm@mm virus, please visit one of the following:
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
McAfee: http://vil.mcafee.com/dispVirus.asp?virus_k=99141
TrendMicro: http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_SIRCAM.A


About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
This was first published in April 2002
