Information Security News mailing list archives

Don't Get Mad At SirCam, Get Even


From: InfoSec News <isn () c4i org>
Date: Thu, 30 Aug 2001 00:44:59 -0500 (CDT)

http://www.newsbytes.com/news/01/169522.html

By Brian McWilliams, Newsbytes
GIVAT SHMUEL, ISRAEL,
29 Aug 2001, 10:11 AM CST
 
A new tool offers relief for computer users still plagued by e-mails
infected with the file-stealing SirCam worm or who have voyeuristic
tendencies.

ClipSirc is a tiny DOS utility that automatically dissects the data
files that come attached to messages generated by SirCam. Developed by
Israeli anti-virus vendor Invircible, the free tool strips the worm's
installation code from the legitimate document it uses as a Trojan
horse.

First reported in mid-July, SirCam spread widely by duping unwary
Internet users into clicking an e-mail attachment that contains a file
harvested from the "My Documents" folder on an infected sender's PC.

Despite receiving widespread media attention, the worm continues to
infect new users today, as they fall for SirCam's lure: "I send you
this file in order to have your advice." In fact, most anti-virus
vendors still consider SirCam a high risk. Symantec, for example,
recently upgraded the worm to the firm's highest threat level because
of an increased rate of submissions from users.

According to Invircible's Zvi Netiv, recipients of SirCam-generated
messages who attempt to contact the senders often encounter denial.
Netiv said Invircible developed ClipSirc to give innocent users a way
to prod SirCam victims into cleaning up their act.

"Returning them their own document or worksheet helps get fast results
and stops the leak. The stripped attachment can be instrumental in
convincing the parties that drastic measures are necessary," said
Netiv.

Invircible has received hundreds of documents sent by SirCam-infected
users, many of them confidential, according to Netiv. Among the
documents are a 60-page business plan from a Hong Kong company;
detailed patients' medical reports from a hospital in Mexico; the
entire customer list of a company that sells precious stones; and a
file from a school principal in Wisconsin containing very personal
student records.

Newsbytes has received several considerably less interesting
documents, including multiple copies of a Word document that contains
a poem entitled, "The Pig Farmer Hangover."

Last month, an FBI analyst became infected by the worm and had several
documents, including one marked "Official Use Only," e-mailed out to
numerous recipients.

While most anti-virus software can detect and block the worm from
infecting a computer, the often-hefty file attachments can be slow to
download or can overflow mailbox quotas.

According to Netiv, the ClipSirc utility analyzes an infected e-mail
attachment and identifies the beginning of the data file through
pointers embedded in the worm's header. It then determines the type of
data that was appended and extracts it to disk with the appropriate
file extension.

ClipSirc can salvage SirCam-infected files in the following formats:
.DOC, .XLS, .JPG, and .ZIP, according to Netiv. SirCam is also capable
of mass-mailing files in the .EXE, .COM, .LNK, .PIF, and .BAT formats.
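One way a stripping tool of this kind can work, as an added illustration: the Python below is not Invircible's ClipSirc and is not taken from the article. Because the page does not describe the header pointers ClipSirc reads, this example instead locates the appended document by scanning for the magic bytes of the formats the article lists (OLE2 for .DOC/.XLS, JPEG, ZIP) past the executable stub, tells Word from Excel by the stream names inside the OLE2 container, and writes the payload to disk with the matching extension. The sample attachment is constructed inline (a dummy MZ stub followed by an OLE2-style blob), not a real worm.

```python
"""Carve a document appended to an executable stub, by signature scanning.

Added example, not ClipSirc's code. Assumption: the stolen document is
appended unchanged after an MZ executable, so the first recognised file
signature after the stub marks where the document begins.
"""
import os
from typing import Optional, Tuple

# Magic bytes for the formats the article says are recoverable.
# .DOC and .XLS share the OLE2 compound-file header and are told apart later.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # OLE2 container (DOC/XLS)
    (b"\xff\xd8\xff\xe0", "jpg"),                  # JPEG/JFIF
    (b"\xff\xd8\xff\xe1", "jpg"),                  # JPEG/Exif
    (b"PK\x03\x04", "zip"),                        # ZIP local file header
]

# The DOS header alone is 64 bytes; never match a signature inside it.
STUB_MIN = 64


def find_payload(blob: bytes) -> Optional[Tuple[int, str]]:
    """Return (offset, kind) of the earliest signature after the stub, or None
    when the blob is not an MZ executable or carries no recognised payload."""
    if not blob.startswith(b"MZ"):
        return None
    best = None
    for magic, kind in SIGNATURES:
        off = blob.find(magic, STUB_MIN)
        if off != -1 and (best is None or off < best[0]):
            best = (off, kind)
    return best


def classify_ole(payload: bytes) -> str:
    """Distinguish Word from Excel OLE2 files by their directory stream names,
    which the compound-file format stores as UTF-16LE."""
    if "WordDocument".encode("utf-16-le") in payload:
        return "doc"
    if "Workbook".encode("utf-16-le") in payload:
        return "xls"
    return "ole"  # OLE2 container of unknown application type


def carve(blob: bytes) -> Optional[Tuple[str, bytes]]:
    """Strip the stub and return (extension, document_bytes), or None."""
    hit = find_payload(blob)
    if hit is None:
        return None
    off, kind = hit
    payload = blob[off:]
    if kind == "ole":
        kind = classify_ole(payload)
    return kind, payload


def carve_to_disk(attachment_path: str, out_dir: str) -> Optional[str]:
    """Read an attachment, carve the document and write it beside the stub's
    name with the carved extension. Returns the output path or None."""
    with open(attachment_path, "rb") as fh:
        blob = fh.read()
    result = carve(blob)
    if result is None:
        return None
    ext, payload = result
    # SirCam-style names such as "report.doc.pif": drop the executable
    # extension, and avoid doubling the document extension if it is present.
    base = os.path.splitext(os.path.basename(attachment_path))[0]
    if not base.lower().endswith("." + ext):
        base = f"{base}.{ext}"
    out_path = os.path.join(out_dir, base)
    with open(out_path, "wb") as fh:
        fh.write(payload)
    return out_path


def _constructed_sample() -> bytes:
    """Constructed test input: a harmless dummy MZ stub standing in for the
    worm, followed by an OLE2-looking blob carrying a Word stream name."""
    stub = b"MZ" + b"\x90" * 62 + b"\x00" * 512
    ole = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
           + "WordDocument".encode("utf-16-le") + b"\x00" * 64)
    return stub + ole


SAMPLE_ATTACHMENT = _constructed_sample()

if __name__ == "__main__":
    ext, doc = carve(SAMPLE_ATTACHMENT)
    print(f"carved .{ext} document of {len(doc)} bytes")
```

Signature scanning can false-positive on a byte run inside the stub, so a carved file should be confirmed to parse (open it in its application on an isolated machine) before the extension is trusted; the article's note about not activating the attachment applies equally here, since the stub itself is never executed by this code.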

To use ClipSirc, users should download the program to a dedicated
directory, according to Invircible. Attachments from SirCam-infected
messages should be placed in the same directory. (Users may have to
disable their anti-virus software to handle the infected files.)

Double-clicking on the ClipSirc icon will cause the program to clean
the data files contained in the attachments and extract them to the
same directory. Invircible cautions users not to activate the infected
attachments directly or they will risk catching SirCam.

If waving a confidential document doesn't get infected users'
attention, they may get their comeuppance soon. According to Symantec,
on Oct. 16, SirCam will on some systems delete all files and
directories on the infected computer's C drive.

ClipSirc is available for download here:

http://www.invircible.com/download/tools/clipsirc.exe

Symantec's write-up on SirCam is at

http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.