Vulnerability Development mailing list archives

Re: Win32.Sircam.Worm Alert.....


From: Martin Lindquist <martin () phreakproductions cjb net>
Date: Tue, 24 Jul 2001 17:13:35 +0200

Today I received two e-mails with the mentioned attachments, although
from people I have never heard of before. Since I'm fighting SPAM every
single day, I don't open attachments in e-mails from unknown senders
(some people seem too happy to get e-mail and think everyone who sends
them one is a good guy), but I recognised the text and thought I'd drop
a line about the e-mail I received a couple of days ago, more precisely
Thursday 19th. It's the same mail, with one big difference; it's in
Spanish:

| Hola como estas ?
| 
| Te mando este archivo para que me des tu punto de vista
| 
| Nos vemos pronto, gracias.

I don't know much Spanish, but it looks to me as a direct translation of
the English version. Subject line was "WOWWWWWWWW" and the attached
(suspected evil) file is named "WOWWWWWWWW.doc.com".

 / Martin Lindquist

--
email:marine () trouble net
email:martin () phreakproductions cjb net
phone:+46-70-490 79 03

EPiC wrote:

Friday morning I received an email from a friend, it looked as though he
was sending me a .doc to look over. To my dismay, it was a worm that had
infected him.

I have found little information about this worm, mostly located at
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm () mm html

The Worm will come from someone that has you on their contact list, and will
have a different subject line determined by the attached file.

The text will read in English as:

Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks

--------------------------------------------------------------------------------

****

The link I posted above has a program that will remove the worm, I would
suggest using that rather than deleting it yourself, I found that I was
renaming regedit.exe to regedit.com to even open regedit. The worm tries to
run any executables through its own shell code.

This being my first real post to Bug-traq I would like feedback.  Any
questions, hate-mail, death-threats etc can be sent off to epic () hack3r com

thank you

EPiC
hack3r.com
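
The attachment name reported in this thread, "WOWWWWWWWW.doc.com", pairs a document extension with an executable one. The following is an added example, not part of either post: a mail-filter check for that pattern, where the extension sets, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Final extensions that Windows runs directly (illustrative set, an assumption).
EXECUTABLE_EXTS = {"com", "exe", "bat", "pif", "lnk", "scr"}
# Extensions a reader takes for a harmless document (illustrative set, an assumption).
DECOY_EXTS = {"doc", "xls", "zip", "txt", "jpg", "pdf"}

def is_double_extension(filename):
    """True when a document-looking name actually ends in an executable extension."""
    # Trailing dots and spaces are ignored by Windows, so strip them before splitting.
    parts = filename.lower().rstrip(". ").split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS

def suspicious_attachments(raw_message):
    """Return the attachment filenames in a raw message that match the pattern."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = [part.get_filename() for part in msg.walk()]
    return [n for n in names if n and is_double_extension(n)]

# Constructed sample message: one double-extension attachment, one ordinary document.
SAMPLE = """\
From: someone@example.com
To: you@example.com
Subject: WOWWWWWWWW
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Hola como estas ?

--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="WOWWWWWWWW.doc.com"
Content-Transfer-Encoding: base64

AAAA
--BOUND
Content-Type: application/msword
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""

if __name__ == "__main__":
    print(suspicious_attachments(SAMPLE))
```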

