Security Incidents mailing list archives

Re: Tracking SirCam


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Thu, 26 Jul 2001 10:58:42 +1200

woods () weird com (Greg A. Woods) wrote:

> From an SMTP point of view the headers are part of the body.  The
> savings over filtering just the headers, vs. filtering up to at least
> the second MIME part in this case, is virtually nonexistent on any
> kind of modern hardware.

Indeed...

(BTW, I seriously doubt any of the so-called experts who have been
commenting on the relative impact of this worm compared to others before it
-- so far it's by far the worst I've ever seen, either in my own
inbox, or in the way it's affected mail servers, particularly at ISPs.

The magnitude of the ISP effect is probably due to two things...

First, as Greg mentioned, the virus's size is above most previous
(and all "successful"?) mass mailers.  The virus itself is approx
135KB then it concatenates a DOC, XLS, ZIP (or JPG (?) found in the
"My Documents" directory) to itself.  The smallest field sample I've
seen so far is just over 200KB.

Second, most corporate sites are relatively unaffected by this.  The
smart ones have (eventually) resorted to whitelist attachment
file-type filtering and many of the rest have been lucky enough that
their scanner has not needed updating to scan .LNK files...  This
means that the bulk of the effect will be borne by ISPs *and* they
tend to use "store and forward" (POP) or straight store (IMAP) mail
systems for their clientele.  Their clientele may also tend to be
more lax about checking/clearing their Email *and* it's probably a
fair bet that the "dead-account" ratio is much higher on your typical
ISP/free Email service provider than your typical corporate network.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
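The post above credits "whitelist attachment file-type filtering" with keeping corporate sites largely unaffected, and notes that the interesting content sits in the MIME parts after the headers. The following is an added example, not code from the thread or from any product mentioned in it: a gateway-side allowlist check written with Python's standard `email` package. It walks every MIME part of a raw message, collects the declared attachment filenames, and rejects the message if any filename carries a suffix outside a site-defined allowlist. The allowlist contents, the example addresses and the sample message are all constructed for illustration; in particular the check inspects the whole chain of dotted suffixes, so a name like `report.doc.lnk` is rejected on its outer `.lnk` even though `.doc` is permitted.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: a site-specific allowlist of attachment types that may pass.
# Anything not listed (lnk, pif, bat, exe, ...) is rejected by default,
# which is the "whitelist" approach the post describes.
ALLOWED_EXTENSIONS = {"txt", "pdf", "doc", "xls", "zip", "jpg", "png"}


def attachment_names(raw: bytes) -> list[str]:
    """Walk every MIME part and collect the declared attachment filenames."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no payload of their own
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def extension_chain(filename: str) -> list[str]:
    """Return every dotted suffix, lower-cased: 'a.doc.lnk' -> ['doc', 'lnk'].

    Checking the whole chain rather than only the last suffix means a
    permitted inner extension cannot be used to wave through a disallowed
    outer one. Any directory prefix (either separator style) is dropped.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [s for s in base.lower().split(".")[1:] if s]


def is_allowed(filename: str) -> bool:
    """A filename passes only if it has at least one suffix and all are allowed."""
    chain = extension_chain(filename)
    return bool(chain) and all(ext in ALLOWED_EXTENSIONS for ext in chain)


def filter_message(raw: bytes) -> dict:
    """Accept the message only if every attachment passes the allowlist."""
    rejected = [name for name in attachment_names(raw) if not is_allowed(name)]
    return {"accept": not rejected, "rejected": rejected}


def build_sample() -> bytes:
    """Constructed test message (not a real capture): one benign text
    attachment and one opaque attachment with a double extension ending
    in .lnk, the file type the post says many scanners were not checking."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"        # constructed address
    msg["To"] = "recipient@example.invalid"       # constructed address
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see attached.")
    msg.add_attachment("plain text notes", filename="notes.txt")
    msg.add_attachment(b"\x00constructed-bytes", maintype="application",
                       subtype="octet-stream", filename="report.doc.lnk")
    return msg.as_bytes()


if __name__ == "__main__":
    print(filter_message(build_sample()))
```

The decision is driven purely by the declared filename, which is the cheap check the post is talking about; a real gateway would pair it with content-type sniffing and the virus scanner, since a Content-Disposition header is attacker-controlled.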

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com