Interesting People mailing list archives

IP: The damage caused by the "W32/Sircam" computer virus is expanding in Japan.


From: David Farber <dave () farber net>
Date: Fri, 27 Jul 2001 08:21:15 -0400



Sircam Virus Widely Spreads
July 27, 2001 (TOKYO) -- The damage caused by the "W32/Sircam" computer 
virus is expanding in Japan.
The computer virus infects Windows 9x. There have been a great number of 
reports from all parts of the world on the damage caused by the virus since 
it was first detected around July 17, 2001. Users and anti-virus software 
houses are busy taking countermeasures against the virus. On July 26, Trend 
Micro Inc. raised its assessment of the danger level of the virus to the 
maximum. On July 25 U.S. time, the CERT Coordination Center, a U.S.-based 
Internet security organization, issued a warning on the virus.

Sircam sends out files stored on a personal computer without the user's 
awareness and erases the data on the hard disk drive. It spreads copies of 
itself by both e-mail and network shares, which makes it highly infectious.

E-mails infected with Sircam contain a message written in either English or 
Spanish. The English version begins with the sentence, "Hi! How are you?" 
It is followed by a seemingly random subject line, for example, "I sent you 
this file in order to get your advice" or "I hope you like the file that I 
sent you." It concludes with the sentence, "See you later. Thanks."

Sircam itself is attached to e-mails under a file name such as "SirC32.exe" 
or "(certain words).doc.com." When the user opens the malicious attachment, 
the virus begins its infection. The infection is hard for users to notice, 
however, because infected document files still open in Word in the same 
way as usual.

The Sircam infection proceeds as follows. First, it copies itself onto the 
user's computer system: the virus installs a copy of itself into the 
Recycled folder (C:\Recycled) and the Windows system folder. Then it 
creates a copy on any network computer it finds, and sends itself and the 
files within the computer system through e-mail.

Sircam does not send infected e-mails through the mail client that the user 
is using; it uses its own built-in Simple Mail Transfer Protocol (SMTP) 
client. "Sircam obtains the SMTP information from the user's Outlook 
Express or Outlook, and sends infected e-mails using the setting," said an 
official of Symantec Corp. According to Trend Micro, the virus also sends 
e-mails by using an SMTP server on the Internet that the user has set up 
beforehand for their own use.

Sircam obtains e-mail addresses from two sources and sends infected e-mails 
to those addresses. One source is the Windows address book, which has the 
extension "wab" (Windows Address Book). The other is the Web browser's 
cache of HTML files the user has viewed. "Sircam sends infected e-mails to 
addresses on all Web sites that the user accessed by using a Web browser, 
including bulletin boards," said an official of Japan Computer Research 
Center. This is one of the reasons why the virus is spreading 
indiscriminately. Sircam takes files with extensions such as "doc," "xls," 
"zip" and "exe" from the Desktop and My Documents folders and sends them as 
e-mail attachments.
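The message template and the attachment naming described above, written up as a small mail-filter check over a constructed message. This is an added example, not part of the article or of any vendor's removal tool; the executable extensions beyond ".exe" and ".com", the sample message and its ".test" addresses are assumptions, and only the English-language body text is covered.

```python
import email
from email import policy

# Body sentences quoted in the article (English variant only).
OPENING = "Hi! How are you?"
CLOSING = "See you later. Thanks."
# Stems: the file types the worm takes from Desktop / My Documents, per the article.
DOC_EXT = {".doc", ".xls", ".zip", ".exe"}
# Executable tails: .exe/.com are named in the article; the rest are assumed.
EXEC_EXT = {".exe", ".com", ".pif", ".bat", ".lnk", ".scr"}

def is_double_extension(name):
    """True for 'budget.xls.com' style names: document stem, executable tail."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[1] in DOC_EXT and "." + parts[2] in EXEC_EXT

def sircam_indicators(raw):
    """Return the names of the article's indicators matched by one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    if body.startswith(OPENING) and body.endswith(CLOSING):
        hits.append("body-template")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() == "sirc32.exe":
            hits.append("sirc32-attachment")
        elif is_double_extension(name):
            hits.append("double-extension:" + name)
    return hits

# Constructed sample imitating the article's description; not a real capture.
SAMPLE_INFECTED = """\
From: alice@example.test
Subject: I sent you this file in order to get your advice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! How are you?
I sent you this file in order to get your advice
See you later. Thanks.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="budget.xls.com"

constructed placeholder bytes
--b1--
"""
```

Calling `sircam_indicators(SAMPLE_INFECTED)` returns both the body-template and the double-extension hit, while a plain message with a single ".xls" attachment returns nothing.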

Anti-virus software houses, including Trend Micro and Symantec, are 
distributing Sircam removal tools on their Web sites. Users are advised to 
promptly update the definition files of the anti-virus software installed 
on their PCs and not to open files attached to e-mails unless absolutely 
necessary.



For archives see: http://www.interesting-people.org/

