Interesting People mailing list archives
IP: The damage caused by the "W32/Sircam" computer virus is expanding in Japan.
From: David Farber <dave () farber net>
Date: Fri, 27 Jul 2001 08:21:15 -0400
Sircam Virus Widely Spreads

July 27, 2001 (TOKYO) -- The damage caused by the "W32/Sircam" computer virus is expanding in Japan. The computer virus infects Windows 9x. There have been a great number of reports from all parts of the world on the damage caused by the virus since it was first detected around July 17, 2001. Users and anti-virus software houses are busy taking countermeasures against the virus.

On July 26, Trend Micro Inc. raised its assessment of the danger level of the virus to the maximum. On July 25 U.S. time, the CERT Coordination Center, a U.S.-based organization involved in Internet security, issued a warning on the virus.

Sircam sends out files stored in a personal computer without users' awareness and erases the data in the hard disk drive. It creates its own copies by using both e-mails and network shares. For this reason, it has a significantly strong infectious power.

E-mails infected with Sircam contain a message written in either English or Spanish. The English version begins with the sentence, "Hi! How are you?" It is followed by a seemingly random subject line, for example, "I sent you this file in order to get your advice" or "I hope you like the file that I sent you." It concludes with the sentence, "See you later. Thanks."

Sircam itself is attached to e-mails with a file name, such as "SirC32.exe" and "(certain words).doc.com." When the user opens the malicious attachment file, the virus starts infecting. It is difficult, however, for the users to notice the infection, because even if the document files are infected, users can open the Word files in the same way as usual.

The following is the process of the Sircam infection. First, it copies itself in a user's computer system. The virus installs a copy of itself into the Recycled folder (C:\Recycled) and Windows system folder. Then it creates a copy on the network computer which it has found, and sends itself and the files within the computer system through e-mail.

Sircam does not send infected e-mails by using the mail client capabilities that the user is using, but uses its own Simple Mail Transfer Protocol (SMTP) client capabilities. "Sircam obtains the SMTP information from the user's Outlook Express or Outlook, and sends infected e-mails using the setting," said an official of Symantec Corp. According to Trend Micro, the virus also sends e-mails by using an SMTP server on the Internet that the users have set up beforehand for their own use.

Sircam obtains e-mail addresses from two sources and sends infected e-mails to the addresses. One of the sources is the address book in Windows which has the extension of "wab" (Windows Address Books). The other is the cache where the HTML files accessed by the user by using a Web browser are stored. "Sircam sends infected e-mails to addresses on all Web sites that the user accessed by using a Web browser, including bulletin boards," said an official of Japan Computer Research Center. This is one of the reasons why the virus is spreading indiscriminately.

Sircam takes in the files with extensions, such as "doc," "xls," "zip" and "exe," in the Desktop and My Documents folders, and sends them as attachment files via e-mail.

Anti-virus software houses, including Trend Micro and Symantec, are distributing on their Web sites tools for getting rid of Sircam. It is advisable that users promptly update the data of anti-virus software which is installed in their PC and not open files attached to e-mails unless absolutely necessary.

For archives see: http://www.interesting-people.org/
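Added example, not part of the original message or article: a mail-gateway style check that flags messages matching the traits described above (the fixed opening and closing sentences, the "SirC32.exe" name, and a document extension followed by an executable one such as ".doc.com"). The function names, the sample message and every executable extension other than ".com" are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Body markers quoted in the article for the English-language message.
OPENING, CLOSING = "Hi! How are you?", "See you later. Thanks."
# Document types the article lists; ".com" as a trailing executable extension
# is from the article, the other EXEC_EXTS entries are assumptions.
DOC_EXTS = {"doc", "xls", "zip", "exe"}
EXEC_EXTS = {"com", "exe", "bat", "pif", "lnk"}


def attachment_findings(filename):
    """Return the reasons an attachment name matches the description."""
    reasons = []
    name = filename.strip().lower()
    if name == "sirc32.exe":
        reasons.append("known-name")
    parts = name.split(".")
    # e.g. "report.doc.com": document extension hidden before an executable one
    if len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS:
        reasons.append("double-extension")
    return reasons


def score_message(raw_bytes):
    """Parse a raw RFC 5322 message and list the indicators it shows."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        lines = [s.strip() for s in body.get_content().splitlines() if s.strip()]
        if lines and lines[0] == OPENING:
            findings.append("body-opening")
        if lines and lines[-1] == CLOSING:
            findings.append("body-closing")
    for part in msg.iter_attachments():
        findings += attachment_findings(part.get_filename() or "")
    return findings


def build_sample(filename):
    """Constructed test message; the attachment holds harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "budget"
    m.set_content(f"{OPENING}\nI sent you this file in order to get your advice\n{CLOSING}\n")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A message that shows both body markers together with a flagged attachment name is a strong candidate for quarantine; any single indicator alone is better treated as a signal to log.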