RE: Win32.Sircam.Worm Alert.....

["Obert, Jack E." <JObert () sprg smhs com>]

It is my understanding that SirCam will look through the html code in your
internet cache directory to pick out e-mail addresses...  This may not be an
intentional distribution since people regularly access their corporate sites
and referenced on those sites are the mail addresses listed below...

 
Jack E. Obert, GSEC 
Technical Information Security Officer 
St. John's Health System 
 


-----Original Message-----
From: Tom Geldner [mailto:tom () xor cc]
Sent: Tuesday, July 24, 2001 11:35 AM
To: 'Johnson, Greg'; vuln-dev () securityfocus com;
SECURITY-BASICS () securityfocus com
Subject: RE: Win32.Sircam.Worm Alert.....




> -----Original Message-----
> From: Johnson, Greg [mailto:JohnsonG () missouri edu] 

> Don't let the e-mail tip-off fool you.
>
> In our University environment we find this and related worms 
> spread primarily via unprotected writeable Windows shares.  It 
> also gets in when a user without up-to-date anti-virus 
> software accesses an e-mail server other than our own which 
> has an anti-virus filter. Bim-ba-boom!

Some of our corporate accounts have been pounded on by a particular user
on verizon.net. None of those e-mail addresses are from someone's
address book. They are all things like info@, webmaster@, postmaster@
etc. so in our case, someone seems to be trying to propogate it
deliberately.

Tom