Vulnerability Development mailing list archives

Re: Win32.Sircam.Worm Alert.....


From: "Pete Sherwood" <petersherwood () home com>
Date: Wed, 25 Jul 2001 11:34:28 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

----- Original Message -----
From: "EPiC" <epic () hack3r com>
To: <vuln-dev () securityfocus com>; <SECURITY-BASICS () securityfocus com>
Cc: "ProgramJammer" <programjammer () hack3r com>
Sent: Monday, July 23, 2001 2:08 PM
Subject: Win32.Sircam.Worm Alert.....


Friday morning I received an email from a friend, it looked as though he
was sending me a .doc to look over. To my dismay, it was a worm that had
infected him.

I have found little information about this worm, mostly located at
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm () mm html

In the Anti-Virus arena, that write up is considered a lot ;-!

The Worm will come from someone that has you on their contact list, and
will have a different subject line determined by the attached file.

Not always. If you have one or more email addresses on web pages the worm
has the ability to extract email addresses from Web-Browser cache entries.
I've personally chatted with some who has had that happen and seen several
postings in the NetNews Group alt.comp.virus already.

The text will read in English as:

H i !   H o w   a r e   y o u ?

I   s e nd   y o u   t h i s  f i l e  i n   o r d e r   t o  h a v e  y o u r   a d v i c e

S e e   y o u   l a t e r .   T h a n k s

Take note of this item in the write up!

* Message: The message body will be semi-random,
* but will always contain one of
* the following two lines (either English or Spanish)
* as the first and last sentences of the message.
*
* Spanish Version:
* First line: H o l a   c o m o   e s t a s   ?
* Last line: N o s   v e m o s   p r o n t o ,   g r a c i a s .
*
* English Version:
* First line: H i !   H o w   a r e   y o u ?
* Last line: S e e   y o u   l a t e r .   T h a n k s

[NOTE: I had to add spaces as my ISP has put
blocks on those phrases already : ( ]

Since it will always [get your grains of salt!!!] contain the English or
Spanish statements, then mail program rules could be distributed
in an effort to keep the gullible from getting infected.
At the same time, see if the gullible are willing to update
their Anti-Virus signatures as well.

PS: I am adding this discussion to the FOCUS-VIRUS () securityfocus com
forum as this is a virus-related thread.

Pete Sherwood
613-260-0612 (home/office)
613-591-8900 ext. 525 (voice-mail)
PGP and Thawte digital keys available @
http://members.home.net/petersherwood/


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO17bdbomytMtxLfsEQK/+gCg8pDeCcLE4O2UyqsvdVfSFZQ3vNwAn2DW
OC3Fjl4IXnidhveCHYBD2oEQ
=4ceh
-----END PGP SIGNATURE-----
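
A sketch of the kind of mail rule suggested in the message above, as an added example that is not part of the original post: it flags a message when the first and last lines of its plain-text body match one of the two quoted pairs. Comparing with all whitespace removed, and additionally requiring an attachment, are assumptions made here; the function names and sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

def _norm(line):
    # Drop all whitespace and case so "H i !" and "Hi!" compare equal.
    return "".join(line.split()).casefold()

# (first line, last line) pairs quoted from the write-up in the post.
MARKERS = {
    "english": (_norm("Hi! How are you?"), _norm("See you later. Thanks")),
    "spanish": (_norm("Hola como estas ?"), _norm("Nos vemos pronto, gracias.")),
}

def body_variant(text):
    """Return 'english', 'spanish' or None for a plain-text body."""
    lines = [n for n in (_norm(l) for l in text.splitlines()) if n]
    if len(lines) < 2:
        return None
    for name, (first, last) in MARKERS.items():
        if lines[0] == first and lines[-1] == last:
            return name
    return None

def should_quarantine(raw_message):
    """True when the body matches a marker pair AND an attachment is present."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return False
    has_attachment = any(True for _ in msg.iter_attachments())
    return has_attachment and body_variant(part.get_content()) is not None

def build_sample(body, attachment_name=None):
    """Constructed test message, not a captured sample."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    body = "Hi! How are you?\n\nsemi-random middle text\n\nSee you later. Thanks\n"
    print(should_quarantine(build_sample(body, "constructed.doc")))
```

Because the middle of the body is semi-random, only the first and last non-empty lines are compared; a message that merely opens with the greeting is not flagged.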





