Vulnerability Development mailing list archives

Re: Sircam


From: "EPiC" <epic () hack3r com>
Date: Fri, 27 Jul 2001 10:28:22 -0600

I use snort IDS (snort.org) and have written rules to block it. Also,
it is simple to put the body of the message in postfix mail filtering
rules; block it at the mail server level.

Any questions on how I have done this can be directed to epic () hack3r com

EPiC
hack3r.com
----- Original Message -----
From: "Stan Lee (OBU-MY)" <Stan_Lee () trend com tw>
To: "Dom De Vitto" <dom () devitto com>
Cc: <vuln-dev () securityfocus com>; <SECURITY-BASICS () securityfocus com>
Sent: Thursday, July 26, 2001 10:08 PM
Subject: RE: Sircam


Hi all,

Do you guys think that scanning and cleaning is what you need to do for
this virus??? What if I suggest to STOP the coming of this virus at
all????

You should use a solution that sits on the internet gateway, right after
the firewall, to STOP all troj_sircam.A at the gateway.

For more detail please visit Trend Micro's site at: www.antivirus.com

Stan

-----Original Message-----
From: Dom De Vitto [mailto:dom () devitto com]
Sent: Friday, July 27, 2001 2:44 AM
Cc: vuln-dev () securityfocus com; SECURITY-BASICS () securityfocus com
Subject: RE: Sircam


Can I suggest that everyone vaguely interested go to the Symantec site
and look up the details - it's a complex thing SirCam, and does a lot
in a lot of ways.

e.g. Scans the Temporary Internet Files for any files containing email
addresses....

Dom
-----Original Message-----
From: Kimberly Anne McKinnis [mailto:elf () nauticom net]
Sent: 25 July 2001 21:15
To: Tom Geldner
Cc: 'Johnson, Greg'; vuln-dev () securityfocus com;
SECURITY-BASICS () securityfocus com
Subject: Re:Sircam


From what I've read, it looks for any email addresses on the system, not
just in address books. So if webmaster@ was posted on a webpage somewhere,
that may be the cause.

This subject line is causing some people's mail servers to reject the mail.
Somehow I doubt the real virus is actually going to send with that
subject.

Tom Geldner wrote:

-----Original Message-----
From: Johnson, Greg [mailto:JohnsonG () missouri edu]

Don't let the e-mail tip-off fool you.

In our University environment we find this and related worms
spread primarily via unprotected writeable Windows shares.  It
also gets in when a user without up-to-date anti-virus
software accesses an e-mail server other than our own which
has an anti-virus filter. Bim-ba-boom!

Some of our corporate accounts have been pounded on by a particular user
on verizon.net. None of those e-mail addresses are from someone's
address book. They are all things like info@, webmaster@, postmaster@
etc. so in our case, someone seems to be trying to propagate it
deliberately.

Tom

--
kimmie mckinnis
http://www.starjewel.org
icq:186072/aol:starbreiz





