Date: Mon, 30 Jul 2001 13:57:40 -0400 (EDT) From: BCPL.NET SysAdmin To: BCPL.NET News Subject: BCPL.NET NEWS: Virus Alert ----------------------------- SIRCAM WORM SPREADING RAPIDLY ----------------------------- A virus (actually a worm) known as "SirCam", "W32/SirCam@MM", "I-Worm.SirCam", and similar names is currently the fastest spreading PC virus on the Internet. SirCam is a mass-mailing worm that attempts to send itself to all e-mail addresses in an infected PC's Windows Address Book and to e-mail addresses found on Web pages in the infected PC's Web browser cache. The e-mail messages sent by SirCam have the following message text. If you receive such a message, delete it. The simple act of reading it will not infect your PC, but DO NOT open the file attachment! -------- Hi! How are you? I send you this file in order to have your advice (or I hope you can help me with this file that I send) (or I hope you like the file that I sendo you) (or This is the file with the information that you ask for) See you later. Thanks -------- The message may also be received in Spanish: -------- Hola como estas ? Te mando este archivo para que me des tu punto de vista (or Espero me puedas ayudar con el archivo que te mando) (or Espero te guste este archivo que te mando) (or Este es el archivo con la información que me pediste) Nos vemos pronto, gracias. -------- The address on the message's "From:" line may well be someone known to you, but this does not mean he/she sent it to you on purpose. SirCam operates in the background on the infected PC, so the "sender" is completely unaware that infected e-mail is being sent under his/her name. The message includes a file attachment, which is what actually carries the virus. It consists of a document taken from the infected PC (usually from the "My Documents" folder), with the virus code added to it and an extra extension added to the original file name. For example, if the original file name was "myfile.doc" (a Microsoft Word document), the infected file might be named "myfile.doc.exe". The added extension can be .exe, .bat, .com, .lnk, or .pif. The following happen if the recipient opens the file attachment: o The original document is opened using the appropriate application if present on the recipient's PC. For example if the original file was "myfile.doc", it will be opened in Microsoft Word or WordPad. This masks what the virus is really doing. However it also poses a potential security or embarrassment risk if the "My Documents" folder on the infected PC contains documents of a sensitive nature. o In the background SirCam infects recipient's PC, which starts sending out infected e-mail of its own as described above. o If the infected PC is on a local area network, SirCam searches for other PCs on the network with file sharing enabled and unsecured. If such a PC is found on the network, SirCam attempts to infect it. The usual e-mail method of transport is not used in this case. For more information about SirCam, see: http://vil.mcafee.com/dispVirus.asp?virus_k=99141& http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html http://www.F-Secure.com/v-descs/sircam.shtml If you don't have an anti-virus program on your PC, you should seriously consider getting one. This is very important for any Internet-connected computer. The two most popular are McAfee VirusScan and Norton Antivirus, but there are others. If you already have anti-virus software installed, make sure its "virus description database" is up to date. The virus description database is what tells the anti-virus program what to look for when it scans for viruses, and how to eradicate any that it finds. New PC viruses are discovered "in the wild" almost every day, so anti-virus software publishers periodically issue updated versions of their databases. Most anti-virus programs have a built-in "update" function of some kind. Use it! Your anti-virus program cannot protect your computer against recent viruses if it is using an outdated virus description database! If you don't know how to make your anti-virus program do an update, see the manual, or go to the publisher's Web site, or contact the publisher's Help Desk for assistance. Add the following URLs to your Internet Explorer favorites list or your Netscape bookmarks list. Use them to look up definitive information about viruses and virus hoaxes. F-Secure: http://www.F-Secure.com/virus-info/ McAffee: http://vil.mcafee.com/ Symantec: http://www.symantec.com/avcenter/ Above all, NEVER open an e-mail file attachment unless you are expecting it and can confirm with the sender that it is actually what you were expecting from him/her. -- BCPL.NET INTERNET SERVICES 320 York Road Towson, MD 21204-5179 U.S.A. CONTACTS: -------- Web Site: http://www.bcpl.net Administration & Policy: ispadmin@bcpl.net 410-887-6180 Sales, Renewals, Account Status: accounts@bcpl.net 410-887-4172 Technical Support (Help Desk): help@bcpl.net 410-887-3297 Usenet News Newsgroup Requests news-admin@bcpl.net 410-887-6180 E-Mail & Newsgroup Abuse Reports: abuse@bcpl.net 410-887-6180 Domain Name Service Issues: dnsadmin@bcpl.net 410-887-6180 FAX: 410-887-2091