Two computer viruses making rounds
July 20, 2001
ATLANTA, Georgia -- Anti-virus experts are warning of two computer bugs, one targeting the White House site with a Web attack, while the other is rated a "medium risk" to users because the number of infections is rising quickly.
However, neither virus has particularly damaging capabilities.
A computer worm known as "Code Red" was unleashed on nearly 100,000 Web servers Thursday, posing a risk of deleted files and slow performance, computer security experts said. One of its intended targets, they said, was the White House Web site.
A computer worm is a program that propagates itself by attacking other machines and copying itself to them.
But computer experts said home Internet users would probably not be affected, and there is no cause for panic. Dozens of new worms and viruses are released each week.
They said this particular worm does have some destructive payload, meaning it can destroy or delete some files, but the major problem it is causing is a degradation of performance and some system instability. For example, it could cause slowdowns in business networks that have been affected. It can also result in altered or garbled Web pages.
An analysis of the worm program by network protection company eEye Digital Security said the infected computers were programmed to hit the White House Web site Thursday evening with a "denial of service" attack, and could potentially slow parts of the Internet to a crawl.
However, Keynote Systems, which monitors the 'whitehouse.gov' site, said the site was immunized against the worm and is operating just fine, with a 95 percent availability to those who try to access it.
One expert said computer security analysts have been aware of the worm for a couple of weeks, but it was moving fast.
"We've seen this worm spread quickly to a significant number of machines," said Jeffrey Carpenter, a coordination manager for CERT. CERT is a clearinghouse for computer intrusions, based at Carnegie Mellon University in Pittsburgh.
Only Web servers with a particular configuration of Microsoft Windows, known as IIS, are vulnerable to this attack. A patch, or fix, is available via CERT at www.cert.org, or through a number of other virus protection companies.
Invasive worm sends out personal files
Meanwhile, a troublesome worm called "Sircam" is also making the rounds. Although it has been known about for some time, several anti-virus companies have raised a warning flag due to the speed at which it is now spreading.
Sircam is a mass mailing virus that uses Microsoft Outlook Express to distribute itself, according to Trend Micro. It attempts to evade detection by arriving with a random subject line and an attachment by the same name.
But Sircam is particularly nasty since it can send out personal documents saved on the hard drive.
F-Secure's anti-virus warning described Sircam's message like this:
Subject: Document file name (without extension)
From: [firstname.lastname@example.org]
To: [email@example.com]
I send you this file in order to have your advice
See you later! Thanks
Once a computer is infected, Sircam creates a list of files with extensions such as .DOC and .JPG that are located in the user's "My Documents" folder. The virus then sends copies of itself to users in the victim's address book, including one of those files chosen at random.
"Since quite often users keep their personal or company-related documents there, it means that the worm can send out confidential information," states the F-Secure Web site.
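The traits in that description (an attachment named after the subject line, plus the two fixed body sentences) are enough for a simple mail-filter check. The Python below is an added example, not code from this report or from F-Secure or Trend Micro; the function names, addresses and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Fixed body sentences quoted in the F-Secure description above.
BODY_MARKERS = ("I send you this file in order to have your advice",
                "See you later! Thanks")

def sircam_indicators(raw_message):
    """Return which of the described traits a raw RFC 822 message matches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = []
    for part in msg.iter_attachments():
        # Drop any path component, then compare against "<subject>.<ext>".
        name = PureWindowsPath(part.get_filename() or "").name.lower()
        if subject and name.startswith(subject + "."):
            hits.append("attachment-named-after-subject")
            break
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits += ["body:" + m for m in BODY_MARKERS if m.lower() in text]
    return hits

def is_suspect(raw_message):
    """Flag only when the name match coincides with a fixed body sentence."""
    hits = sircam_indicators(raw_message)
    return "attachment-named-after-subject" in hits and len(hits) >= 2

def _sample(subject, body, attachment_name):
    """Build a constructed test message with one placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "sender@example.org"      # constructed address
    m["To"] = "recipient@example.com"     # constructed address
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()

# Constructed samples: one matching the description, one ordinary message.
SIRCAM_LIKE = _sample("Meeting notes", BODY_MARKERS[0] + "\n" + BODY_MARKERS[1],
                      "Meeting notes.doc")
BENIGN = _sample("Quarterly numbers", "Figures attached as discussed.",
                 "report.xls")

if __name__ == "__main__":
    for label, raw in (("sircam-like", SIRCAM_LIKE), ("benign", BENIGN)):
        print(label, is_suspect(raw), sircam_indicators(raw))
```

Requiring both the name match and a body sentence keeps ordinary mail, where people often name an attachment after the subject, from being flagged on that trait alone.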
Anti-virus firm Symantec had elevated its warning level Thursday from a 3 to a 4 on a scale of 1 to 5, while others designated it as a "medium" risk.
When Sircam is run, it copies itself to the Recycling Bin, sets up a directory called 'c:\recycled\SirC32.exe' and appears as 'SCam32.exe' in the Windows system directory. This way the worm's activity is disguised.
Despite its intrusive nature, Sircam appears to do little in terms of deleted files, the anti-virus companies stated.
Instructions on how to remove Sircam from an infected computer are posted on most anti-virus Web sites.
"The trick with all these attacks is, when does it rise to the level of being noteworthy?" asked Ben Venzke, a security expert at iDEFENSE in Fairfax, Virginia.
Experts said the Code Red and Sircam worms are nowhere near legendary predecessors like the "ILOVEYOU" worm or "Melissa" virus.
Venzke says even the most meticulous system administrators have a hard time keeping up with all the patches and fixes necessary.
"We're going to have to come to a time when we do something more than just constantly react to these attacks," he told CNN.
CNN.com Sci-Tech Editor Daniel Sieberg contributed to this report.
Copyright © 2001 Cable News Network LP, LLLP.