New e-mail virus uses disguises to spread quickly
July 25, 2001
A wicked "worm" is crawling through Connecticut computers, clogging e-mail, scattering private files and threatening to expunge whole disks of data.
The worm's official name is "Sircam," but a sneaky bit of virus crafting disguises its identity. Sircam spreads fast, but isn't a highly destructive computer virus -- yet. Users will know more on Oct. 16, when Sircam promises to obliterate certain hard drives. Currently the worm is tying up businesses and universities.
"This is a big one, based on the number of machines affected and the speed at which it spreads," said Stephen Trilling, director of research at the Symantec Viral Research Center in California.
Symantec specializes in computer security and produces Norton AntiVirus software.
H. Morrow Long, computer security officer at Yale University, said Tuesday he had been fielding a steady stream of Sircam queries.
"Quite a few people at Yale got a lot of Sircam e-mail," Long said. "It's disruptive."
Sircam's most worrisome tactic may be a mindless invasion of privacy as the worm plucks files and sends them around the world.
Sircam arrives in your e-mail with an innocuous return address. Not one likely to arouse suspicion.
Inside the e-mail are a message and an attachment.
The attachment carries Sircam's secret payload, a small program written in the computer language "C."
The e-mail says "I send this file in order to have your advice," or "This is the file with the information you asked for," or another of the several come-ons.
Sometimes the message is in Spanish.
If you delete the whole e-mail at this point, no harm done. Sircam will sit helplessly in your recycle bin. Do not -- DO NOT -- open the attachment. A double click on the attachment unleashes Sircam, which immediately flips through the computer's e-mail address book. The malicious software randomly picks files from your C drive, tacks them onto the attachments, and dispatches them to the addresses.
Depending on what you store there, it could be a resume, a file containing credit card numbers, a torrid love letter, or other material not intended for public scrutiny.
The target recipient sees e-mail from someone he knows or from a blameless person whose address was swept into the mess.
The e-mail is not from "Sircam," nor does it carry a signature message such as "I love you" (a la the "I Love You" virus).
Sircam doesn't stop there. The worm nestles into the "registry" file in the PC.
The registry contains all sorts of cyber stuff, including instructions necessary to run programs.
Sircam inserts a hidden line of code that's activated when a program is run. The line tells the computer "Find Sircam and run it again."
Sircam apparently conks out after 8,000 runs. If you don't have an e-mail address book, Sircam will search for any address on your C drive. Once every 34 attacks or so, Sircam fills the hard drive with junk. That's not too bad.
On October 16, Sircam will strike infected computers using the European day/month/year date format. Everything on the C drive will be deleted.
To fight Sircam and other Trojan horses, worms, viruses, and bombs, do not open unexpected attachments, Long said.
If you're expecting an e-mail plus attachment, double check with a phone call before you click, he said.
Symantec has updated Norton AntiVirus to dispose of Sircam. Download and run, Trilling said.
If you use a different anti-virus program, check with the manufacturer.
Unless you are a knowledgeable computer expert, do not attempt to edit lines in the registry, assuming you could find it, Trilling and Long said.
Excise the wrong line and you've transformed your computer into a big paperweight.
By ABRAM KATZ, Special to The Bristol Press, Copyright © The Bristol Press 2001