New virus preys on e-mail address books

July 28, 2001

NORMAL — The e-mail seeks your advice, but experts offer this thought: Don't.

An easily spread computer virus dubbed "W32/SirCam" hit the Illinois State University campus and other places this week, but isn't as destructive as the "Melissa" or "I Love You" viruses.

Carla Birckelbaw, ISU's director of computer infrastructure support services, said the virus comes attached to an e-mail letter that asks the recipient to view an attachment and provide advice.

"It looks like it could legitimately be from someone sending you something you need to take a look at," she said. "But our advice is don't look at it."

As with most viruses, Birckelbaw said, simply reading the e-mail message does not infect a computer system. The virus is released when a user double-clicks to open the attachment.

Once that happens, W32/SirCam is sent to everyone in the user's address book. "It's a virus that preys on address books," Birckelbaw said. "It uses the address books on the recipient's computer to replicate itself."

W32/SirCam randomly chooses a document from a user's hard drive and takes that as its attachment, so the attachment has random names that can't be filtered by a server. It also looks more legitimate.

The virus has been "fairly widespread" at ISU, but it has been more annoying than destructive.

"When people have opened it on campus, generally they can't boot up their machine for a while," she said. "But it doesn't delete system files or document files. Everything is recoverable, but it's time-consuming."

Birckelbaw does not know how many ISU computers have been affected by the virus, and university officials do not know where it originated. It showed up Monday night and Tuesday morning, she added.

All university workers have been provided with virus protection software. As long as they use it correctly and update it when necessary, she said, they will be safe from the virus.

ISU is also using telephones, faxes and its Web site warning center (www.ilstu.edu/alerts) to warn staff against opening suspicious attachments. A message regarding W32/SirCam first was posted Tuesday.

The university expects to have all computers cleared within a week or two.

State Farm Insurance Cos. was warned about the virus July 17 by its software vendors, said spokeswoman Ana Campain-Romero.

Three or four specialists at State Farm started working on it, said Campain-Romero, and by the next day had developed a program to protect the company's computers.

At Country Insurance & Financial Services, "it has knocked on our door, but we have not let it in," said spokeswoman Cathy Oloffson. "Our virus protection has detected it and quarantined it." Computer specialists at Country called it "Code Red," she said.

"I'm told our virus protection has been working overtime," she added. "The number of attempts have doubled, which they (computer specialists) attribute to Code Red."

At Mitsubishi Motor Manufacturing of America, "the systems department was aware of it and made employees aware of it, but we have not seen it," said spokeswoman Krystal Peasley.

E-mail users at The Pantagraph began to see the virus attachment as early as last week but generally have not opened it.