New e-mail virus loose on the Net

July 30, 2001

If your mom never told you, she should have: Don't open e-mail attachments, especially from strangers and especially if you don't know what's in them.

Another computer e-mail worm virus--a seemingly friendly one known as the SirCam virus--has been arriving in e-mail boxes in the past week or so and wreaking damage, including stealing sensitive files and spreading them around the Net and crashing the systems of the unsuspecting.

''This is something quite new,'' said Ofer Elzam, senior security expert with Aladdin Knowledge Systems, a digital security company with its U.S. headquarters in Arlington Heights. ''It has had an amazing impact in a few days.''

The e-mail typically comes with a greeting: ''How are you? I send you this file in order to have your advice. See you later. Thanks.'' There's a Spanish version, too.

There's more on it available at www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html.

Attached to the message is a file with a PIF, LNK, COM or BAT extension, which were used in old DOS operating systems.

Delete these messages. Do not open the attachments.

The virus apparently hasn't caused huge problems for major businesses with industrial-strength virus protection.

Todd Mollerup, director of system services at Divine Inc., the hosting portion of the Chicago tech company, which provides messaging services to 4,000 people, said companies should protect against such problems with filtering software at their e-mail network as well as on desktops to halt viruses picked up when employees go outside the firewall and use Web-based e-mail. ''You should protect against viruses at all levels,'' he said.

However, the SirCam virus, which originated in Mexico, typically poses more problems for home computer users, Elzam said.

Once it's launched, SirCam seeks out documents, in the Word word-processing program or spreadsheets from Xcel. The virus also goes through cached information to see what Web sites the computer user has visited and picks up e-mail addresses from there.

The virus, unlike the notorious Love Bug virus last year that attached itself to Microsoft e-mail programs, contains its own e-mail engine, Elzam said.

SirCam has e-mailed sensitive documents, such as client lists and internal company reports. Elzam said savvy computer users could disable the virus and then open the confidential documents.

However, more typically, the virus is set loose and either starts deleting files or filling up computer memory until it reaches capacity and crashes. Computer owners then may have to reformat their hard drives and start over.

The virus contains a ''payload'' aimed at deleting all files on a computer's hard drive on Oct. 16.

Elzam said his own company, which has 320 employees, blocked more than 1,000 messages containing the virus.

Computer users can copy and paste portions of the virus' e-mail message into their e-mail program's filter to automatically remove the messages. All computer users should use antiviral software and update it regularly.