

The W32/SirCam@MM Virus Gets Lucky

by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)

Last significant update: 07 August, 2001

This information can be freely reproduced in any medium, as long as the information is unmodified.

The W32/SirCam@MM virus was discovered on 17 July, 2001; the next day's VirusScan definitions (4148, announced at U-M on 18 July, 2001) protected our users against this new virus.

Note: Like all other (pure) W32 viruses, SirCam can only infect Windows 32-bit code. Hence it cannot infect Macintoshes, although Mac users may well see plenty of these in their mailboxes. Moreover, it seems not to affect Windows NT or Windows 2000 systems, at least not via its email vector.

Other antivirus product vendors released updated definitions in the same time frame.

Unfortunately, many people around the world appear not to have been protected, because this virus has spread rapidly. While new viruses appear daily, most don't get lucky and become a problem; SirCam has, and since it includes user documents in its email, there is a security issue as well: if you get infected, your personal and company documents may be getting mailed around the world....

The virus spreads by capturing email addresses from the addressbook of the compromised computer, and sending itself to those addresses, after attaching to a file in the "My Documents" folder. Infected email is easily recognized by the body text:

> Hi! How are you?
> I send you this file in order to have your advice
> See you later. Thanks

The message may also appear in Spanish.

In either event, an attachment of some 137 KB, plus the size of the attached document, will be included. I've seen the files range up to 5.32 MB (!!), but they could be larger: whatever is there for it to infect....

The virus also attempts to spread on computer networks, via open shares.

Of course, the victims could have stayed virus-free if they had obeyed the rules we've stated many times in these pages:

   The Prime Directives of Safe Hex:

   1. NEVER ACCEPT UNSOLICITED ATTACHMENTS, even from those you know and
      trust.

   2. Get top quality antivirus software, install it, and USE it.

   3. Keep said software updated, preferably at least once a week.

   4. Avoid crappy emailers that allow active content, like the Microsoft
      Outlook variants.  Otherwise, you WILL get bitten by junk like this.

What to do if you get email infected with SirCam? You have several options:

  1. Just delete the message; this is the safest course.

  2. Reply to the sender, and to abuse@{the sender's ISP}, including email headers but not the virus itself, and request that the problem be fixed. Note that sometimes the sender's From: field is invalid; that's why you would contact the abuse folks.

  3. If you do contact user and ISP, you may want to point them to this web page, so that they may contact us if they need further assistance.

  4. Though you should never send hostile code to anyone you don't know and trust, if you find yourself getting hammered from a particular address, perhaps I can figure out who it is. Email me and we'll work out something.

In any event, the key thing is to have up-to-date antivirus software on your machine, so that you are protected even though you may get lots of these in your Inbox.
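The two indicators the page gives for an infected message (the fixed English body text and an attachment of roughly 137 KB plus the stolen document) are enough to flag such messages automatically, and the advice in option 2 above (send the headers, never the virus) can be automated in the same pass. The following is an added illustration written for this page, not code from the U-M Virus Busters: it parses raw RFC 822 messages with Python's standard email library, reports messages whose plain-text body carries the quoted phrases and that also carry an attachment, estimates how large the leaked document was, and extracts only the header block for an abuse report. The sample messages, their addresses and the attachment name are constructed; the Spanish-language body text the page mentions is not reproduced on the page, so it is not matched here.

```python
import email
from email import policy
from email.message import EmailMessage

# Body phrases the advisory quotes from the English version of the infected message.
SIRCAM_PHRASES = (
    "i send you this file in order to have your advice",
    "see you later. thanks",
)

# Approximate size of the virus code itself, per the advisory (~137 KB).
# The attachment is this plus the document taken from "My Documents".
VIRUS_BODY_BYTES = 137 * 1024


def _body_text(msg):
    """Lower-cased text/plain body of a parsed message, or '' if it has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().lower() if part is not None else ""


def _attachments(msg):
    """List of (filename, decoded size in bytes) for each attachment."""
    out = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        out.append((part.get_filename() or "<unnamed>", len(payload)))
    return out


def looks_like_sircam(raw):
    """Classify one raw RFC 822 message.

    Returns a dict of findings when the body carries the quoted phrases AND
    there is an attachment; otherwise returns None (not flagged).
    """
    msg = email.message_from_string(raw, policy=policy.default)
    hits = [p for p in SIRCAM_PHRASES if p in _body_text(msg)]
    atts = _attachments(msg)
    if not hits or not atts:
        return None
    total = sum(size for _, size in atts)
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "phrases": hits,
        "attachments": atts,
        # How much of the attachment is probably the leaked document.
        "estimated_document_bytes": max(0, total - VIRUS_BODY_BYTES),
    }


def headers_for_report(raw):
    """Header block only (no body, no attachment), as an abuse report should carry."""
    msg = email.message_from_string(raw, policy=policy.default)
    return "\n".join(f"{name}: {value}" for name, value in msg.items())


def scan_mailbox(raw_messages):
    """Run the classifier over many raw messages; return only the findings."""
    return [r for r in (looks_like_sircam(m) for m in raw_messages) if r]


# --- Constructed sample messages (not real captures) ---------------------
def _constructed_message(body, attach_name=None, attach_bytes=b""):
    m = EmailMessage()
    m["From"] = "someone@example.invalid"           # constructed address
    m["To"] = "you@example.invalid"                 # constructed address
    m["Subject"] = "document"
    m["Received"] = "from a.example.invalid by mx.example.invalid; constructed"
    m.set_content(body)
    if attach_name:
        m.add_attachment(attach_bytes, maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_string()


SAMPLE_INFECTED = _constructed_message(
    "Hi! How are you?\n\nI send you this file in order to have your advice\n\n"
    "See you later. Thanks\n",
    "document.doc", b"X" * (VIRUS_BODY_BYTES + 2048))   # constructed name/size
SAMPLE_CLEAN = _constructed_message("Hi! How are you? Lunch tomorrow?\n")

if __name__ == "__main__":
    for finding in scan_mailbox([SAMPLE_INFECTED, SAMPLE_CLEAN]):
        print(finding["from"], finding["attachments"],
              finding["estimated_document_bytes"])
    print(headers_for_report(SAMPLE_INFECTED))
```

The classifier requires both indicators: the body text alone would also match a harmless reply that quotes the virus message, and an attachment alone is just ordinary mail. Because the From: field may be forged, as the page notes, the report function keeps every header (including Received:) rather than trusting the sender address.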

Worse, what if you manage to get infected by it?

  1. First, disconnect your computer from the Internet

  2. Next, remove the virus; we recommend doing this after booting from a floppy, and using a DOS-only antivirus scanner.

    • If you don't already have antivirus software, you'll need to get it -- and to make it current. Do this on an uninfected computer; then take the updated antivirus program to your computer to clean it. One option is F-PROT, which is excellent, free for individual, noncommercial home use, and on many web sites -- including ours [make sure you get at least version 3.10.]

    • If you have antivirus software but don't know whether it is current, contact your antivirus vendor's tech support.

    • At U-M, the most recent version of VirusScan can be checked thus: right-click on the VShield icon in the System Tray (by the clock), and choose . If you're current, it'll say "VirusScan w/SP 4.5.0.534", and then list the definitions version (4.0.4151 as of this revision to the web page on 07 August, 2001) and engine (4.1.40). If it doesn't say "with SP", then you need to install the Service Pack; if it has a smaller def or engine version number than the one cited above, you need to install the current SuperDAT. These are linked on our web site at http://www.umich.edu/~virus-busters/vsdl.html

    • Most vendors have "stand-alone" antivirus programs that can remove SirCam. The disadvantage is that they cannot remove some 58,000 other viruses that exist today at the same time, but this is another alternative. Since I have not tested any of these products, I can't offer a recommendation, but if you go this route, I wish you the best. Anyway, browse to the web site of the antivirus vendor you prefer, look up SirCam, and give their procedure a try if you wish. Do contact the vendor if you want to resolve problems with their disinfector, not us.

    Note: Since this virus creates its own infected files, disinfecting may not succeed. In that case, deletion should be safe.

  3. After the virus is removed, install and update your antivirus software.

  4. Now you can reconnect to the Internet; please contact everyone in your addressbook to alert them that your computer may have sent them a virus.

  5. Look at the logfile from the disinfection, so that you can tell what files may have been sent out to who knows whom. You'll be looking for equivalent files in your My Documents folder, not the Recycle Bin, of course. In particular, make sure that no sensitive information is included, like your credit card numbers, etc. In the case that you are unlucky in this regard, take appropriate action immediately!

  6. Resolve that this will never happen to you again, in part by following the Prime Directives above.

Please do not forward this alert -- or any other virus warning or hoax -- to all your friends. You may, however, forward this to people responsible for your antivirus support, and to others whom I support.

For this virus, I suggest that you provide a pointer to this URL (http://www.umich.edu/~virus-busters/sircam.html); for technical details of this virus, see antivirus vendor web sites -- e.g., NAI's (leaving our site) or F-Secure's (leaving our site) writeup.

For virus or hoax info, please see our main page (http://www.umich.edu/~virus-busters/) or go to another reputable site, like The Urban Legends Reference Pages (leaving our site).

   -BPB



Last updated: Wednesday, 02-Jan-2002 13:26:54 EST.
University of Michigan Virus Busters - virus.busters@umich.edu
