technofile
Al Fasoldt's reviews and commentaries, continuously available online since 1983

Latest Windows virus sends out your private documents


July 29, 2001


By Al Fasoldt
Copyright © 2001, Al Fasoldt
Copyright © 2001, The Syracuse Newspapers

   For the last two weeks, Windows users by the hundreds have been sending me their most private files.
   These bizarre mass-mailings started in late July, triggered by a one-two punch from a combination worm called Sircam. It enters Windows PCs through an e-mail attachment, and is activated when the user opens the attachment. Sircam then goes to work mailing out personal documents at random to addresses it finds in the Windows address book.
   Unsuspecting Windows users whose PCs have been infected have been sending me the most personal and private files imaginable. I did not open any of them -- doing so would have set off the virus, and I'm not a snoop anyway -- but the names of the files were revealing enough. I received a list of financial data from a local diary, a library planning document, a couple of notes that appeared to be reminders of bills that were due, scores of images saved from Web pages and even a couple of homework assignments.
   The Sircam worm sends a hidden copy of itself along with each personal document. Sometimes, based on the date or a random number, Sircam will fill up the PC's hard drive with nonsense files or wipe out every file on the computer.
   Sircam, which is sometimes referred to as "W32.sircam" or "TROJ_SIRCAM" (or similar names), does not harm Macintosh computers, nor is it a threat to PCs running Linux or any other non-Windows operating system. Even on Windows PCs, the worm is harmless if users leave the attachment alone -- if they do NOT open the attachment. Windows users should never open attachments unless they know the sender, know what the file is and have asked the sender for the file.
   Sircam is described as a worm that acts like a virus or a virus that acts like a worm. Worms spread from computer to computer by making copies of themselves; viruses cause damage to computers or change them in some other way. Most viruses attack only Windows PCs, taking advantage of the many weaknesses in the way Windows is designed. Even Microsoft's Windows XP, the version of Windows that Microsoft is introducing this fall, is vulnerable to viruses and worms, and there have been reports that test copies (beta versions) of Windows XP have been hit by Sircam already.
   PCs that Sircam infects do not need to be using either of the two most common Windows e-mail programs, Outlook or Outlook Express. Sircam has its own built-in mail software and will send out private documents and copies of itself as long as it finds entries in the Windows address book.
   The letters that are sent out with their payload of private files and deadly infections appear to come from a normal Windows user. They have the return address of the person whose PC has just been infected.
   But they have telltale ungrammatical English in the message itself, indicating that the virus writer was not a native English speaker. The worm changes the text at random, but the English version always seems to start out with, "Hi! How are you?" The Spanish version starts with, "Hola como estas ?"
   The English version ends with "See you later. Thanks." The Spanish version ends with "Nos vemos pronto, gracias."
   Sircam also commandeers the Windows Registry, a database on every Windows PC that controls the way Windows behaves. It tells Windows to run the worm any time the user tries to run a regular program. It stores several files in the Recycle Bin, hiding them from most antivirus programs. Even after an antivirus program has cleaned out Sircam's program files from other locations, it will miss the ones hidden in the Recycle Bin unless it specifically knows enough to look there. This gives Sircam a chance to reinfect the PC.
   Sircam is even more malicious than it might seem. Even if you delete all of Sircam's files so that it cannot run, your Windows PC will not work right unless you put the Registry back in order. You can get a Sircam-removal program from Trend Micro. (I removed a link to a batch file that removed the virus and fixed things, mostly because the one from Trend is much better.)
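   An added example, not the author's code or the Trend Micro tool, of what "putting the Registry back in order" means in this case. Windows launches every .exe through the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command, which is normally "%1" %*, so a worm that writes itself into that value runs every time the user starts an ordinary program; the Python below parses a Regedit export of that key (for instance the file produced by `reg export HKCR\exefile exefile.reg` on the suspect PC) and reports whether something else has been wired in front of the program. The exports shown are constructed, the worm path is a placeholder, and the C:\RECYCLED folder name is an assumption for Windows 9x/ME.

```python
import re

# Windows' own default for the .exe "open" verb: run the program itself with its arguments.
DEFAULT_EXE_COMMAND = '"%1" %*'
EXEFILE_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
_unescape = lambda s: re.sub(r'\\(.)', r'\1', s)  # .reg string escaping: \\ -> \ and \" -> "

def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}; only string values are kept and a key's
    default value (written as @) is stored under the empty name."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        section = re.match(r'^\[(.+)\]$', line)
        if section:
            current = section.group(1)
            keys.setdefault(current, {})
            continue
        value = re.match(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$', line)
        if value and current is not None:
            name = '' if value.group(1) == '@' else _unescape(value.group(1)[1:-1])
            keys[current][name] = _unescape(value.group(2)[1:-1])
    return keys

def check_exe_association(reg_text):
    """Return (is_default, command). is_default is False when something other
    than the program itself has been placed in front of every .exe launch."""
    command = parse_reg_export(reg_text).get(EXEFILE_KEY, {}).get('')
    if command is None:
        return False, None  # key missing: Windows cannot launch .exe files at all
    return command.strip().lower() == DEFAULT_EXE_COMMAND.lower(), command

def launches_from_recycle_bin(command):
    # The column says the worm hides its files in the Recycle Bin; on Windows
    # 9x/ME that folder is C:\RECYCLED (the folder name is an assumption here).
    return command is not None and 'recycled' in command.lower()

# Constructed sample exports, not real captures; the worm path is a placeholder.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\RECYCLED\\WORM.EXE\" \"%1\" %*"
'''
```

A removal tool that deletes the worm's files without restoring this value leaves the PC unable to start any program, which is the failure the column describes.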
   Even if your PC is not yet infected, be sure to download the Trend Micro Sircam fix-it program and store it on a floppy disk. Label it. Keep it handy.
   The Trend Micro site is at www.antivirus.com/vinfo/.