DejaNET Communications - Welcome To Our New Site!

W32.Sircam.Worm@mm / W32/SirCam@mm / Backdoor.SirCam
SPECIAL ALERT
July 23, 2001 - MUSKEGON, MI - DejaNET Communications today has confirmed that at least three DejaNET users have received an email containing what is known as the W32.Sircam.Worm@mm.  This particular email worm/virus is very dangerous and is spreading extremely fast around the Internet.  The email consists of one or two attached files.  The first file is the text of the email and the second file is the actual worm payload which is disguised as numerous different file types.  The payload is triggered to delete many or all files from your system on October 16, 2001.  This worm is particularly dangerous due to the fact that the subject, text, and payload filename can be totally random - this makes trying to identify this worm by eye extremely difficult.  An antivirus program IS NEEDED to properly detect this.

The way this worm works is pretty unique.  Once the system is infected, the worm propagates itself to other machines via email.  It can also propagate itself over connected computer networks.  Instead of reading a user's address book as many others have done in the past, this worm simply pulls email addresses from web pages you have visited and/or emails that you have received and/or sent out.  It can also pull email addresses from reading Newsgroup articles.  It features its own built-in SMTP emailer so it can do this on ANY machine that is infected.

THE USUAL RULE IS DO NOT DOWNLOAD ANY FILE ATTACHMENTS PERIOD - REGARDLESS OF WHO IT IS FROM!!! 

Opening email is quite like having sex - hopefully you wouldn't have sex with every person who offered it to you so do yourself a favor and do the same for your email - do not open any attachments.

You have heard this hundreds of times, yet many people do not heed this simple rule.  Also, be sure to keep your antivirus definitions up to date.  Norton will pick this one up if your definitions are newer than July 17, 2001.  I recommend getting a copy of Norton Antivirus 2001 if you haven't already done so.  I have personally noticed that the email portion of Norton does not detect this virus when first downloaded to the system - it will however detect it once you attempt to open the file.

Exact copies of the emails we have received so far are shown in full below:

START OF EMAIL NUMBER ONE (1)
-------------------------------------------------------------------
Return-Path: <xxxx@xxxx.com (removed to protect senders privacy - DejaNET)>
From: "xxxx@xxxx.com (removed to protect senders privacy - DejaNET)
To: xxxx@xxxx.com (removed to protect users privacy - DejaNET)
Subject: CFS SOP hours -------------------------------------------------->>>>>>THIS IS THE SUBJECT (DejaNET)
Date:  Mon, 23 Jul 2001 19:12:26 -0400
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed; boundary="----2CB5E333_Outlook_Express_message_boundary"
Content-Disposition: Multipart message

 Part 1.1
 Content-Type: text/plain; charset=ISO-8859-1 
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: message text

Hi! How are you?  ----------------------------------------------------------->>>>>>THIS IS THE HARMLESS TEXT PART (DejaNET)

I send you this file in order to have your advice

See you later. Thanks

   CFS SOP hours.xls.pif ------------------------------------------------>>>>>>>>THIS IS THE ACTUAL WORM ATTACHMENT (DejaNET)

 Content-Type: application/mixed; name="CFS SOP hours.xls.pif"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment; filename="CFS SOP hours.xls.pif"

-------------------------------------------------------------------
END OF EMAIL ONE (1)

START OF EMAIL NUMBER TWO (2)
-------------------------------------------------------------------

Return-Path: <xxxx@xxxx.com (removed to protect senders privacy by DejaNET)>
From: "xxxx@xxxx.com (removed to protect senders privacy by DejaNET)
To: xxxx@xxxx.com (removed to protect users privacy by DejaNET)
Subject: 25jun01  ------------------------------------------------------------>>>>>>THIS IS THE SUBJECT (DejaNET)
Date: Thu, 19 Jul 2001 18:32:27 -0700
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed; boundary="----394B85A2_Outlook_Express_message_boundary"
Content-Disposition: Multipart message
X-Mozilla-Status2: 00000000

   Part 1.2.1.1

Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text

Hi! How are you?  ------------------------------------------------>>>>>>THIS IS THE HARMLESS TEXT PART (DejaNET)

I send you this file in order to have your advice

See you later. Thanks

   25jun01.xls.bat ------------------------------------------------>>>>>>>>THIS IS THE ACTUAL WORM ATTACHMENT (DejaNET)

Content-Type: application/mixed; name=25jun01.xls.bat
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=25jun01.xls.bat

-------------------------------------------------------------------
END OF EMAIL TWO (2)

START OF EMAIL NUMBER THREE (3)
-------------------------------------------------------------------

Return-Path: <xxxx@xxxx.com (removed to protect senders privacy by DejaNET)>
From: "xxxx@xxxx.com (removed to protect senders privacy by DejaNET)
To: xxxx@xxxx.com (removed to protect users privacy by DejaNET)
Subject: Document1 ------------------------------------------------------------>>>>>>THIS IS THE SUBJECT (DejaNET)
Date: Mon, 23 Jul 2001 20:06:39 -0400
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed; boundary="----60957305_Outlook_Express_message_boundary"
Content-Disposition: Multipart message
X-Mozilla-Status2: 00000000

   Part 1.2.1.1

Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text

Hi! How are you?  ------------------------------------------------>>>>>>THIS IS THE HARMLESS TEXT PART (DejaNET)

I send you this file in order to have your advice

See you later. Thanks

   Document1.doc.bat ------------------------------------------------>>>>>>>>THIS IS THE ACTUAL WORM ATTACHMENT (DejaNET)

Content-Type: application/mixed; name=Document1.doc.bat
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=Document1.doc.bat

-------------------------------------------------------------------
END OF EMAIL THREE (3)

Notice in each of these three emails that the subject and the worm attachment all have different names.  They all have different sizes too.  This is why this worm is very difficult to detect by eye.
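
What does stay constant across the samples above is the shape of the attachment name: a document extension followed by an executable one.  The following is an added example (not part of the original DejaNET alert) showing how a mail filter could flag that pattern.  The extension lists come from the filenames on this page; the function names, the benign "budget.xls" control and the test messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions taken from the filenames and examples on this page.
EXECUTABLE = {"pif", "bat", "com", "exe"}   # what Windows will actually run
DECOY = {"xls", "doc", "jpg", "zip"}        # what the recipient is meant to see


def double_extension_attachments(raw_message: str) -> list[str]:
    """Return attachment filenames of the form name.<decoy>.<executable>."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename=, falling back
        # to the Content-Type name= parameter; both appear in the samples.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them first.
        pieces = name.lower().rstrip(". ").rsplit(".", 2)
        if len(pieces) == 3 and pieces[1] in DECOY and pieces[2] in EXECUTABLE:
            flagged.append(name)
    return flagged


def build_sample(subject: str, filename: str) -> str:
    """Constructed test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Hi! How are you?\n\nSee you later. Thanks\n")
    m.add_attachment(b"constructed placeholder, not a real payload",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subject, fname in [("CFS SOP hours", "CFS SOP hours.xls.pif"),
                           ("25jun01", "25jun01.xls.bat"),
                           ("Document1", "Document1.doc.bat"),
                           ("budget", "budget.xls")]:  # benign control, constructed
        hits = double_extension_attachments(build_sample(subject, fname))
        print(f"{fname!r}: {'FLAG' if hits else 'ok'}")
```

A filter like this keys on the filename only, so it complements an antivirus scan of the attachment contents rather than replacing it.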

If you receive a copy of this in your email, DELETE IT and DO NOT PASS IT ON AND DO NOT OPEN THE ATTACHMENT!  If you do not open the attachment, then you will not get infected!!!  You also might want to notify the sender that they have a virus/worm and give them a link to this page for more help.  DO NOT FORWARD THE WORM BACK TO THEM OR TO ANYONE ELSE!

If you did open the attachment or fear someone else using your computer may have done so, you can download and run the FREE removal tool from Symantec.  This tool will tell you if your machine was infected or not and if it was, it will remove the worm from your machine.  You can download it and read more about it here: 

http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html

Once again, keeping your antivirus definitions up to date and only downloading files from the original sources are the ONLY WAY to protect yourself from ANY virus.

You may also visit the following links for more detailed info on this worm as well as removal instructions:

 http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html

 http://www.zdnet.com/zdhelp/stories/main/0,5594,2776123,00.html

http://www.mcafee.com/anti-virus/viruses/sircam/default.asp?cid=2360

UPDATE: July 23, 2001 9:06PM EST
As I was writing this page, yet another email containing this worm came in.  Below is a full copy.

START OF EMAIL NUMBER FOUR (4)
-------------------------------------------------------------------
Return-Path: <xxxx@xxxx.com (removed to protect senders privacy by DejaNET)>
From: "xxxx@xxxx.com (removed to protect senders privacy by DejaNET)
To: xxxx@xxxx.com (removed to protect users privacy by DejaNET)
Subject: creditcards    ------------------------------------------------------------>>>>>>THIS IS THE SUBJECT (DejaNET)
date: Mon, 23 Jul 2001 20:11:25 -0400
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed; boundary="----07E9A4C5_Outlook_Express_message_boundary"
Content-Disposition: Multipart message

------07E9A4C5_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text

Hi! How are you=3F   ------------------------------------------------>>>>>>THIS IS THE HARMLESS TEXT PART (DejaNET)

I send you this file in order to have your advice

See you later=2E Thanks

------07E9A4C5_Outlook_Express_message_boundary
Content-Type: application/mixed; name=creditcards.xls.com   ---->>>>THIS IS THE ACTUAL WORM ATTACHMENT (DejaNET)
Content-Transfer-Encoding: base64
Content-Disposition: attachment;  filename=creditcards.xls.com

-------------------------------------------------------------------
END OF EMAIL FOUR (4)
 

UPDATE: July 24, 2001 11:50PM EST
Eight (8) more emails containing this worm were received by DejaNET today.  Please pass this alert page on to your friends and family and encourage them to protect themselves from passing this worm.  This worm is dangerous as well as annoying.  Also, after more reading up on this worm, I have also determined that this worm generally only affects users of Microsoft Internet Explorer and Outlook Express, 98, or 2000.  This worm can also retrieve email addresses from the Windows Address Book used by these applications.  This does not leave out AOL users 100% who DO use IE in the background as their browser within AOL.  The worm can still work with AOL users via the Internet pages that are cached on their machine.  This will also affect users who use both Netscape and IE.  The people who will be worst hit by this worm are those who host a web site and have an email address of sorts on their web page - they will be on the receiving end of this worm to the greatest degree.  Also please be alerted to the fact that the subject name as well as a portion of the file that this worm sends out is a legitimate file from your desktop or the MyDocuments folder of your system that CAN BE VIEWED IN FULL by a stupid user who receives your email sent via the worm.  THIS COULD EXPOSE YOUR PERSONAL INFORMATION AND/OR FILES TO ANYONE ON THE INTERNET whose site you view or email address you have stored in your Windows Address Book!  DejaNET is currently in the works of attempting to plan a strategy for dealing with this worm and the emails it generates for our customers as well as visitors. 

I'll say this once again after repeating this hundreds of times over the years to customers, potential clients, and anyone I have run across who wants to talk about computers: Use Netscape for browsing and email and use window washer to clean your cache and temporary/recycled/hidden files and use Norton AntiVirus and YOU WILL NOT BE AT RISK unless you foolishly open an attachment received in your email!!!!!!!!!! 

NEVER OPEN EMAIL ATTACHMENTS - ESPECIALLY THOSE WITH DUAL EXTENSIONS!!!! 

If this advice was heeded, this would not be an issue...but as usual, it is...

I will update this page as more info comes in.  This is a pesky and dangerous worm and will be around for a while; DejaNET has already determined this by the speed this worm has passed around so far (it's only been around 1 week or so).  Be sure to check back often for any updates.  Current DejaNET web hosting and email customers will receive an email regarding this issue soon.

UPDATE: August 03, 2001 11:25PM EST
So far, over 280 emails have come in to DejaNET containing the SirCam Worm.  The largest were 192 from a major realty company located in Georgia and the second largest (which is our current problem now at 63) was a person in New York (we have spoken to them over the telephone and hopefully will have this one wrapped up tonight).  The usual response we get when contacting these people is that they had no clue they had it or that their computer was sending these emails out.  All we have contacted so far have been very friendly, and very eager to resolve the issue.

This virus/worm is spreading very rapidly and is the worst virus event that we have seen (we only received a couple of the Love Bug or Melissa virus).  Also, another major notice is the fact that the Symantec update for Norton Antivirus 2000/2001 did not work correctly.  Symantec has made one update available last Thursday, along with one this past Wednesday, Thursday, and today - Friday.  PLEASE BE SURE TO UPDATE YOUR VIRUS DEFINITIONS AND THEN DO IT AGAIN!  I have found that the updates for Norton 2001 do not always complete in one download.  Do it again and see if there is another - if not it will simply say "There are no more updates".

I'd also like to take a moment to respond to a little paranoia I've heard from a couple of people.  You can NOT get this virus from just reading a web page unless some fool has posted it to a web page and YOU DOWNLOAD IT AND TRY TO VIEW IT!  This virus/worm works by silently emailing itself out in the background without your knowledge.  When it arrives in another person's mailbox, IF YOU CLICK ON THE ATTACHMENT (the one with dual extensions such as nakedpics.jpg.exe, dontclickme.doc.bat, tetris.zip.pif, etc) THEN YOU WILL GET THE VIRUS/WORM.  THAT IS HOW THIS WORKS AND THE ONLY WAY!  The second part of the name is the part you should be looking at - that is what the file actually is - in our example, nakedpics.jpg.exe, you might be led to believe this is a picture, but wait, the real file extension (the second part) is the .exe which is a program.  Oh yes, you will see a naked picture of some sort, BUT, you will also be running an executable (.EXE) program which is the virus, at the same time.  Please re-read this page and the links on it if you do not understand this.  It is the ignorant who propagate such problems as this.  This web site is here for the education of our users and visitors.  This effort is to hopefully encourage people to understand their systems more and be able to help their friends who do not know much.  Just because we have taken the time to report that we have received this virus numerous times in our mailboxes does not mean that our web sites are affected - just the certain mails sent by certain people visiting our web sites.  We are receiving these viruses/worms due to the fact that people who already have this worm are visiting our web sites and plucking our email addresses from the bottom of the web pages.  We actively use Norton Antivirus to scan our systems and emails (and have for the last 7 years - even way back in the days of our BBS) as they come in and this is how we know about the viruses.  
Also, if you received this warning (looked exactly like this-hmmm) and you decided not to visit the web site for fear of catching a virus - well you are a fool.  I will once again say it - this is passed on in email not web pages.  Guess what the email was that you received - this web page - direct from our web server - which automatically popped up in your web browser.  Enough said on that...

Here are a few more updated links for you all to follow - you'll also like the one about the Ukrainian president getting and spreading the SirCam worm also.  PLEASE NOTICE - Symantec has also released a new Windows version of the Sircam Worm Removal Tool.  It's still available at the same link above (and I'll repeat it here again), but just be sure to scan your system with this new tool - even if you scanned with the old DOS based one.

http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html

http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html - UPDATED August 3, 2001 1:44PM PDT

Sircam Worm: Crawling Fast but Easily Crushed - IDG Net

'Sircam' virus eludes Symantec update - CNN July 30, 2001 Posted: 1:52 p.m. EDT (1752 GMT)

World leader latest victim of 'Sircam' virus - CNN August 3, 2001 Posted: 7:24 AM EDT (1124 GMT)

SirCam still sliming in-boxes - ZD-Net / Netscape August 2, 2001

Symantec Top Virus/Security Threats - http://www.sarc.com/
 


 
Last Modified: 08/03/2001
Copyright 2001 DejaNET Communications
"You will notice no email address here as usual...hehehe...we've gotten enough emails containing this worm"