Virus Alert - W32.Sircam.Worm


Press Release : Chennai - 20, July, 2001

A Worm Sircam with multiple facets has begun its spread. This worm picks up a random document from the My Documents directory and appends itself to the file and sends this to all the addresses in the e-mail address book. My Documents is the directory where document files are mostly stored. Thus users have the vulnerability of their important documents/confidential information being exposed - a clear security breach. Further on October 16th this worm will delete all the files in the C drive. Also this worm has a 1 in 33 chances of filling all remaining space on the hard disk by adding text to the file c:\recycled\sircam.sys at each startup.

This worm arrives as an e-mail message with a random subject. This could be the same as the attachment in the e-mail. The Message would start as "Hi! How are you?" and ends with "See you later. Thanks." The worm picks up a random document from the "My Documents" directory, Appends itself to it, Adds any one of the following extension - .BAT, .EXE, .COM, or .PIF (eg. Financials.DOC.EXE). This new file is then mailed to all the addresses that the worm collects from the Address book and .HTML files found in the system.

When the user opens an infected file that arrives by e-mail, the worm would infect the system and then would open the document file that arrived from the infected system. Hence the user will be unaware that an infection has taken place. The worm change certain registry entries to make sure that it is first executed whenever any EXE file is run in the system. Because of this changes, deleting the worm file would render the system unusable. Hence a fix for this provided in the web site The company warns users not to open any such attachments and if the systems are already infected users are advised first to change the registry entries before deleting the worm files