IDG News Service, Buenos Aires Bureau
BUENOS AIRES – 07/23/2001
The so-called Sircam.A or W32/Sircam worm continues spreading at an alarming rate through the Internet, according to security experts. The worm uses a combination of clever "social engineering" and programming techniques to propagate itself on a large scale. The malicious payload of the worm is rather dangerous, especially for users of the international date convention (day/month/year), as it is programmed to erase the entire contents of the victim's C drive on October 16.
The virus was first discovered on July 17. By now the infection has reached about 95 countries and many hundreds of thousands of infected machines, according to the experts. Symantec has upgraded the threat level of Sircam from 3 to 4 due to its increased rate of submissions, according to Symantec's web site. A Monday report from the specialized ISP MessageLabs anticipates continued growth in its spread, mainly in the Americas, Great Britain and Spain.
The rapid spread of the virus can be attributed to three main factors, according to the analysts:
1. The worm displays an attractive semi-random message that asks for the victim's opinion, for instance: "I send you this file in order to have your advice." In addition, the e-mail subject line is not fixed; rather, it displays the name of a randomly selected file from the infected victim's computer.
2. The worm displays messages in English or Spanish, according to its area of distribution.
3. The worm has its own e-mail (SMTP) routines that help its propagation, independently of the victim's mail client. It searches not only the traditional Outlook address book but also all HTML files on the computer, in order to compile a list of e-mail addresses for its own use.
According to MessageLabs, "because this worm attaches a file of arbitrary length to itself, it can cause denial of service attacks on the message recipient. [...] This results in large files being mailed out by the worm, causing bandwidth problems for sender and receiver. The largest file we have stopped so far was 107 Mb."
The main antivirus vendors' websites have full descriptions of how to deal with this worm and how to remove it from infected machines. See: http://www.mcafee.com or http://www.symantec.com/avcenter . For instructions in Spanish, see http://www.hispasec.com/unaaldia.asp?id=997