IDG News Service, Buenos Aires Bureau
BUENOS AIRES, 07/23/2001
As of this writing, my computer's trash can contains 18 messages from 13 people that I have received since July 17 carrying the Sircam worm, in its various guises, in both English and Spanish. As I have already said in a previous story, I am not particularly fond of antivirus software and, although I realize its importance and usefulness, I do not keep an antivirus program permanently active on my system. It would not have been useful in this case, as the virus spread more rapidly than the antivirus countermeasures, as often happens. What I do rely on is the golden rule of not opening messages from unknown senders, or messages with unexpected attachments.
This time, however, I confess I had a hard time resisting the temptation. This worm employs such a variety of deceptive techniques that even wary and vigilant computer users may fall for it.
First trick: the worm is bilingual. If you live in an English-speaking country, you will probably receive its English version. If you live in Latin America or Spain, you will probably get the Spanish version. This is only a statistical tendency, as the Internet knows no national or language boundaries, but it does increase the worm's chances of spreading. I have a top-level (not national) e-mail address, and my trash can holds 8 messages in English and 10 in Spanish, a fairly proportional distribution for such a small sample.
Second trick: the worm is loquacious. Besides being bilingual, each time it reproduces the worm displays a different set of catchy, click-inducing phrases: "I send you this file in order to have your advice", "I hope you can help me with this file that I send", "This is the file with the information that you ask for", or a few others. It is easy to catch, however, if you know this: the first and the last line of the body are always the same, "Hi! How are you?" and "See you later. Thanks." Casual enough, though, to make you think they come from an old acquaintance.
Third trick: a different subject line and attachment each time. This is probably the most deceptive and one of the most dangerous features of this cunning worm. Each time it sends itself, the worm selects a different file from the infected machine and prepends its own code to it. It then copies the file name (without extension) into the subject line. My trash can contains four messages from a certain Johana C., each with a different attachment and subject line: "CK", "Jobs and Professions", "Tegucigalpa", "Cooperativa".
Fourth trick: this one is already well known, as it has been used by a variety of worms since the infamous "Love Letter" one. The worm keeps the file's innocent-looking extension (.txt, .jpg or .doc) and appends an executable extension of its own: .exe, .lnk, .com or .pif. Windows Explorer hides the extension of known file types by default, so the dangerous outer extension is often not displayed at all and the attachment looks like a plain document, which invites the fatal click on the infected file.
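The second, third and fourth tricks together give a mail gateway something concrete to check for. The following Python script is an added example, not code from the article or from any antivirus vendor: it scores a message on the fixed opening and closing body lines, on a subject line that equals the attachment's base name, and on a document extension followed by an executable one, and it shows what Windows Explorer displays when known extensions are hidden. The messages it runs over are constructed for the example; the Spanish fixed lines are not quoted in the article, so only the English ones are checked, and the quarantine threshold is the example's own choice.

```python
"""Heuristic checks for Sircam-style mail (added example; constructed samples)."""
import re
from dataclasses import dataclass

# Fixed first and last body lines quoted in the article (English version only;
# the Spanish equivalents are not quoted there and would be added to these sets).
OPENING_LINES = {"Hi! How are you?"}
CLOSING_LINES = {"See you later. Thanks."}

# Inner "innocent" extensions and outer executable extensions named in the article.
DOCUMENT_EXTS = {"txt", "jpg", "doc"}
EXECUTABLE_EXTS = {"exe", "lnk", "com", "pif"}

DOUBLE_EXT_RE = re.compile(r"^(?P<stem>.+)\.(?P<inner>[A-Za-z0-9]+)\.(?P<outer>[A-Za-z0-9]+)$")


@dataclass
class Message:
    subject: str
    body: str
    attachments: list  # attachment file names as given in the MIME headers


def split_double_extension(filename):
    """Return (stem, inner, outer) for names like 'Report.doc.pif', else None."""
    m = DOUBLE_EXT_RE.match(filename)
    if m is None:
        return None
    return m.group("stem"), m.group("inner").lower(), m.group("outer").lower()


def is_masquerading(filename):
    """True when a document-looking extension is followed by an executable one."""
    parts = split_double_extension(filename)
    return parts is not None and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS


def windows_display_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on: the final
    extension is dropped, so 'Report.doc.pif' is displayed as 'Report.doc'."""
    return filename.rsplit(".", 1)[0] if "." in filename else filename


def original_stem(filename):
    """File name without its extension(s): for a masquerading name both the
    executable and the document extension are removed, otherwise just the last one."""
    if is_masquerading(filename):
        return split_double_extension(filename)[0]
    return windows_display_name(filename)


def sircam_indicators(msg):
    """List the Sircam-style traits present in a message."""
    found = []
    lines = [ln.strip() for ln in msg.body.splitlines() if ln.strip()]
    if lines and lines[0] in OPENING_LINES:
        found.append("fixed-opening-line")
    if lines and lines[-1] in CLOSING_LINES:
        found.append("fixed-closing-line")
    for name in msg.attachments:
        if is_masquerading(name):
            found.append("double-extension:" + name)
        if msg.subject.strip().lower() == original_stem(name).lower():
            found.append("subject-equals-filename:" + name)
    return found


def is_suspicious(msg):
    """Quarantine rule (the example's own threshold): any masquerading attachment
    on its own, or at least two of the softer indicators together."""
    found = sircam_indicators(msg)
    return any(f.startswith("double-extension:") for f in found) or len(found) >= 2


# Constructed samples: the first mimics the article's description (subject
# "Tegucigalpa", borrowed .doc file, .pif appended); the second is ordinary mail
# that happens to open with the same greeting.
SAMPLES = [
    Message(subject="Tegucigalpa",
            body="Hi! How are you?\nI send you this file in order to have your advice\nSee you later. Thanks.",
            attachments=["Tegucigalpa.doc.pif"]),
    Message(subject="Q3 numbers",
            body="Hi! How are you?\nAttached are the numbers we discussed.\nBest,\nAna",
            attachments=["q3_numbers.xls"]),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg.subject, "->", sircam_indicators(msg),
              "QUARANTINE" if is_suspicious(msg) else "deliver")
```

A document extension followed by an executable one is enough on its own to quarantine; the body-line and subject heuristics are weak individually (ordinary mail opens with greetings too, as the second sample shows), which is why the rule requires two of them before acting.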
The virus spread
The worm has several names: Sircam.A, W32/Sircam, or Sircam.worm@mm. According to security experts, the virus continues to spread at an alarming rate through the Internet. It was first discovered on July 17. By now the infection has reached about 95 countries and many hundreds of thousands of machines. Symantec has raised Sircam's threat level from 3 to 4 because of the increased rate of submissions, according to Symantec's web site. A Monday report from the e-mail scanning provider MessageLabs anticipates continued growth, mainly in the Americas, Great Britain and Spain.
Security expert Bernardo Quinteros, head of the Spanish site Hispasec, reports that "the virus is having an especially high incidence in Spanish-speaking countries, helped by the fact that it 'speaks Spanish', and the infection rate is now higher than that of the well known Hybris and Magistr worms".
The virus payload
The worm's malicious payload is rather dangerous, especially for users of the international date format (day/month/year), as it is programmed to "consider" erasing the entire contents of the victim's C drive on a fixed date: July 16, according to Quinteros, or October 16, according to the Symantec web site. There is a 1 in 20 chance of this actually happening, as the cunning worm "throws the dice" (that is, it runs a randomizer routine) on the designated date to decide whether or not to erase the disk. The fact that the erase action is, for now, limited to systems using the day/month/year date format reinforces the suspicion that the worm was created in a Spanish-speaking country. This limitation could, however, be "fixed" in a later version of the worm, increasing its danger.
The worm presents other dangers for all infected machines:
1. Overload on SMTP (mail) servers. Because the worm picks any of the victim's files at random, very large files are often transmitted, which can clog up networks. According to MessageLabs, "because this worm attaches a file of arbitrary length to itself, it can cause denial of service attacks on the message recipient. [...] This results in large files being mailed out by the worm, causing bandwidth problems for sender and receiver. The largest file we have stopped so far was 107 MB."
2. Compromised confidentiality. The worm's behavior spreads any kind of file, including highly confidential ones, chosen at random from the infected machine. Quinteros says: "I have personally received samples containing sensitive corporate files, which are very easy to display. It is only necessary to remove the virus code that is inserted at the beginning of the file in order to get the original file back."
3. Hard drive congestion. After reproducing itself many times, the worm enters a self-replicating mode on the same computer that slowly fills up the victim's hard drive. Eventually the whole system stops working.
4. Network congestion. The worm is "network aware": it can explore the drives of a local area network (LAN) and propagate itself to networked computers, even those that are not directly connected to the Internet.
5. Extensive changes to the Windows registry. To control its own behavior, the worm creates a registry key of its own and modifies another so that it runs each time Windows starts and is invoked whenever an executable file is opened. Deleting the worm's file without repairing that second key therefore leaves Windows unable to start programs, which is what the following case shows. "When I realized what was happening I immediately downloaded the Norton updates and eliminated the virus. But the havoc it wreaked is still there: I can open no programs, none, directly, but instead must click on files to start my programs," says Alan Hynds, a Mexico-based translator who opened the attachment on Sunday morning. "(I'll have) a technician come this afternoon to reformat my hard drive."
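Danger 2 above is worth following up on: the copy of the file that the worm mailed out is the victim's real document with the worm's code in front of it, so the recipient, or an incident responder, can get the document back. The Python below is an added example, not Hispasec's or the article's code. It assumes what Quinteros describes, that the worm body is prepended and the original file follows intact, and therefore carves from the first file-format signature found after the executable's header. A .txt file has no signature and cannot be recovered this way, which the function reports. The "infected attachment" it operates on is constructed inline from a dummy stub and a dummy document; no worm code is involved, and the file name used is only an illustration.

```python
"""Recover a document mailed out by a prepending worm (added example; constructed data)."""

# Signatures of the document types whose extensions the article says the worm
# borrows. Plain .txt has no signature, so it is deliberately absent.
SIGNATURES = {
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file (Word 97-2003)
    "jpg": b"\xff\xd8\xff",                       # JPEG start-of-image marker
}

DOS_HEADER_SIZE = 64  # never look for the signature inside the executable's own header


def inner_extension(filename):
    """'Tegucigalpa.doc.pif' -> 'doc'; None when the name has no double extension."""
    parts = filename.lower().rsplit(".", 2)
    return parts[-2] if len(parts) == 3 else None


def carve_original(data, claimed_ext):
    """Return the original file that follows the prepended worm body, or None.

    Assumption (from Quinteros' description): the attachment is worm body first,
    untouched original file second. We look for the signature of the format the
    inner extension claims and keep everything from there on.
    """
    sig = SIGNATURES.get((claimed_ext or "").lower())
    if sig is None:
        return None            # .txt or unknown type: nothing to anchor on
    if not data.startswith(b"MZ"):
        return None            # not a Windows executable: no prepended body
    offset = data.find(sig, DOS_HEADER_SIZE)
    return data[offset:] if offset != -1 else None


def recover(filename, data):
    """Convenience wrapper taking the attachment's name and raw bytes."""
    return carve_original(data, inner_extension(filename))


# Constructed sample: a dummy executable stub stands in for the worm body, and a
# dummy OLE2 document stands in for the stolen file. Not real malware.
DUMMY_WORM_STUB = b"MZ" + b"\x00" * 62 + b"[dummy stub, not worm code]" * 8
DUMMY_DOCUMENT = SIGNATURES["doc"] + b"board minutes - constructed sample content"
INFECTED_ATTACHMENT = DUMMY_WORM_STUB + DUMMY_DOCUMENT

if __name__ == "__main__":
    recovered = recover("Tegucigalpa.doc.pif", INFECTED_ATTACHMENT)
    print("recovered" if recovered == DUMMY_DOCUMENT else "failed",
          len(recovered or b""), "bytes")
    print("txt recoverable:", recover("Notes.txt.pif", INFECTED_ATTACHMENT) is not None)
```

Carving on a signature is a heuristic: it works because an OLE2 or JPEG header is very unlikely to appear inside an executable, but it cannot tell where the document ends, so the recovered bytes should be handled as untrusted input and opened only in an isolated environment.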
Prognosis
Worm and virus writers are continuously improving. The as yet unknown writer of Sircam has very cunningly combined effective programming with social engineering and bilingualism. Antivirus software, by its very nature, always arrives somewhat late. What else is in the works, lurking in the dark? We are in for a very nasty surprise one of these days.
The main antivirus vendors' websites have full descriptions of how to deal with this worm and how to remove it from infected machines. See http://www.mcafee.com or http://www.symantec.com/avcenter. For instructions in Spanish, see http://www.hispasec.com/unaaldia.asp?id=997