
SirCam FAQ


What is SirCam?

SirCam is a malicious program with characteristics of a worm--a
self-propagating piece of destructive code--and a virus, a malicious
program that attaches itself to other files. It also has qualities of a
"Trojan horse" in that it poses as a harmless file.

How can I tell if a message I receive is infected by SirCam?

All SirCam messages arrive with an attachment and an e-mail subject
line, but these are different for every SirCam message. That's because
each time the SirCam worm infects a computer, it randomly plucks a
document from that computer and sends itself out with the document
attached--drawing the e-mail subject line, and the name of the
attachment itself, from the title of the pilfered document.

Each virus-carrying message contains the same text in the body of the
message, however. The first and last lines are "Hi! How are you?" and
"See you later. Thanks" in the English version of the message and "Hola
como estas?" and "Nos vemos pronto, gracias" in the Spanish version.

How dangerous is SirCam?

The main threat posed by the worm is possible security breaches from its
propagation method. By attaching randomly chosen documents to itself,
the worm could share confidential information with others.

SirCam also can perform several destructive acts based on a combination
of arcane PC settings and chance. If the infected PC uses the European
date format (day/month/year), for example, there is a 1-in-20 chance the
worm will delete all files and folders on that computer's hard drive on
Oct. 16.

Who can be infected?

Any PC running Windows 95, Windows 98, Windows Me, Windows 2000 or
Windows NT. Due to an apparent flaw in the worm, however, SirCam cannot
replicate itself on Windows 2000 and Windows NT systems.

What should I do if I receive an infected message?

Delete the message, then check to see if your PC is infected. Locating
and removing the infection on your own is a relatively complex process,
as detailed in a McAfee document.

The easier approach is to use the automated SirCam detection and removal
tool available for free downloading from antivirus-software maker
Symantec.

How can I keep SirCam messages from flooding my mailbox?

If your Internet or e-mail service provider screens incoming messages,
your mailbox should be safe, although Hotmail users have reported that
the service's virus filters have failed to catch SirCam.

Those who use unfiltered services--and unlucky Hotmail users--are on
their own. Install antivirus software on your PC, keep it updated, and
set it to screen your e-mail, so that infected messages at least won't
be able to deliver their payload.

Most e-mail programs also allow you to set up rules for incoming
messages. Using a tool such as the Rules Wizard in Microsoft Outlook,
for instance, you could set up a rule that all incoming messages with
the body text "See you later. Thanks" are moved to a separate folder,
where you can easily delete any suspicious entries.
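
The same screening can be scripted on a mail server or over a saved mailbox. The sketch below is an added example, not part of the original FAQ or of any vendor's tool: it checks a raw message for the first and last body lines quoted above, for an attachment, and for a subject that matches the attachment name. The function names, the sample messages and the assumption that the attachment file name begins with the subject text are all constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# First and last body lines quoted in the FAQ (English, then Spanish).
MARKERS = [("Hi! How are you?", "See you later. Thanks"),
           ("Hola como estas?", "Nos vemos pronto, gracias")]

def body_lines(msg):
    """Non-empty lines of the first text/plain part that is not an attachment."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "latin-1", "replace")
            return [ln.strip() for ln in text.splitlines() if ln.strip()]
    return []

def sircam_indicators(raw_message):
    """Return which of the FAQ's indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw_message)
    lines = body_lines(msg)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    subject = (msg.get("Subject") or "").strip().lower()
    hits = []
    if lines and any((lines[0], lines[-1]) == pair for pair in MARKERS):
        hits.append("body-markers")
    if names:
        hits.append("attachment")
    # Assumption: the attachment file name starts with the subject text.
    if subject and any(n.lower().startswith(subject) for n in names):
        hits.append("subject-matches-attachment")
    return hits

def quarantine(raw_message):
    """Body text alone is weak evidence; require it together with an attachment."""
    hits = sircam_indicators(raw_message)
    return "body-markers" in hits and "attachment" in hits

def build_sample(subject, body, attachment=None):
    """Build a constructed test message (placeholder bytes, not a real sample)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

SUSPECT = build_sample("Budget2001", "Hi! How are you?\n(constructed text)\n"
                       "See you later. Thanks\n", "Budget2001.doc")
BENIGN = build_sample("Lunch", "Running late today.\nSee you later. Thanks\n")
```

Unlike a rule that matches "See you later. Thanks" anywhere in the body, this check leaves the constructed BENIGN message alone because its first line differs and it carries no attachment.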

What will happen to the creator of SirCam?

Probably nothing. An FBI representative said Monday that she was not
aware of any SirCam-related investigation. Usually only the most
destructive viral outbreaks, such as the Love Letter epidemic, generate
significant law-enforcement attention.

