SirCam Virus
The SirCam worm was first discovered in the wild on July
17th, 2001. Since that time, it has spread incredibly quickly,
jumping up to the top ten threats within a matter of days. At
the time of this writing in September, 2001, SirCam is still
rated the number 2 virus threat on the internet.
This worm takes advantage of the Microsoft Outlook (and
Outlook Express) "feature" known as email scripting, combined
with clever social engineering. What happens is a person
receives an email with a random subject from someone that he
knows or has corresponded with. The message has an attachment
(chosen randomly from the victim's computer system) which, if
opened, causes the virus to be executed.
It is very possible that even a careful user may be tricked
into opening the attachment if he has "Hide file extensions
for known file types" enabled, because the real extension is
then hidden from view. Thus, the user might see what looks like
a "PDF" file when it is actually an "EXE" file. It is generally
a good idea to always turn off "Hide file extensions for known
file types" so you actually see what you are opening.
Here's how the virus works.
- A person (let's call her Judy) receives an email with a title like "confidential payroll report". Of course she's intrigued and opens the attachment. The interesting thing about this virus is (as I understand it) the attachment is an actual document which can be viewed. This makes it more difficult to determine that you have been infected.
- Judy's system is now infected.
- All files on the C partition are deleted if the date is October 16 and the system is using D/M/Y as the date format, or if the attached file contains "FA2" not followed by "sc".
- Under certain conditions the C drive may be filled as SirCam adds text to c:\recycled\sircam.sys.
- The worm sends copies of itself with a random file attachment. The worm is appended to the attachment. SirCam has its own SMTP engine, so it sends the copies itself. The attachment will have an extension of .bat, .com, .lnk, or .pif. The worm is 134kb long, so the attachment will be the length of the document plus 134kb.
- The email addresses are taken from all *.wab (Windows Address Book) files in the %SYSTEM% folder. In addition, the internet cache is searched for web pages containing email addresses.
- SirCam also searches for shared drives. If it finds any, it scatters copies of itself all over the drive.
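The two points above that matter most for defenders are the hidden-extension trick and the worm's choice of executable extensions (.bat, .com, .lnk, .pif). The following is an added example, not code from the original page or from any antivirus vendor: it parses an email message, pulls out the attachment file names, flags names whose final extension is executable while an inner extension looks like a document, and shows the name as Explorer would display it with "Hide file extensions for known file types" turned on. The sample message is constructed, the list of executable extensions is extended beyond the page's four with other common Windows executable types, and the list of "document-looking" extensions is an assumption for the sake of the example.

```python
from email import message_from_string

# Extensions SirCam used for its attachments (.bat, .com, .lnk, .pif),
# extended here with a few other Windows executable types. Assumption:
# the page itself names only the first four.
EXECUTABLE_EXTS = {"bat", "com", "lnk", "pif", "exe", "scr", "vbs"}

# Document-looking extensions that a disguised name may carry as its
# inner extension, e.g. "report.doc.pif". Assumed list for this example.
DOCUMENT_EXTS = {"doc", "xls", "pdf", "txt", "zip", "jpg"}


def displayed_name(filename: str) -> str:
    """Return the name as Windows Explorer shows it when 'Hide file
    extensions for known file types' is on: the final extension of a
    known type is dropped, so 'report.doc.pif' appears as 'report.doc'."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return base
    return filename


def classify_attachment(filename: str) -> dict:
    """Flag an attachment name that is executable and, worse, one whose
    inner extension makes it look like a harmless document."""
    parts = filename.lower().split(".")
    outer = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    executable = outer in EXECUTABLE_EXTS
    return {
        "filename": filename,
        "displayed_as": displayed_name(filename),
        "executable": executable,
        "disguised_document": executable and inner in DOCUMENT_EXTS,
    }


def scan_message(raw: str) -> list:
    """Parse a raw RFC 822 message and classify every attachment in it."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, no attachment of its own
        name = part.get_filename()
        if name:
            findings.append(classify_attachment(name))
    return findings


# Constructed sample message: subject modelled on the page's example,
# with an attachment whose name carries a document-looking inner extension.
SAMPLE_MAIL = """\
From: judy@example.invalid
To: someone@example.invalid
Subject: confidential payroll report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

See attached.
--B1
Content-Type: application/octet-stream; name="payroll report.doc.pif"
Content-Disposition: attachment; filename="payroll report.doc.pif"
Content-Transfer-Encoding: base64

AAAA
--B1--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MAIL):
        print(finding)
```

A mail gateway or desktop filter applying `classify_attachment` would have flagged every SirCam attachment on its outer extension alone; the `displayed_as` field is what the user sees when extensions are hidden, which is exactly why the page recommends turning that setting off.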
One of the interesting facts about this worm is that unless
it causes damage, you may never know that you are infected!
The worm will just keep sending. If you've got plenty of disk
space, it will just slowly or quickly get filled up by the
temporary files used by the emailing routine.
To prevent this worm you have to be careful with your email.
- I would highly recommend that all home Outlook users install the Microsoft Outlook Security patch. This will remove the possibility that this kind of virus can be opened.
- Install and maintain an antivirus program.
- Do not open any suspicious attachments (although the Outlook patch and the antivirus program should take care of this).