F-Secure warns of Sircam worm

Helsinki, Finland - July 24, 2001

F-Secure Corporation (HEX:FSC) is alerting computer users worldwide about a new, rapidly spreading e-mail worm called Sircam. Sircam is a mass mailing e-mail worm with the ability to spread through Windows Network shares. F-Secure anti-virus detects and disinfects the worm.

The worm was found in the wild on July 17 in the USA. After that the worm has been spreading globally. In addition of USA, infections have been reported in Asia, South America, India and Europe. Northern Europe and Scandinavia have been spared the worst hits because of the holiday season in these countries.

When a Sircam-infected e-mail attachment is opened it shows the document it picked up from the sender's machine. The file is displayed with the appropiate program according to its extension (.DOC, .XLS, .ZIP). This effectively disguises the worm's activity. While the user is checking the document, the system gets infected.

The worm collects e-mail addresses from the user's Windows Address Book and then sends itself out with one of the document files it found in the user's 'My Documents' folder. The message the system sends may be either in English or in Spanish.

"This is an e-mail worm that is not Windows Outlook-specific," says Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "Instead, this worm makes use of its own e-mail sending system. This makes it much more liable to spread."

The worm has two payloads. On October 16 it may delete everything from the drive where Windows is installed. Or, on any other day it may fill up the drive where Windows resides. It may also use Windows network shares to spread.

The technical description and screenshots of the Sircam worm are available online at: http://www.f-secure.com/v-descs/sircam.shtml