Sircam worm spreads as vendor upgrade warnings

Since first being reported last Tuesday, the W32.Sircam.worm computer virus has been infecting e-mails across the Internet and spreading rapidly, enticing unknowing recipients to open an attached file that can unleash a vicious electronic attack on their PCs.

The dissemination of the worm has occurred so quickly that antivirus vendor Symantec Corp. today upgraded its security warning about the virus, giving it a Category 4 “severe” rating, up from a Category 3 “moderate” level on a scale of one to five.

The Sircam worm carries an executable file that, if clicked upon, unleashes an attack on the recipient’s PC. The damage sometimes includes the deletion of all files and directories on the C: drive and system performance degradation as hard-drive space is filled by errant code carried by the worm, according to Symantec’s Antivirus Research Center in Santa Monica, Calif.

The worm borrows a random document from the infected PC and uses that file in the subject line of e-mails it then sends to people in the user’s address lists.

Greg Shipley, a security consultant at consulting services firm Neohapsis Inc. in Chicago, said the proliferation of the worm increased dramatically over the weekend. “It’s spreading quickly, and anything that’s spread quickly is a concern,” he said.

Pete Lindstrom, a security analyst at Hurwitz Group Inc. in Framingham, Mass., said the worm is spreading because no matter how many times users are told not to open e-mailed executable file attachments from people they don’t know, curious recipients open the attachments, allowing viruses to infect their machines and networks.

“There’s too much cutesie-wootsie stuff out there” that e-mail recipients want to check out, Lindstrom said. “The lesson here is you can’t expect users to learn. There’s too much fun going on out there on the Internet.”

Instead, he said, the onus for protecting against such attacks should increasingly be placed on system e-mail administrators, who can do more to protect users from their own curiosity.

“If e-mail administrators aren’t stopping it at the gateway” by plugging known security holes or using software that can detect and defend against such attacks, “then it’s dereliction of duty on the e-mail administrator’s side,” Lindstrom said.

Ken Dunham, an analyst with Tangerine in Menlo Park, Calif., said the worm could be particularly dangerous to corporate networks because it replicates quickly and can clog servers with outgoing mail. Dunham said he’s seen Sircam attachments as large as 107 KB, which when replicated across large mailing lists in address books inside companies can cause overloads that can quickly slow or crash servers.

“It can cause a denial of service (DOS) or distributed DOS attack,” he said. “You can run into real problems with that.”

Another problem, he said, is that commercial antivirus scanning engines are apparently not always identifying the worm as harmful. “Not all of them are working,” he said. To best fight the attacks, he said, user education is critical. “It only takes one user to mess it up,” he said.

Even more important, Dunham said, is the need to maintain multi-level lines of defense in corporate networks, including firewalls and multiple antivirus software packages at the gateway, groupware and client.
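The gateway-side control Lindstrom and Dunham describe (stopping executable attachments before they reach the user) can be sketched in a few lines. The following is an added example written for this article, not code from Symantec, CERT or any vendor named here; the extension list is an assumption chosen for illustration, and the sample message is constructed, with its subject taken from the attached file name in the way the article describes.

```python
import email
from email import policy
from email.message import EmailMessage

# Illustrative gateway policy (an assumption for this example, not any vendor's list):
# attachment extensions that should never be delivered unexamined to end users.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "pif", "scr", "lnk", "vbs"}


def is_executable_name(filename):
    """Return True if any extension in the attachment name is executable.

    Every dotted suffix after the base name is checked, so a disguised double
    extension such as "report.doc.exe" is caught as well as a plain "run.exe".
    This deliberately errs toward quarantining; an administrator can release
    a false positive, but cannot un-deliver a worm.
    """
    suffixes = filename.lower().split(".")[1:]
    return any(s in EXECUTABLE_EXTENSIONS for s in suffixes)


def build_message(filename, payload):
    """Construct a sample message with one attachment (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    # Worm-style subject: the name of the borrowed document, as the article describes.
    msg["Subject"] = filename.rsplit(".", 1)[0]
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


def gateway_verdict(raw_bytes):
    """Parse a raw message as a gateway would and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_executable_name(name):
            flagged.append(name)
    return {
        "quarantine": bool(flagged),   # True means hold the message for review
        "flagged": flagged,            # attachment names that tripped the policy
        "subject": str(msg["Subject"]),
    }


# Constructed sample: a payload about the 107 KB size mentioned in the article.
SAMPLE_RAW = build_message("Budget.doc.exe", b"\x00" * 107 * 1024).as_bytes()

if __name__ == "__main__":
    print(gateway_verdict(SAMPLE_RAW))
```

A real gateway would combine this name-based rule with content inspection (the article notes that scanning engines did not always recognise the worm), and the same check is worth repeating at the groupware and client layers so that one missed message does not reach an inbox.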

Antivirus vendors, including F-Secure Corp. in Espoo, Finland, and Sunnyvale, Calif.-based McAfee Corp., posted alerts on their Web sites about the Sircam worm, as did the Pittsburgh-based CERT Coordination Center.