
BLU Discuss list archive



Sircam



On Mon, Aug 06, 2001 at 01:38:04PM -0400, Jerry Feldman wrote:
> Another correction. SirCam is an attachment that can cause infection 
> through any Windows mail client, not just Outlook and family. 
> On 6 Aug 2001, at 8:50, John Malloy wrote:

Sircam is a fairly devious variant of e-mail virus.  There are two
distinct aspects of the operation of any virus: infection, and
propagation.  Sometimes the line between the two is blurred, but
definitely not in this case.

Jerry is correct about infection being possible regardless of the
client you use.  However, by understanding how this virus (and viruses
in general) go about propagating and infecting your system, by
choosing better e-mail clients, and by configuring those clients to
minimize your risk of infection by virii, you can pretty much
eliminate your risk of being infected by this e-mail virus (and
probably most such virii), without even running anti-virus software
(but running such software is still a really good idea).

Infection:
---------- 
Sircam creates a file attachment of one of the following types: .bat,
.com, .lnk, or .pif file.  If a user who receives it activates the
attachment (presumably by clicking on it in their e-mail client), it
will infect that system by whatever means Windows is configured to
handle those kinds of documents.  Where possible, it's a good idea to
separate how you handle e-mail attachments from how the operating
system handles executing them.  I'm not sure how possible this is if
you use Outlook and IE -- I invite someone who is more familiar with
Windows and those applications than I am to comment.  It may well be
easier than I think.

However, if you use Netscape or any other e-mail client, it's very
easy to prevent being infected by this virus, if you do two things:

  - configure your e-mail client NOT to automagically execute these
    file types, but save them to disk instead (to be examined later)

  - NEVER open a file of any of these types which you have received in
    e-mail, unless you are expecting it and know exactly what's in it
    beforehand (or verified it with the sender before opening, at least).
    NEVER open them without prior knowledge of the contents, no matter
    how well you know the sender. It's just not worth the risk.  And, even
    if you know what is (or should be) in the attachment, you should still
    scan it for virii before opening it.  You might miss a joke
    program or two, but you'll save yourself a lot of headaches.

Please note: I'm not saying it isn't possible to do this with IE and
Outlook, only that I don't know that you can.  My impression is that
how attachments are handled by these applications is tied directly to
how Windows itself is configured to handle them.  Hopefully someone
will clarify this if I'm off base.

Propagation:
------------
Sircam can only propagate through one of two means: e-mail addresses
contained in your Windows Address Book(s), and e-mail addresses
contained in IE documents (such as, for example, cached HTML pages) on
your hard drive, referenced in the Windows registry.

So, in order to prevent PROPAGATING this virus if you do become
infected, it's as simple as don't ever run Outlook and/or IE, and
remove any existing address books or cached files from your hard
drive.  Which, based on the sheer volume of security vulnerabilities
that have affected these two applications (especially in combination
with each other), I think is good advice for everyone who is concerned
about the security of their system (of which virus infection is a
part).

BTW, for the complete low-down on Sircam, including how to remove the
accursed thing, have a look here:

  http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html


-- 
---------------------------------------------------
Derek Martin          |   Unix/Linux geek
ddm@pizzashack.org    |   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
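As an added example (not part of Derek's post or of any tool it mentions), the following script turns the two defensive steps from the "Infection" section into code: attachments whose final extension is one of the four types the post names (.bat, .com, .lnk, .pif) are reported and written to a quarantine directory for later scanning, never handed to the operating system's file-type handler. The sample message, the addresses in it and the filenames (including the double-extension "report.doc.pif", chosen to show that only the last extension is judged) are constructed for the example; the deny-list itself is the one the post gives.

```python
import email
import os
import re
import tempfile
from email import policy
from email.message import EmailMessage

# Attachment types the post names as Sircam carriers (deny-list from the post).
# Anything whose final extension is here is saved to disk for inspection only.
DANGEROUS_EXTENSIONS = {".bat", ".com", ".lnk", ".pif"}


def extension_of(filename: str) -> str:
    """Final extension, lower-cased, so "report.doc.pif" is judged by ".pif"."""
    return os.path.splitext(filename)[1].lower()


def risky_attachments(raw_message: bytes) -> list:
    """Names of attachments whose final extension is on the deny-list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if part.get_filename() and extension_of(part.get_filename()) in DANGEROUS_EXTENSIONS
    ]


def quarantine_attachments(raw_message: bytes, quarantine_dir: str) -> list:
    """Write each deny-listed attachment into quarantine_dir; return the paths written.

    The file is only stored for a later scan, never opened or executed here.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    os.makedirs(quarantine_dir, exist_ok=True)
    written = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if extension_of(name) not in DANGEROUS_EXTENSIONS:
            continue
        # Keep only the basename and a safe character set so a hostile filename cannot
        # steer the write outside quarantine_dir; the added suffix also breaks the
        # Windows file-type association that would otherwise run it on a click.
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(name)) + ".quarantined"
        path = os.path.join(quarantine_dir, safe)
        with open(path, "wb") as fh:
            fh.write(part.get_content())
        written.append(path)
    return written


def build_sample_message() -> bytes:
    """Constructed sample: a friendly note, a harmless photo and a .pif posing as a .doc."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"   # constructed address, not a real sender
    msg["To"] = "you@example.com"
    msg["Subject"] = "photos from the trip"
    msg.set_content("Here are the photos I promised, plus that report.")
    msg.add_attachment(b"\xff\xd8\xff fake jpeg bytes", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(b"MZ fake executable bytes", maintype="application",
                       subtype="octet-stream", filename="report.doc.pif")
    return bytes(msg)


def demo(quarantine_dir: str = None) -> dict:
    """Triage the constructed sample; return what was flagged and what was saved."""
    raw = build_sample_message()
    quarantine_dir = quarantine_dir or tempfile.mkdtemp(prefix="quarantine-")
    paths = quarantine_attachments(raw, quarantine_dir)
    saved = {}
    for p in paths:
        with open(p, "rb") as fh:
            saved[os.path.basename(p)] = fh.read()
    return {"flagged": risky_attachments(raw), "saved": saved}


if __name__ == "__main__":
    result = demo()
    print("flagged:", result["flagged"])
    print("quarantined as:", sorted(result["saved"]))
```

Run it on a real mailbox by feeding `quarantine_attachments` the raw bytes of each message (for instance from `mailbox.mbox`); the quarantine directory is the place the post's second bullet says to scan before anything in it is ever opened.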
