[ISN] Don't Get Mad At SirCam, Get Even

From: InfoSec News (isnat_private)
Date: Wed Aug 29 2001 - 22:44:59 PDT


    By Brian McWilliams, Newsbytes
    29 Aug 2001, 10:11 AM CST

    A new tool offers relief for computer users still plagued by e-mails
    infected with the file-stealing SirCam worm or who have voyeuristic

    ClipSirc is a tiny DOS utility that automatically dissects the data
    files that come attached to messages generated by SirCam. Developed by
    Israeli anti-virus vendor Invircible, the free tool strips the worm's
    installation code from the legitimate document it uses as a Trojan

    First reported in mid-July, SirCam spread widely by duping unwary
    Internet users into clicking an e-mail attachment that contains a file
    harvested from the "My Documents" folder on an infected sender's PC.

    Despite receiving widespread media attention, the worm continues to
    infect new users today, as they fall for SirCam's lure: "I send you
    this file in order to have your advice." In fact, most anti-virus
    vendors still consider SirCam a high risk. Symantec, for example,
    recently upgraded the worm to the firm's highest threat level because
    of an increased rate of submissions from users.

    According to Invircible's Zvi Netiv, recipients of SirCam-generated
    messages who attempt to contact the senders often encounter denial.
    Netiv said Invircible developed ClipSirc to give innocent users a way
    to prod SirCam victims into cleaning up their act.

    "Returning them their own document or worksheet helps get fast results
    and stops the leak. The stripped attachment can be instrumental in
    convincing the parties that drastic measures are necessary," said

    Invircible has received hundreds of documents sent by SirCam-infected
    users, many of them confidential, according to Netiv. Among the
    documents are a 60-page business plan from a Hong Kong company;
    detailed patients' medical reports from a hospital in Mexico; the
    entire customer list of a company that sells precious stones; and a
    file from a school principal in Wisconsin containing very personal
    student records.

    Newsbytes has received several considerably less interesting
    documents, including multiple copies of a Word document that contains
    a poem entitled, "The Pig Farmer Hangover."

    Last month, an FBI analyst became infected by the worm and had several
    documents, including one marked "Official Use Only," e-mailed out to
    numerous recipients.

    While most anti-virus software can detect and block the worm from
    infecting a computer, the often-hefty file attachments can be slow to
    download or can overflow mailbox quotas.

    According to Netiv, the ClipSirc utility analyzes an infected e-mail
    attachment and identifies the beginning of the data file through
    pointers embedded in the worm's header. It then determines the type of
    data that was appended and extracts it to disk with the appropriate
    file extension.

    ClipSirc can salvage SirCam-infected files in the following formats:
    .DOC, .XLS, .JPG, and .ZIP, according to Netiv. SirCam is also capable
    of mass-mailing files in the .EXE, .COM, .LNK, .PIF, and .BAT format.

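
An added example, not ClipSirc's code and not part of the article: the article gives no layout for the worm's header pointers, so this Python code uses a different technique, searching past an assumed, caller-supplied stub length for the file signatures of the formats listed above. The names `carve`, `classify` and `stub_len`, the leading "MZ" check, and the sample bytes are assumptions constructed for the example.

```python
# Added example: signature-based carving, not ClipSirc's pointer-based method.
OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")          # OLE2 container (.DOC, .XLS)
MAGICS = (OLE2, b"\xFF\xD8\xFF", b"PK\x03\x04")   # plus JPEG and ZIP


def classify(payload: bytes):
    """Map a carved payload to an extension from the article's salvage list."""
    if payload.startswith(b"\xFF\xD8\xFF"):
        return ".jpg"
    if payload.startswith(b"PK\x03\x04"):
        return ".zip"
    if payload.startswith(OLE2):
        # Word and Excel share the OLE2 container; the stream names stored
        # as UTF-16LE in its directory tell them apart.
        if "WordDocument".encode("utf-16-le") in payload:
            return ".doc"
        if "Workbook".encode("utf-16-le") in payload:
            return ".xls"
    return None  # unknown or executable content is never given an extension


def carve(attachment: bytes, stub_len: int):
    """Return (offset, extension, payload) for the appended document, or None.

    stub_len is an assumed, caller-supplied lower bound on the size of the
    executable stub; searching only past it avoids matching bytes inside
    the stub that merely look like a signature.
    """
    if not attachment.startswith(b"MZ"):   # assumption: stub is a DOS/PE file
        return None
    hits = [attachment.find(m, stub_len) for m in MAGICS]
    hits = [h for h in hits if h != -1]
    if not hits:
        return None
    offset = min(hits)                      # earliest signature past the stub
    payload = attachment[offset:]
    ext = classify(payload)
    return (offset, ext, payload) if ext else None


# Constructed samples: a fake 64-byte stub followed by a minimal data blob.
SAMPLE_DOC = (b"MZ" + b"\x00" * 62 + OLE2 + b"\x00" * 24
              + "WordDocument".encode("utf-16-le"))
SAMPLE_ZIP = b"MZ" + b"\x00" * 62 + b"PK\x03\x04" + b"\x00" * 26
```

The attachment is only read as bytes and never executed, and anything that does not classify as one of the four document formats is rejected rather than written out.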
    To use ClipSirc, users should download the program to a dedicated
    directory, according to Invircible. Attachments from SirCam-infected
    messages should be placed in the same directory. (Users may have to
    disable their anti-virus software to handle the infected files.)
    Double-clicking on the ClipSirc icon will cause the program to clean
    the data files contained in the attachments and extract them to the
    same directory. Invircible cautions users not to activate the infected
    attachments directly or they will risk catching SirCam.

    If waving a confidential document doesn't get infected users'
    attention, they may get their comeuppance soon. According to Symantec,
    on Oct. 16, SirCam will on some systems delete all files and
    directories on the infected computer's C drive.

    ClipSirc is available for download here:
    http://www.invircible.com/download/tools/clipsirc.exe .

    Symantec's write-up on SirCam is at
    http://www.sarc.com/avcenter/venc/data/w32.sircam.wormat_private .

    ISN is currently hosted by Attrition.org