http://www.newsbytes.com/news/01/169522.html

By Brian McWilliams, Newsbytes

GIVAT SHMUEL, ISRAEL, 29 Aug 2001, 10:11 AM CST

A new tool offers relief for computer users still plagued by e-mails infected with the file-stealing SirCam worm, or who have voyeuristic tendencies.

ClipSirc is a tiny DOS utility that automatically dissects the data files that come attached to messages generated by SirCam. Developed by Israeli anti-virus vendor Invircible, the free tool strips the worm's installation code from the legitimate document it uses as a Trojan horse.

First reported in mid-July, SirCam spread widely by duping unwary Internet users into clicking an e-mail attachment that contains a file harvested from the "My Documents" folder on an infected sender's PC. Despite receiving widespread media attention, the worm continues to infect new users today, as they fall for SirCam's lure: "I send you this file in order to have your advice."

In fact, most anti-virus vendors still consider SirCam a high risk. Symantec, for example, recently upgraded the worm to the firm's highest threat level because of an increased rate of submissions from users.

According to Invircible's Zvi Netiv, recipients of SirCam-generated messages who attempt to contact the senders often encounter denial. Netiv said Invircible developed ClipSirc to give innocent users a way to prod SirCam victims into cleaning up their act.

"Returning them their own document or worksheet helps get fast results and stops the leak. The stripped attachment can be instrumental in convincing the parties that drastic measures are necessary," said Netiv.

Invircible has received hundreds of documents sent by SirCam-infected users, many of them confidential, according to Netiv.
Among the documents are a 60-page business plan from a Hong Kong company; detailed patients' medical reports from a hospital in Mexico; the entire customer list of a company that sells precious stones; and a file from a school principal in Wisconsin containing very personal student records.

Newsbytes has received several considerably less interesting documents, including multiple copies of a Word document that contains a poem entitled "The Pig Farmer Hangover."

Last month, an FBI analyst became infected by the worm and had several documents, including one marked "Official Use Only," e-mailed out to numerous recipients.

While most anti-virus software can detect and block the worm from infecting a computer, the often-hefty file attachments can be slow to download or can overflow mailbox quotas.

According to Netiv, the ClipSirc utility analyzes an infected e-mail attachment and identifies the beginning of the data file through pointers embedded in the worm's header. It then determines the type of data that was appended and extracts it to disk with the appropriate file extension.

ClipSirc can salvage SirCam-infected files in the following formats: .DOC, .XLS, .JPG, and .ZIP, according to Netiv. SirCam is also capable of mass-mailing files in the .EXE, .COM, .LNK, .PIF, and .BAT formats.

To use ClipSirc, users should download the program to a dedicated directory, according to Invircible. Attachments from SirCam-infected messages should be placed in the same directory. (Users may have to disable their anti-virus software to handle the infected files.) Double-clicking on the ClipSirc icon will cause the program to clean the data files contained in the attachments and extract them to the same directory. Invircible cautions users not to activate the infected attachments directly, or they will risk catching SirCam.

If waving a confidential document doesn't get infected users' attention, they may get their comeuppance soon. According to Symantec, on Oct. 16, SirCam will on some systems delete all files and directories on the infected computer's C drive.

ClipSirc is available for download here: http://www.invircible.com/download/tools/clipsirc.exe

Symantec's write-up on SirCam is at http://www.sarc.com/avcenter/venc/data/w32.sircam.wormat_private
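The extraction step described above (find the start of the appended data file, work out its type, write it to disk with the right extension) as an added Python example. This is not Invircible's ClipSirc and contains no SirCam code. Because the article does not give the layout of the worm's header, the script does not follow header pointers as ClipSirc is said to do; it instead scans the attachment for the signature of one of the four formats the article lists (.DOC/.XLS via the OLE2 magic, .JPG, .ZIP), validates the candidate, and carves from there to the end of the file. Telling .DOC from .XLS by the Word or Excel stream name inside the OLE directory is likewise this example's own choice. The sample attachments it builds are constructed stand-ins, not real worm bytes.

```python
"""Carve the appended document out of a SirCam-style attachment.

Added example for this page, not ClipSirc. Assumption: the worm body comes
first and the stolen document is appended after it, so the document runs
from its format signature to the end of the attachment.
"""
import io
import os
import struct
import tempfile
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (.doc/.xls)
JPEG_MAGIC = b"\xff\xd8\xff"                       # JPEG SOI marker
ZIP_MAGIC = b"PK\x03\x04"                          # first local file header of a ZIP


def ole_kind(data):
    """Tell .doc from .xls: OLE directory entries store stream names in UTF-16LE;
    Word keeps a 'WordDocument' stream, Excel a 'Workbook' (older: 'Book') stream."""
    if "WordDocument".encode("utf-16-le") in data:
        return "doc"
    if "Workbook".encode("utf-16-le") in data or "Book".encode("utf-16-le") in data:
        return "xls"
    return None


def validate(kind, data):
    """Plausibility checks so a stray byte pattern inside the worm body is not
    mistaken for the document. Returns the extension to use, or None."""
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return "zip" if zf.testzip() is None else None
        except zipfile.BadZipFile:
            return None
    if kind == "jpg":
        return "jpg" if data.endswith(b"\xff\xd9") else None   # EOI marker must be last
    if kind == "ole":
        if len(data) < 512:
            return None
        sector_shift = struct.unpack_from("<H", data, 0x1E)[0]  # 9 or 12 in real files
        return ole_kind(data) if sector_shift in (9, 12) else None
    return None


def carve(blob):
    """Return (extension, document bytes) for the earliest validated document
    found in blob, or None if nothing recoverable is present."""
    hits = []
    for magic, kind in ((OLE_MAGIC, "ole"), (JPEG_MAGIC, "jpg"), (ZIP_MAGIC, "zip")):
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = blob.find(magic, pos + 1)
    for pos, kind in sorted(hits):
        ext = validate(kind, blob[pos:])
        if ext:
            return ext, blob[pos:]
    return None


def extract(attachment_path, out_dir):
    """Read one attachment (it is only read, never run) and write the carved
    document to out_dir as <attachment stem>.<ext>. Returns the path or None."""
    with open(attachment_path, "rb") as f:
        blob = f.read()
    found = carve(blob)
    if found is None:
        return None
    ext, data = found
    stem = os.path.splitext(os.path.basename(attachment_path))[0]
    out_path = os.path.join(out_dir, stem + "." + ext)
    with open(out_path, "wb") as f:
        f.write(data)
    return out_path


def build_sample(kind):
    """Constructed test input: a harmless fake dropper stub with one document
    appended. None of this is SirCam."""
    stub = b"MZ" + b"\x90" * 256 + b"[constructed stub, not a real worm]" + b"\x00" * 64
    if kind == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("advice.txt", "I send you this file in order to have your advice")
        doc = buf.getvalue()
    elif kind == "jpg":
        doc = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
    else:  # "doc" or "xls": minimal OLE header plus a fake directory stream name
        header = OLE_MAGIC + b"\x00" * 16 + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6)
        name = ("WordDocument" if kind == "doc" else "Workbook").encode("utf-16-le")
        doc = header.ljust(512, b"\x00") + name.ljust(128, b"\x00")
    return stub + doc


def demo():
    """Write the four constructed attachments to a temp dir, extract each, and
    return {kind: extension of the file actually written}."""
    workdir = tempfile.mkdtemp()
    result = {}
    for kind in ("doc", "xls", "jpg", "zip"):
        path = os.path.join(workdir, "sircam_%s.exe" % kind)
        with open(path, "wb") as f:
            f.write(build_sample(kind))
        out = extract(path, workdir)
        result[kind] = None if out is None else os.path.splitext(out)[1].lstrip(".")
    return result


if __name__ == "__main__":
    for kind, ext in demo().items():
        print("sircam_%s.exe -> .%s" % (kind, ext))
```

As with ClipSirc, keep the attachments in a directory of their own and never open them directly; the script only reads the bytes. Signature scanning is weaker than following the worm's own pointers, which is why each candidate is validated (ZIP CRCs, JPEG end-of-image marker, OLE sector size) before anything is written.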