I think the subject is not random, but itīs the name of the document (be it a .doc, .zip , .xls or whatever) that the worm attaches to itself before it sends emails. In the cases Iīve seen, the subject is the same as the attachments name. The message asks the receipient for his opinion about the attachemnt, and since the file comes from the senders hard disk, the receipient usually opens it (if he doesnīt realize that the file extension is .doc.pif or .zip.pif, and even if he does, many people donīt know what a .pif file is) I think it also uses the .bat extension, but Iīm not sure. Iīve seen both the english and the spanish version. If you examine the file with notepad, thereīs a string saying it was made in mexico. I think both versions are in fact the same, and it must be cheking windows settings to know whether to propagate in english or spanish) LAst thing i wanted to say is that this virus has spread in Argentina very fast during this week (I first found it in a friends home PC on the 18th) ----- Original Message ----- From: "Kimberly Anne McKinnis" <elfat_private> To: "rudi carell" <rudicarellat_private> Cc: <epicat_private>; <vuln-devat_private>; <SECURITY-BASICSat_private> Sent: Tuesday, July 24, 2001 1:25 PM Subject: Re: Win32.Sircam.Worm Alert..... > Actually... the subject is random. The body, however, is consistent. See these > sources for more info: > > http://www.symantec.com/avcenter/venc/data/w32.sir cam.wormat_private > > http://vil.mcafee.com/dispVirus.asp?virus_k=99141& > > http://www.antivirus.com/vinfo/virusencyclo/defaul t5.asp?VName=TROJ_SIRCAM.A > > http://www.antivirus.com/vinfo/virusencyclo/defaul t5.asp?VName=TROJ_SIRCAM.A > > http://www.sophos.com/virusinfo/analyses/w32sircam a.html > > http://www.europe.f-secure.com/v-descs/sircam.shtm l > > http://service.pandasoftware.es/servlet/panda.pand > aInternet.EntradaDatosInternet?operacion=FichaViru > s&idVirusFicha=1911&pestanaFicha=1 > > http://support.centralcommand.com/cgi-bin/command. > cfg/php/enduser/std_adp.php?p_refno=010718-000010 > > rudi carell wrote: > > > ..subject varies between > > > > "Wedding List" > > > > and > > > > "Reference Letter Peggy" > > > > yfyi. > > > > rc > > > > >Friday morning I recieved an email from a friend, it looked as >though he > > >was sending me a .doc to look over. To my dismay, it was a worm that >had > > >infected him. > > > > > >I have found little information about this worm, Mostly located at > > >http://www.symantec.com/avcenter/venc/data/w32.sircam.wormat_private > > > > > >The Worm will come from someone that has you on there contact list, >and > > >will > > >have a differnt subject line determined by the attached file. > > > > > >The text will read in english as: > > > > > >Hi! How are you? > > > > > >I send you this file in order to have your advice > > > > > >See you later. Thanks > > > > > > > rudicarellat_private > > securityat_private > > http://www.freefly.com/security/ > > > > _________________________________________________________________ > > Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp > > -- > kimmie mckinnis > http://www.starjewel.org > icq:186072/aol:starbreiz > > > --------------------------------------------- Servicio provisto por EDUNEXO ---------------------------------------------
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 10:04:21 PDT