
Virus Alert

Cougar Allen

I am reluctant to post a virus alert on this forum because the great majority of them are hoaxes and I'm afraid if I post one people will think virus alerts are welcome here and start posting every hoax they get in email or see posted somewhere -- so, first this policy statement:

The great majority of warnings about viruses and other dangers are hoaxes. Please do not post any off-topic warnings about anything on this forum unless you find confirmation on www.mcafee.com or www.symantec.com for virus warnings, http://www.urbanlegends.com/ or www.snopes2.com for other warnings (Gang Initiation Murders, Kidney Thieves, AIDS-Infected Needles, anything like that).

Please note that a statement in the forwarded email or post that the information therein comes from one of the above sources, or from Microsoft or AOL or Mortimer Snerd or wherever, is not evidence that the information therein comes from one of the above sources or from Microsoft or AOL or Mortimer Snerd or wherever. Please do not post any warning unless you have personally gone to one of the websites above and confirmed it is not a hoax.


Now with that out of the way ... I received the same virus from two forum members in the last few minutes. No harm done; I run McAfee and I didn't run the virus anyway; I recognized it immediately. I warned the members who sent it and I'm sure they're dealing with it, but it's probably spread to some more members in the last few minutes and no doubt will spread farther....

This one varies the subject header and the filename of the attachment (the actual virus) at random, so if you get anything resembling this don't run the file. Both messages had the same text:

Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: message text


Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks

One was headed "To Henrietta" and the attached file was named "To Henrietta.doc.bat"

The other was headed "sidecard" and the attached file was "sidecard.doc.bat"

If you get anything that resembles that don't run the file. Update your virus protection now and frequently. I'll look into what to do if your computer has already been infected and post more later.
 
(((((((((((((((((( McAfee.com Dispatch )))))))))))))))))))))



------------------------------------------------------------
**VIRUS ALERT - W32/SirCam@MM (Sir Cam Virus)**
------------------------------------------------------------



McAfee.com has seen a large and growing number of consumer
computers infected with W32/SirCam@MM. This is a HIGH RISK
VIRUS FOR CONSUMERS. The infected email can come from
addresses that you recognize. Attached is a file with two
different extensions. The file name itself varies.


The email message can appear as follows:


Subject: [filename (random)]
Body: [content varies]



Hi! How are you?
I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for
See you later. Thanks


--- the same message may be received in Spanish ---


Hola como estas ?
Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste
Nos vemos pronto, gracias.


The virus searches for .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG,
.PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder
and attempts to send copies of these documents to email
recipients found in the Windows Address Book and addresses
found in cached files.


For detection and removal instructions for the Sir Cam Virus,
click here.
-> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2371
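
The pattern the two posts above describe (an attachment with two extensions, a subject line equal to the file name, and the fixed opening and closing lines) can be checked mechanically on stored or incoming mail. The Python below is an added example, not part of the thread or of McAfee's dispatch; the extensions beyond .bat, .exe and .vbs and all function names are assumptions, and the sample message is constructed.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Final extensions treated as executable. .bat, .exe and .vbs appear in the
# thread; the others are an assumption added for this example.
EXECUTABLE_EXTS = {".bat", ".exe", ".vbs", ".com", ".pif", ".scr"}
# Opening/closing lines quoted in the alert (English and Spanish variants).
BODY_MARKERS = [("Hi! How are you?", "See you later. Thanks"),
                ("Hola como estas ?", "Nos vemos pronto, gracias.")]

def suspicious_attachments(raw: bytes):
    """Return [(filename, [reasons])] for attachments matching the alert's pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        base, last = os.path.splitext(name.lower())
        if last not in EXECUTABLE_EXTS:
            continue  # final extension is not one Windows would execute
        reasons = ["executable extension " + last]
        stem, decoy = os.path.splitext(base)
        if decoy:
            reasons.append("decoy extension " + decoy + " before it")
        if subject and subject == stem:
            reasons.append("subject equals attachment name")
        if any(a in text and b in text for a, b in BODY_MARKERS):
            reasons.append("body matches quoted template")
        findings.append((name, reasons))
    return findings

def build_sample(subject: str, filename: str, body: str) -> bytes:
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    worm_like = build_sample("sidecard", "sidecard.doc.bat",
                             "Hi! How are you?\n\nSee you later. Thanks\n")
    for name, reasons in suspicious_attachments(worm_like):
        print(name, "->", "; ".join(reasons))
```

Each reason is reported separately so a filter can quarantine on the executable extension alone and use the other matches only to label the message.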
 
This one is indeed valid.

As a Systems Engineer I can say it has been wreaking havoc on my Exchange servers since Friday. Today we got hit with it in excess of 1,500 times for a 400-employee company.

Good call Cougar :)
 
I've been receiving the "W32.Sircam.Worm@mm" worm all weekend from one certain person with a Mexican email address (ending in ".mx"). It's come in my direction over 20 times in three days from the same person.
 
Yup, just got this from two separate people.

Of course, as I'm fond of pointing out, even if I was careless enough to run programs without double-checking, I'm safe because I don't use Outlook Express for email, and it doesn't sound like this one (or 99% of the similar virii) can do me any harm.

--JB
 
And now for
"Stupid Question Time"

Do mac users need to worry? Or is it just PC users?

I guess that would be "Stupid Question-s"
Thanx,
Ebbtide
 
Hi Ebbtide,

Originally posted by Ebbtide
And now for
"Stupid Question Time"

Do mac users need to worry? Or is it just PC users?

I guess that would be "Stupid Question-s"
Thanx,
Ebbtide

Not a stupid question. From my understanding, this worm was written for IBM computers and can do damage to a computer even if the user uses a Microsoft product (it may act differently to an MS product).

Someone who knows more can comment in detail.
 
WOW!!!
Just got that from "DBAKER4@carolina.rr.com"
didn't know who it was from so I deleted it!!!!!! :(
Almost looked like he sent it on purpose!!!!! :(
OOOPPPPS >> SORRY DAVID!!!! I now realize the thing just forwards itself and it was no fault of yours....I'm not a real wiz on this computer stuff....sorry to imply that you did something wrong.. TOM
 
Wow! I received the same e-mail this morning, but since I DON'T open attachments (especially from people I don't know), I deleted the damn thing right away. WHEW...:eek:
 
Easy way to find out if your system is already infected: search your hard drive for C:\WINDOWS\SYSTEM\SCam32.exe -- if you find that file go to the link I posted above to find out how to clean your system.

This one is not a danger for Mac users or people who have updated their virus protection recently (July 18th for McAfee) and of course it can't affect anyone who doesn't run the file.

Simply receiving a virus in email does not infect your system unless you have your email program set to run attachments automatically. Until recently Microsoft Outlook Express did that by default. Microsoft's approach to security is to ignore the whole concept of security until a hole is exploited. Then they issue a patch for that hole, continuing to ignore all the others. If you're running Outlook or any Microsoft software (including Windows, and including Microsoft application programs even if you're running them on a Mac) go to http://windowsupdate.microsoft.com/default.htm frequently and always install anything that says "critical update" immediately. Frequently. It doesn't cost anything and they can't tell if your software is pirated.

Personally I would not run Outlook if Bill Gates paid me to, and I wouldn't even have Microsoft Word on my hard drive (it's dangerous even if you never run it) but that's just me ... well, actually it's a lot of other people too ... but not everybody ... unfortunately.
 
I got the same two yesterday, I deleted them as soon as I saw they had attachments. They were gone so fast my McAfee didn't even react. I also got one a while back from a forum member in the Netherlands that was with a knife pic, luckily my anti virus protection saved the day. I informed him of the problem and asked he not correspond with me until he fixed the problem. I still haven't heard back from him.
 
This and other viruses that spread by email usually come from people you know. When they infect a computer they send copies of themselves to everybody in the address book. Somebody whose name doesn't seem familiar might have your address, but most of the people who have you in their address book are people you know....

Whoever wrote it sent it deliberately, once, and some people might be deliberately sending it to people they don't like, but presumably they would have sense enough to disguise who's sending it a little -- so don't get mad at whoever sent it to you; it's very unlikely they did it deliberately. The two people who sent it to me certainly didn't do it deliberately; they're both nice people.
 
Sorry guys, if you think you're protected because you don't use Outlook, Outlook Express or Word, you're not.

This virus is a Worm and is distributed by attachments to an e-mail. When you launch the e-mail attachment the worm executes and then does its damage.

I won't go into what it does here but if you're really interested here is the place to find out more about it.

http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html

FWIW, the only reason Outlook, Outlook Express and Word are the most commonly hit programs is not because of the weakness of the software. It is because they are the most used products in the world. Hackers get their kicks from seeing their name in the papers, you surely are not going to accomplish that by hacking a Mac, or Pegasus Mail or some other less used product.

Also, the people that should be least worried about this particular virus are the home users (not that it can't do damage, just not as much). This virus was primarily designed to travel across a network via mapped drives and do damage across a LAN or WAN. When you clean it from one machine it's already on to another, that's why it's important to have updated virus software on servers as well.

For all of the anti-Microsoft people this problem affects Novell Netware as well. Oh yeah, and for those of you using Linux, you're not safe either. Not if you're using mapped drives.

Just to keep the flames at a minimum I must state that I am not a dyed-in-the-wool Microsoft fan, I work on a network with both Novell & NT and have certifications in both.
 
Of course it's true that more viruses are written to attack Windows and Unix systems because they're more popular. Mac users bragging that their computers are less likely to be attacked by viruses is kind of like me bragging my car is better than yours because nobody's likely to vandalize it ... because it's so ugly already nobody would bother.... :)

That does not excuse Microsoft's attitude to security, though. No other email program has ever come with the default setting to run all attachments automatically. No other word processor has the holes or the backdoors or the secret signature code Microsoft Word has, either.
Some flavors of Unix have some pretty bad defaults for security, too.
 
Had one of those today, didn't open it because of my policy of opening nothing that I am not expecting. Carol emailed the web master of the originating company to inform him of the infection.
 
Got one today as well, from David Baker....didn't look like his style of wording and I am pretty anal about opening ANY attachments anyway but out of curiosity I did the virus scan on it just to see and POP it was a badden, I called Mr Baker as we have communicated in the past but it's been a while, he was very surprised as he hadn't sent me anything! So he was going to check his computer tonight and run a virus scan on it, just in case. But from the sounds of it, it must have come from someone else anyway!

G2
 
I just saw today in my hotmail there were many undelivered mails from System Admin, as if I was the sender. The mail sent was supposedly with subject: This is a test
I didn't send to any and those are unknown addresses to me.

I alerted MSN because I suspected their mail servers were infected and somehow some virus got into it and started forwarding to the address book on the server.

So, if anyone has HOTMAIL account, be alerted.

BTW, I work on the technology side of the business, so although not an expert and have no certificates, I understand the underlying technology of this.
 
cpirtle, name one of these worms which would work with Netscape (for example). It's not that it is impossible for one to come along, but in all the time this has been happening, I have yet to hear of even one which will.

And Netscape at least gives you the option to open or not open attachments - Outlook automatically runs VBscript attachments. Additionally, unless you get into the settings and change it, Outlook hides known extensions, so you might see 'knifepic.jpg' when, in fact, the real file is 'knifepic.jpg.exe', but Outlook hid the '.exe'

In other words:
Netscape and similar = marginal security, at best
Microsoft = "Security? We don't need no steenkin' security!"

--JB
 
I knew it wouldn't be long before some Anti-Microsoft person came around.

Point 1: The worm in question will work on any "IBM" compatible machine that launches the attachment. It does not matter if you're using Netscape, Outlook Express or any other mail program. That is one example I can give without looking. In fact, I have Netscape users who are infected with this virus.:p

Point 2: Outlook Express has not automatically run vbs files in several releases. Outlook has never run attachments automatically. In fact, Service Release 2 of Office 2000 disables just about every type of file attachment, including all types of virus carrying files.

Point 3: Outlook does not hide file extensions, period. The problem you're thinking of arises when the file name is too big to be displayed. Example, the "I love you" virus used to send a link that would read something to the effect of I.Love.you.please.look.here.jpg.vbs. If you looked at the message in the preview pane there was not enough space to show the full name of the file, you had to first click the paper clip attachment to see the full name, or try to save the file to disk.

The best way to recognize it is that you can look at the icon and tell that it does not match the icons for other file types on your computer. Everyone knows that a word file has a specific looking icon the same as a jpg, pdf, XLS, etc. Well, a VBS file also has a very specific icon. These icons appear the same no matter what software you are using because they are controlled by the OS not the application.

Point 4: This particular virus does not even use VBS as its transport method. It is randomly picking files that it can attach to on a victim's computer and e-mail the files out. These files include DOC, Bat, Pif, Xls, PDF etc. Not all of which are even Microsoft files. So even if someone was using an older version of Outlook Express it would not make a difference.

How many more points do I need to make before you will admit that your post is more based in bigotry towards Microsoft than actual fact? It's not that they don't hit Netscape, it's that Netscape makes up about 5% of the browser market so why report on it?

I can understand people don't like Microsoft, I'm not their biggest fan at all times either, but it grates me that people make baseless quotes and statements that they cannot back up and then other people who readily admit they don't know much read that and take it as fact.

If I told you Sebenzas were garbage because they were not true customs, you would laugh at me, I would laugh too, I have 3 of them. But if some FNG read that he may take it to heart and never buy a Seb, possibly missing out on one of the finer things in life.

But you know, I think Chris Reeve gets maligned by many the same way Bill Gates does only on a smaller scale. You know why? Because both are arguably the pinnacles of their industry and they will always be attacked by people who are jealous of what they accomplished.

Flame away, all I tried to do in earlier posts was help people understand the nature of this virus, not attack or defend Microsoft.

Otherwise, have a great day :D
 
#1 - everything I've seen says that this worm uses the Windows address book to send itself - Netscape has a separate address book....

#2 - I have watched Outlook Express run vbs files automatically. Maybe this has been fixed in newer releases, but many (if not most) users still run older versions.

#3 - Outlook Express (in every release I've ever heard of) hides any file extension that Explorer hides (Windows Explorer - not Internet Explorer). They use the same list.

#4 - again, I have yet to hear of this virus being spread by a machine which had Outlook Express disabled from sending.

With every release of Windows, more security evaporates, and more bugs appear. Most service technicians I know will not even touch any machine running Windows ME. Others charge a premium to do so, and will offer to waive it if the user allows them to replace ME with '98 SE.

In other words, Windows is not the Sebenza of the computer industry - it's the HSN special.

--JB
 