FAQ: What you need to know about SirCam

CNET News.com answers common questions regarding the SirCam worm, including what to do if you receive infected messages.

David Becker Staff Writer, CNET News.com

What is SirCam?
SirCam is a malicious program with characteristics of a worm--a self-propagating piece of destructive code--and a virus, a malicious program that attaches itself to other files. It also has qualities of a "Trojan horse" in that it poses as a harmless file.

How can I tell if a message I receive is infected by SirCam?
All SirCam messages arrive with an attachment and an e-mail subject line, but these are different for every SirCam message. That's because each time the SirCam worm infects a computer, it randomly plucks a document from that computer and sends itself out with the document attached--drawing the e-mail subject line, and the name of the attachment itself, from the title of the pilfered document.

Each virus-carrying message contains the same text in the body of the message, however. The first and last lines are "Hi! How are you?" and "See you later. Thanks" in the English version of the message and "Hola como estas?" and "Nos vemos pronto, gracias" in the Spanish version.

How dangerous is SirCam?
The main threat posed by the worm is possible security breaches from its propagation method. By attaching randomly chosen documents to itself, the worm could share confidential information with others.

SirCam also can perform several destructive acts based on a combination of arcane PC settings and chance. If the infected PC uses the European date format (day/month/year), for example, there is a 1-in-20 chance the worm will delete all files and folders on that computer's hard drive on Oct. 16.

Who can be infected?
Any PC running Windows 95, Windows 98, Windows Me, Windows 2000 or Windows NT. Due to an apparent flaw in the worm, however, SirCam cannot replicate itself on Windows 2000 and Windows NT systems.

What should I do if I receive an infected message?
Delete the message, then check to see if your PC is infected. Locating and removing the infection on your own is a relatively complex process, as detailed in a McAfee document.

The easier approach is to use the automated SirCam detection and removal tool available for free downloading from antivirus-software maker Symantec.

How can I keep SirCam messages from flooding my mailbox?
If your Internet or e-mail service provider screens incoming messages, your mailbox should be safe, although Hotmail users have reported that the service's virus filters have failed to catch SirCam.

Those who use unfiltered services--and unlucky Hotmail users--are on their own. Install antivirus software on your PC, keep it updated, and set it to screen your e-mail, so that infected messages at least won't be able to deliver their payload.

Most e-mail programs also allow you to set up rules for incoming messages. Using a tool such as the Rules Wizard in Microsoft Outlook, for instance, you could set up a rule that all incoming messages with the body text "See you later. Thanks" are moved to a separate folder, where you can easily delete any suspicious entries.
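The same filtering idea can be applied on a mail server or to a saved mailbox. The following Python sketch is an added example, not part of the original CNET article or any vendor tool: it flags a message only when it carries an attachment and its first and last body lines match one of the pairs quoted above. The function names, addresses, subject and sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# First and last body lines quoted in the FAQ (English and Spanish versions).
MARKERS = [
    ("Hi! How are you?", "See you later. Thanks"),
    ("Hola como estas?", "Nos vemos pronto, gracias"),
]

def looks_like_sircam(raw_message: str) -> bool:
    """Hypothetical helper: True if the message matches the FAQ's description."""
    msg = message_from_string(raw_message, policy=policy.default)
    # Every SirCam message carries an attachment, so require at least one.
    if next(msg.iter_attachments(), None) is None:
        return False
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return False
    # Compare the first and last non-empty body lines against the known pairs.
    lines = [ln.strip() for ln in body.get_content().splitlines() if ln.strip()]
    if len(lines) < 2:
        return False
    return any(lines[0] == first and lines[-1] == last for first, last in MARKERS)

def build_sample(body: str, attach: bool = True) -> str:
    """Build a test message (constructed sample, not a captured one)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Quarterly budget"  # constructed; the real subject varies
    m.set_content(body)
    if attach:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename="Quarterly budget.doc")
    return m.as_string()

if __name__ == "__main__":
    english = build_sample("Hi! How are you?\n(constructed middle line)\nSee you later. Thanks\n")
    benign = build_sample("Hi team,\nbudget attached.\nSee you later. Thanks\n")
    print(looks_like_sircam(english), looks_like_sircam(benign))
```

Requiring the attachment and both marker lines keeps ordinary mail that merely ends with "See you later. Thanks" out of the quarantine folder, which a single-phrase rule would catch.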

What will happen to the creator of SirCam?
Probably nothing. An FBI representative said Monday that she was not aware of any SirCam-related investigation. Usually only the most destructive viral outbreaks, such as the Love Letter epidemic, generate significant law-enforcement attention.