SirCam slowing but going

The e-mail worm has started to slow but continues to spew out messages and share documents.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
The SirCam worm slowed its advance Thursday but remains a threat, antivirus experts warned.

"The worst is over, but we won't see a huge drop-off yet," said David White, technical manager for British e-mail service provider MessageLabs. "It is still by far the most prolific virus that is currently spreading."

Although the weekend saw a small drop in the rate of infection, the number of copies of SirCam caught daily by MessageLabs continued to grow early this week, topping 10,000 messages on both Tuesday and Wednesday.

On Thursday, that growth stopped. Though MessageLabs had not posted final numbers for the day, it had intercepted only about 4,000 worm-laden e-mails by midday.

Part of the reason for the drop is that companies have gotten their houses in order, said Vincent Gullotto, director of antivirus research for PC software company Network Associates.

"It didn't get to outbreak status, because corporations were able to block it before it got in," he said.

The worm is a mass mailer, working in a manner similar to the Love Letter and Magistr infections.

SirCam spreads by sending e-mail messages with infected attachments. While the message's subject line varies, the body generally contains the same text: "Hi! How are you? I send you this file in order to have your advice. See you later. Thanks." A small number of messages have similar text in Spanish.

Opening the attached file on a PC running Windows will infect the victim's computer. The worm appends itself to a file randomly selected from the infected computer's "My Documents" folder and attaches that to an e-mail. Messages are sent to everyone in the person's Windows address book and to any e-mail addresses in the Web browser's cache file, where images of recently viewed pages are stored.

The virus has been responsible for leaking corporate documents, password files and, in one case, official FBI documents.

For home users, the virus is still a danger, said MessageLabs' White.

see special report: Year of the Worm "There are an awful lot of home users that have no antivirus protection today, and that can be catastrophic," he said.

E-mail users writing to CNET News.com agreed, saying the virus was clogging Internet access and sharing confidential information.

"I think this virus is being extremely underestimated," wrote one e-mail user, who had received five infected messages.

Network Associates plans to reduce its rating of the virus from "high" risk to "medium" sometime next week.