SirCam worm fails to reactivate

A bug in the worm's code prevents the malicious program from reactivating its payload, which had been expected to hit European computer systems Oct. 16.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
A bug in the code of the SirCam worm has prevented the malicious program from reactivating its payload, which would have deleted files on infected PCs Tuesday, according to antivirus company Sophos.

Code in the worm, which continues to spread among unprotected computers connected to the Internet, would have turned every program launched on Oct. 16 into a crapshoot: Running an application on an infected PC would have deleted all files on the computer 5 percent of the time.

The writer of SirCam made an error in the code that stacked the odds against the worm, said Graham Cluley, senior technology consultant for Oxford, England-based Sophos.

"Virus writers aren't geniuses, and this guy fouled it all up," he said.

The writer of the worm intended the code to have a 1-in-20 chance of deleting all files on an infected computer once the system date, in the day/month/year format used in Europe, reached 16/10/2001. In computer programming, this is typically done by generating a random number between 1 and 20 with a random-number function and running the code only if the number is 1.

However, in this case, that comparison will never be true because the worm checks to see if the number equals 1 before actually generating the number, said Cluley. In turn, the mistake means that the file-deleting code will never be run.
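The ordering defect Cluley describes, reconstructed as an added simulation; this is not the worm's code, which the article does not reproduce. It assumes the never-drawn value compares as 0, and the destructive payload is replaced by a counter so the two orderings can be compared side by side:

```python
"""Simulation of the SirCam trigger defect as described in the article.

Constructed illustration: the real worm code is not on the page. The
"payload" here only counts, nothing touches the file system.
"""
import random

# 16/10/2001 in day/month/year form, the trigger date named in the article
TRIGGER_DATE = (16, 10, 2001)


def buggy_trigger(today, rng):
    """Ordering the article describes: the value is compared with 1 before
    the random draw happens, so the test is made against a value that has
    never been set (assumed here to read as 0) and can never succeed."""
    if today != TRIGGER_DATE:
        return False
    roll = 0                      # stand-in for the never-initialised value
    if roll == 1:                 # compared before it is ever drawn
        roll = rng.randint(1, 20)  # the draw lives inside the dead branch
        return True               # payload would run here, but never does
    return False


def intended_trigger(today, rng):
    """What the author apparently meant: draw first, then compare."""
    if today != TRIGGER_DATE:
        return False
    roll = rng.randint(1, 20)
    return roll == 1              # genuine 1-in-20 chance


def simulate(trigger, today, trials, seed=1):
    """Count how many of `trials` launches would fire the payload.
    A fixed seed keeps the run reproducible."""
    rng = random.Random(seed)
    return sum(trigger(today, rng) for _ in range(trials))


if __name__ == "__main__":
    for name, fn in (("buggy", buggy_trigger), ("intended", intended_trigger)):
        hits = simulate(fn, TRIGGER_DATE, 10000)
        print(f"{name:9s} trigger fired {hits} times in 10000 launches")
```

The buggy ordering never fires, which is exactly why Sophos expected no reports of deleted files; the intended ordering fires close to 5 percent of the time on the trigger date and never on any other date.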

Some antivirus companies--including security software maker Symantec--disagreed with the analysis and warned that the virus would activate its file-deleting code Oct. 16.

"We know that a lot of these types of viruses contain bugs that can corrupt infections, but the working samples that we have (of SirCam) convince us that there is a 1-in-20 chance of reinfection," said Andre Post, senior researcher at Symantec.

Cluley said Sophos' analysis of the code has been borne out, however.

"We have had a grand total of zero reports of a person's computer files being deleted today," he said. The worm would also try to fill up the computer's hard drive with garbage data, but that payload is also scuttled by the error in SirCam's code, he said.

Antivirus company F-Secure also identified the flaw in the worm.

Sophos' Cluley did warn, however, that other file-deleting code in the worm could execute in rare circumstances.

SirCam started spreading in mid-July and has continued to send out large amounts of worm-laden e-mail to the Internet from infected PCs running Microsoft Windows.

The worm arrives attached to an e-mail message as a file, with the file's name appearing as the subject line. If a person opens the infected file, the worm will copy itself to several locations on the PC and start its own e-mail engine to send off more infected messages. The messages will contain a random file taken from the infected PC's "My Documents" folder.

The worm also copies itself to networked hard drives.

SirCam continues to try to infect other Internet-connected PCs. More than 425,000 copies of the worm have been removed from e-mail messages addressed to customers of e-mail screening service MessageLabs. On Tuesday, three months after the worm first started spreading, the service continued to intercept more than 1,200 infected messages.

People should run antivirus software and exercise care in opening any attachments sent in an e-mail message, even those that apparently come from friends, experts warn.

Staff writer Wendy McAuliffe contributed from London.