Even as most companies now prevent their networks from spreading the bug, individual computer users continue to send out infected files.
Even as most companies have prevented their networks from spreading the bug, individual computer users continue to send out infected files day after day, with the worm piggybacking on documents ranging from confidential to comical: recipes, shopping lists and lots and lots of resumes. The result is that SirCam is still spreading two weeks after it first cropped up.
"I think this is going into a slow-growth mode, similar to Hybris," said David Perry, global director of education for antivirus software maker Trend Micro. The Hybris worm, which first showed up late last year, has continued to spread, in part because it sends out e-mail slower than the Love Letter or Melissa bugs, which shut down entire corporate e-mail systems.
Reuters reported that a Ukrainian Web site said Thursday it had received secret documents from the administration of President Leonid Kuchma, including an itinerary showing his whereabouts during the country's upcoming independence celebration.
Arthur Baker of North Yorks, Britain, said his computer was rendered unusable after he got hit by the worm on Sunday. Finally, on Thursday, he was able to recover his system by restarting in clean mode, clearing the computer's register file and running an antivirus program.
"My address book was raided, as well as other areas of my computer, and a file on my mother's property...was sent out around the world," Baker said in an e-mail interview. "I had reports of it arriving in Australia, Canada, Scotland..."
Baker even heard from someone at NASA that the agency had received the file, most likely the result of a Space Shuttle page Baker had bookmarked.
According to the VirusEye bug-tracking service run by British e-mail screening service MessageLabs, SirCam has been the most active virus in the last 24 hours, with 7,165 reports, compared with 599 incidents of the Magistr bug. A strain of Hybris ranked third, with 277 incidents reported.
The SirCam worm spreads by e-mailing copies of itself to everyone in the infected computer's Windows address book. It also sends itself to any e-mail addresses contained in the Web browser's cache files, which store recently viewed pages.
An added twist with SirCam is that it sends a randomly chosen file from the infected computer's hard drive, potentially sending confidential business data or embarrassing personal information along with itself. The e-mail subject line matches the name of the file being sent.
The main threats posed by the worm are security breaches from sending possibly confidential documents and the inconvenience of sorting through the torrents of e-mail the worm generates. But SirCam can also perform several destructive acts based on a combination of arcane PC settings and chance. If the infected PC uses the European date format (day/month/year), for example, there is a 1-in-20 chance that the worm will delete all files and folders on the hard drive on Oct. 16.
The worm is also "network aware," Symantec reported, meaning it will search for network resources and attempt to propagate itself to attached systems, making SirCam a particularly strong pest on any corporate systems it infects.
Michael R. Trent, a Web designer and computer science student at Eastern Kentucky University, said a SirCam infection caused cascading problems for him. Antivirus software deleted the bug, he said, "but with the deletion went every ".exe" (executable program) file on our computer," he said in an e-mail interview. "It destroyed our hard drive and also transferred itself to our backup disc that we burn on CD."
Perry said that SirCam, like most bugs, is unlikely to completely disappear.
"Contrary to public opinion, they don't go away because we discover detection for them," he said.
SirCam doesn't appear to be doing much damage to large companies, which are getting tens of thousands of copies of the worm but have been largely successful in preventing infection.
Nonetheless, because the worm mails itself to e-mail addresses found on stored Web pages, many media organizations are among those still battered with the bug. That's one reason Perry thinks it is still getting attention.
"Reporters are being hit repeatedly," Perry said.
Another problem is that infected e-mails often are coming from people unknown to the recipient. As a result, the sender isn't told he is sending out the bug, and the infections continue. Plus, many of those being hit are people on home PCs who don't have updated antivirus software to cure their infection. Even those who have antivirus software often disable it, Perry said.
"They think it slows down their system, and they are right," Perry said. One option he hinted at would be to place antivirus protection directly into the cable modem and DSL routers used for high-speed Internet access.
CNET News.com's David Becker contributed to this report.