"Today looks like it's going to be our biggest day yet for this virus," Mark Sunner, chief technology officer at British e-mail filtering company Message Labs, said Friday. "It should drop off over the weekend, but I would imagine we'll see a big upsurge on Monday that will probably beat this week's numbers.
"This one has a lot of staying power because it's using a multilevel approach," Sunner said.
The SirCam worm, which surfaced last week, spreads by e-mailing copies of itself to everyone in the infected computer's Windows address book. It also sends itself to any e-mail addresses contained in the Web browser's cache files, which store recently viewed pages.
An added twist with SirCam is that it sends a randomly chosen file from the infected computer's hard drive, potentially sending confidential business data or embarrassing personal information along with itself. The e-mail subject line matches the name of the file being sent.
The document feature has helped SirCam catch e-mail users unaware. Other infections, such as Love Letter and Anna Kournikova, have sent multiple copies of the same message. Each SirCam message is different from the others, based on the document it appends itself to. Even e-mail users aware of the virus may click on what looks like a legitimate message, especially if the attached document looks interesting.
"From the social-engineering point of view, the fact that it was using multiple messages--you couldn't just look for an 'I love you' header--helped keep this going," said Vincent Weafer, director of software maker Symantec's AntiVirus Research Center. "And in many cases the documents that are sent out have intriguing titles. People are going to be curious."
Indeed, SirCam-infected documents sent to CNET News.com have included such hard-to-resist titles as "SIS--cocaine business," "Madame handing over note" and "Any man of mine."
Weafer was more hopeful that SirCam has had its heyday, especially as users of home PCs--where the virus is most active now--have time to install and update antivirus software over the weekend.
"We'll see it being one of the top viruses for the next couple of weeks," he said. "But I would expect the number of infections to go down quite a bit over the next week."
Meanwhile, virus writers will be busy studying and imitating some of the features that helped SirCam spread. Besides propagating itself via purloined documents and trolling the browser's cache file for addresses, SirCam is notable for having its own SMTP e-mail program, allowing it to operate independently of e-mail software on the infected PC.
SirCam also takes its time. Instead of sending a barrage of messages all at once, as most mass-mailing viruses do, SirCam picks just one address each time it's activated, leaving fewer telltale signs of an e-mail attack.
"By doing e-mail addresses one at a time, it creates a lot of confusion about where the virus is coming from," Sunner said. "It makes this one much more surreptitious."
Expect to see virus writers copy this and other SirCam attributes.
"None of these things are new," Weafer said, "but whenever we see a virus that uses a technique that's fairly successful, it's a given you're going to see those ideas used again."