Issue No. 353

26 July - 1 August 2001

Dangerous worm strikes unprotected businesses

by David Kelleher

A dangerous worm, described as an “industrial espionage worm”, could prove highly damaging to unprotected businesses, the Malta Business Weekly has learnt.
Two anti-virus companies told this newspaper that the Sircam worm, also known as W32/SirCam-A, steals commercially sensitive or personal documents from infected computers. It then forwards these files to all of the infected user’s email contacts.
A spokesman for Sophos, represented in Malta by Shireburn, said that Sophos has already received over 200 reports of the worm from corporates and predicts it may be one of the year’s hardest-hitting viruses.
“This worm is capable of ‘scooping up’ documents and spreadsheets from your hard drive and forwarding them to everyone in your address book,” said David Catania, marketing manager of Shireburn, local distributors for Sophos.
“Your credibility could be seriously compromised if personal or highly sensitive documents end up in a competitor’s inbox. Users should keep their anti-virus protection up to date and be wary of all unsolicited attachments if they want their integrity to remain intact,” he said.
A spokesman for Technology in Management (TIM Ltd), sole distributors for McAfee, said many local users had received dozens of copies a day.
“Its infection routine can not only compromise confidential material on your system; improper removal can cause an inability to launch any .EXE (including program files) on your system,” he said.
The worm has a malicious payload (action) on the infected system. In one out of 20 cases, on 16 October it will delete the contents of the local drive on which Windows is installed. In one out of 50 cases, on any day of the year, the SirCam virus will create a file in the hidden \Recycled\ folder named sircam.sys and repeatedly append test strings in that file until the hard drive space is filled to capacity.
According to McAfee, the SirCam worm spreads via email in either Spanish or English. A considerable number of Maltese users are believed to have opened the virus.
Great care should be used when removing the virus manually. Because of the manner in which the worm registers itself on the system, any attempt to launch an .EXE file (including program files) will result in a call to the worm which will in turn pass control to the .EXE file.
“While manual removal of the worm is possible, proper precaution is imperative. If the worm file is deleted without first making the necessary modification to the registry, .EXE files will not launch on the system, effectively rendering the system unusable.”
Malta-based GFI, developer of Mail Essentials for Exchange/SMTP, an email content checking and anti-virus solution, yesterday warned that because the SirCam worm can disguise itself by morphing and adopting different Subject lines each time it spreads, anti-virus protection alone is not enough.
“The current assault by the new SirCam email virus – a fast-spreading destructive worm – is a fresh reminder that organisations can only be safe against email attacks such as this if they have installed an email content checking gateway at email server level,” GFI said.
“This latest development in the sphere of harmful email worms highlights the need for full corporate protection against email attacks and viruses,” stressed Nick Galea, GFI CEO.
“The fact that the SirCam worm is more sophisticated and less definable to the user because it morphs itself means that organisations must apply safeguards against viruses at email server level.”

  © Standard Publications Limited 1999