Watch what you get in your E-mail!
Lately, I've been getting E-mail with attachments sent with different sender names. This is my third one now. The sender e-mail this time was "Slayer" <slayer@slayer.screaming.net>. This person is sending a file attachment that's been infected with the W32.Sircam.Worm@mm virus. Fortunately, it was detected right away by my system. Just be careful, all of you!
MrBaseball
08-21-2001, 10:24 PM
Just wondering... what anti-virus program did you use to detect it?
MrBaseball
08-21-2001, 10:29 PM
Thanks.
socalgal
08-21-2001, 10:29 PM
Yeah I got a few the last couple days, too.
I reply telling them they're infected with SIRCAM, they're spreading it and send a link to the relevant Symantec sircam site...
After getting four more from the same person, I added her to the Block Sender list.
RobRich
08-21-2001, 10:59 PM
Excellent advice here, especially as Sircam variants seem to be on the rise.
Personally, I haven't been infected yet, though many have tried. BTW, I use no active AV scanning.
Robert Richmond
Is there a special reason why you don't use auto-protect, Rob?
[This message has been edited by NDC (edited 08-21-2001).]
RobRich
08-22-2001, 12:49 AM
Not really, I just use the common sense to email attachments. If it is not in an acceptable file format from a trusted source, then it goes straight to the multipass DOD approved file deleter.
Robert Richmond
wyvrn
08-22-2001, 05:00 AM
Sircam is easy to spot because of multiple extensions. Last week I got over 50 of those emails, until I finally got some of my friends to clean their systems. I was getting 5 or 6 from each person daily. Yahoo mail is great at weeding out viruses in emails too.
vass0922
08-22-2001, 05:41 AM
We got Sircam sent to our webmaster email address, I replied to the guy saying he sent us a virus... he had NO clue how it got our email address!
I didn't open it, I've worked tech support long enough to see a few donkeys opening these files to be able to spot them.
Not to mention the topic was pretty funky anyways "I have a few pictures could you please look at them for me" huh!?!? lol
And as wyvern said, the multiple extensions are a dead giveaway (MAKE sure you have "Show file extensions" or whatever it is checked!!)
When it came here, it came with a .jpg.pif extension. (I believe)
It appears that they can come in all types of extensions. Most of them seem to have the *.doc extension though...Mine were always DOC.
wyvrn
08-22-2001, 08:22 AM
I had gotten .doc.pif, .doc.bat, .doc.exe, .doc.com, and so on. Yahoo always shows the file extensions and has a virus scanner, which is a major reason I mostly use web email. Usually the people don't know they are sending the email to you; the virus checks the address book and performs the service free of charge.
conjh13
08-22-2001, 10:39 AM
It doesn't just send them to people in your address book!
Say you got an email from joeb@hotmail.com (these are all sample emails). JoeB, however, did not send this email to just you. He also sent it to jacks@hotmail.com, fredp@yahoo.com, and dannyt@yahoo.com. Now let's say you get the Sircam virus from somebody. Well, what it does now is it goes through your emails, and sends the virus to not only joe, but also jack, fred, and danny. Whether they're in your address book or not doesn't matter. Sircam doesn't care.
Thus it can send your files with the virus to people you have no clue who they are. Pretty appealing to have your credit card number sent to hundreds of strangers, eh? It's happened.
MiKe85
08-22-2001, 11:01 AM
That is strange because I haven't gotten any "funny" attachments in any of my e-mails...YET
Mntsnow
08-23-2001, 12:34 AM
Mike, just so you can say you got one, I will be happy to forward a few on to you if you would like them.
surrealchereal
08-23-2001, 12:45 AM
Is there a special reason why you don't use auto-protect, Rob?
Because, HE is a man who flaunts with danger, a man who walks on the edge with no fear..
Actually everyone is talking about suspicious attachments, but what the heck is it? *.what? *.die? *.dip?
It's not *.exe so what is it?
Scorpio69
08-23-2001, 01:55 AM
You should be careful with any attachments. I just cleaned this thing from four 'puters at work. If it's a worm, it automatically sends itself. It may come from a trusted source. Also, some of these are also coming in as "Unable to deliver" or "Destination unreachable". Pretty sneaky, because most people would not hesitate to open one of these.
vass0922
08-23-2001, 05:06 AM
Because, HE is a man who flaunts with danger, a man who walks on the edge with no fear..
That's the kind of guy that gets cool chicks. LOL
jjstanl1
08-23-2001, 06:09 AM
Sircam also scans all of your cached web pages for email addresses and sends itself to those people, not to mention the fact that it can infect other computers on your network that have open network shares. However, I believe it only affects Win9x machines. NT/2000 boxes are unaffected.
^hyd^
08-23-2001, 09:37 AM
To add to the list of extensions (as mentioned by wyvrn), I've also seen *.doc.lnk, as well as *.xls.bat/com/exe/pif/lnk
I like to say: if you don't know who it's from, what it is, or if it looks suspicious, get rid of it!! But I also believe it's human nature to be curious, so sometimes people just click away!!
Seems like I'm similar to RobRich, I have McAfee installed and updated, but it's never running!! I only use it if I feel I need it!! ...I hate background apps!!
ciao!
Bovon
08-23-2001, 10:46 AM
I'm one of those that never opens any attachment that I do not know who or why it was sent to me. If it has a double extension, it is deleted immediately, and the return addressee is informed that they are infected.
Before I upgraded to NAV 2001, I have had ZoneAlarm catch a couple...that was good, but I would not have opened them anyway. Now that I have NAV checking mail during D/L, it has caught several.
I don't care for the background apps running myself, but I am one of the old farts that was taught many years ago that an ounce of prevention is worth a pound of cure.
RobRich
08-23-2001, 05:57 PM
I have never run an active scan engine on any of my systems, ever. I do good to actually run a file scan every few weeks.
BTW, I really enjoy the nearly 20 viruses and trojans sent to my mailbox since my last post. To whom it concerns, better luck next time.....
Robert Richmond
[This message has been edited by RobRich (edited 08-23-2001).]
Hawkeye178
08-23-2001, 11:04 PM
Thanks for the heads up NDC, and everyone else, my sisters would probably open it if I didn't know about this.
P.S. What's a double extension?
Thanks,
Hawkeye178
Active scanning is a must. Without it, simply previewing a message can run vb scripts that can give you a virus. It's just not responsible to not use AV software...Rob...You hear me?
Even if you're lucky and no virus gets through...you might end up visiting a LAN party, and some slob is running a virus that finds and uses available hidden share access to distribute itself, you're hosed.
Robrich...I am saying you should really consider using an AV program.
RobRich,
I have a simple question. Since you openly boast you don't use an AV, are there people out there intentionally trying to infect your system now?
surrealchereal
08-24-2001, 04:36 PM
Sircam also scans all of your cached web pages for email addresses and sends itself to those people,
Is that something that works with all email programs? I know with mine, Pegasus, I always know what's going out, because it tells me how many I have in queue. I then choose when to send.
Wouldn't virus attacks to any email addys be in line like everything else?
surrealchereal
08-24-2001, 04:39 PM
These policies have been violated only a few times, and strangely, those were the times that viruses appeared.
You mean those were the times people got caught because they did have a virus.
Scorpio69
08-24-2001, 09:40 PM
Speaking of spreading across a LAN, make sure if you are networked on a LAN, you either disable file sharing (if possible), or at the very least password protect any shared drives. This is how SirCam spread here at my work. One person got the email, and it found its way to three other boxes. Oops!
Another one from "Andre Waldon" <waldons4@earthlink.net> to add to the WANTED LIST!
It's always the same message!
Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
P.S. What's a double extension?
2001 Ad Campaign.doc.bat
Here's a perfect example of what a double extension file would look like. Please do thank Andre for sending me this sample file!
Fingers
08-25-2001, 04:12 AM
NDC and I have received similar emails containing the SirCam virus.
Beware of any message containing the text:
Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
Mine had the file eepedit.zip.pif attached, but SirCam has many variations.
Check out this PCWorld article about SirCam
Sircam Worm: Crawling Fast but Easily Crushed (http://www.pcworld.com/news/article/0,aid,56284,00.asp)
[This message has been edited by Fingers (edited 08-25-2001).]
howste
08-26-2001, 11:50 PM
I got two this weekend from Susan Irlbeck <KKAZALA@nc.rr.com> with the same message as above. Each had two attachments, one with a .txt and the other a .dat extension. Even though I have McAfee running all the time, they looked suspicious so I ran a manual virus scan. Sure enough, it said they were infected with the W32/SirCam@MM virus. I think this is the first time that I've ever had a virus emailed to me. Unfortunately I'm sure it won't be the last...
sharder8
08-27-2001, 12:05 AM
Well, you can add me to the recipient list! I received an e-mail from someone I don't know with the attachment "NDEdit.exe"! Needless to say, it was the "PE-MAGISTR.DAM" in disguise!
It didn't get far before it was eliminated (no infection) thanks to PC-cillin! I did reply back to let them know they'd sent it and how to get a "FREE" house call from the Doc. I just hope their system survives long enough to save!
Harder
DaHazeMan
08-29-2001, 03:23 PM
For all those who suspect they might have the SirCam virus, Norton (http://www.norton.com) has an easy-to-use SirCam removal utility available for download. I'm not a Norton person - my PC-Cillin works great at home - but this utility came in handy at work.
Apparently the SirCam virus will also mix and match the name and ISP portion of the email address - for example: if my address was Joe@yahoo.com, and one of the people in my address book was Ray@hotmail.com, Sircam may change my (the sender) address to Joe@hotmail.com. We saw this phenomenon many times at work.
And yes, it travels across open network connections. All you have to do is put a simple password on them and it's stopped. I had an open connection at work - for simplicity. Now it's password protected - no secret though...the password is the same as the computer's identity. This just prevents SirCam from travelling.
One thing for you to tell others that you know are infected: Make sure they clean out their browser cache, even if they can't delete the virus immediately. If you're getting multiple emails from the same infected person's computer, chances are that their own email address shows up in either their address book (some people do this for some reason!), the To field in other emails that SirCam scanned through, or on a website stored in their Temporary Internet Files folder.
And DON'T use Outlook Express! There is virtually NO security for VB scripts in emails...ESPECIALLY if the preview window is used. Personally, I use Eudora at home, and we use Pegasus at work. Haven't had any problems with either of them.
And as for the title of this thread...most Sysopt members DO have the common sense to "Watch what you(they) get in your(their) E-mail"!!
Many people got viruses in attachments at our institute last week, but all of them were successfully detected by AVP monitor. AVP couldn't kill them automatically, therefore it was necessary to delete all messages manually. But the final result of using AVP monitor is a stable system without infected or damaged files. And what would happen without it? Most users would open the attachments and activate the virus. And the virus program would do things like deleting both of the HDD FATs and flashing the BIOS. And the final result: at best, many hours of work to restore the system; at worst, good-bye to many years of work.
[This message has been edited by Mosc (edited 09-04-2001).]
falcompsx
09-05-2001, 02:35 PM
why would you open anything from anyone you don't know?
I had the same problem with getting Sircam sent to me.
If you are using Outlook Express, there is an easy fix.
Simply create a message rule, where if the message body contains "I send you this file in order to have your advice" to delete it.
Works Great.
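The two checks posters describe in this thread (an executable extension behind a document-style extension, and the fixed message body used in the Outlook Express rule above), combined in Python. This is an added example, not part of any post; the function names, placeholder addresses and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Final extensions posters in this thread report on Sircam attachments.
EXECUTABLE_EXTS = {"pif", "bat", "exe", "com", "lnk"}
# Body line quoted in the thread (English variant only).
BODY_MARKER = "i send you this file in order to have your advice"

def double_extension(filename):
    """Return (decoy, real) for names like x.doc.bat, else None."""
    parts = filename.strip().rstrip(".").lower().split(".")
    # Skip names such as tool.1.0.exe where the middle part is a number.
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and not parts[-2].isdigit():
        return parts[-2], parts[-1]
    return None

def triage(raw_bytes):
    """Return the reasons a raw RFC 822 message matches the thread's signs."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        # Collapse whitespace so a re-wrapped body line still matches.
        text = " ".join(body.get_content().lower().split())
        if BODY_MARKER in text:
            reasons.append("body contains the known Sircam text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hit = double_extension(name)
        if hit:
            reasons.append("attachment %r is really .%s, not .%s" % (name, hit[1], hit[0]))
    return reasons

def build_sample(filename, body):
    """Build a constructed test message; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    text = ("Hi! How are you?\nI send you this file in order to have your advice\n"
            "See you later. Thanks\n")
    for reason in triage(build_sample("2001 Ad Campaign.doc.bat", text)):
        print(reason)
```

The phrase match covers only the English text quoted in this thread; posters also report a Spanish version and attachments with a single .exe, .txt or .dat extension, which these two checks do not flag.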
doubleclick
09-05-2001, 06:08 PM
A lot of you are talking about different AV-Programs they use to detect/delete new viruses like the SIRCAM virus.
I bought Panda Antivirus about 2 years ago with an update permission of 1 year. I would have to pay a not so small fee to get another year of virus updates.
Does there exist any FREE antivirus which updates frequently? Would help a lot.
Oh, and I received a Spanish version of the Sircam. It's sitting right now in the trashcan :-)
Nighthawk
09-06-2001, 12:13 AM
I am on the webmaster list on a UNIX box for a pretty-well visited school site. We got a few of these, but majordomo thoughtfully tries to add the attachment at the bottom as text, which doesn't work too well with word documents.
It sure does make for a LONG email, though, when you have PAGES AND PAGES of gibberish at the bottom.