Preventing SirCam From Worming Through Your Server
This time of year is perfect for fishing, especially for me. And it's not just because the ice is melted and I'm an open water fisherman from Wisconsin, but also because I administer servers.
Every day for the past week or so, I have received 25 to 30 e-mails in my inbox that all begin the same: "Hi! How are you?" Most likely you too have received these e-mails, and if you haven't, you've probably seen them documented somewhere.
For those who have not yet seen W32Sircam, we describe the latest widespread e-mail virus (disseminated in Spanish as well as English). The subject line of the infected e-mail is random, based on the name of the file that is attached. The body will resemble this:
| First line | Hi! How are you? |
| Second line (one of these, chosen at random) | I send you this file in order to have your advice |
| | I hope you can help me with this file that I send |
| | I hope you like the file that I send you |
| | This is the file with the information that you ask for |
| Last line | See you later. Thanks |
These e-mails, and others like them, are the product of an e-mail-based worm -- AKA a server administrator's worst nightmare. Usually worms are bait for fishing, and on languid sunny days I think of worms in such a way. However, my job requires me to seek and destroy the most friendly of fishing annelids that pass through my server to clog up bandwidth and cause potential security breaches.
What makes SirCam particularly potent is that it is a worm with its own SMTP engine, and it loves to spread like wildfire. SirCam sends a random document from the user's PC with one of these file extensions added to it: .bat, .com, .lnk or .pif. Once a PC is infected, it will search for networked computers and spread itself through Windows file sharing. Typical virus scanners are not equipped to stop it from spreading.
The worm will not run indefinitely; after running 8,000 times, it will stop functioning on the host computer.
Thus, SirCam is becoming as big as "I Love You" or "Melissa" in terms of infection. Symantec has upgraded this worm's threat level to 4 on a 5-point scale.
Adding to the potential damage is that users whose PCs are infected with the worm have a supposed 1 in 20 chance of having their hard drives wiped on October 16, 2001, if they use a Day/Month/Year format for dating files.
Preventing the Damage
Obviously, prevention is the best medicine when dealing with worms and other virus types.
Most importantly, DO NOT open any attachments that come with an e-mail that says "Hi! How are you?" and make it clear that users SHOULD NOT open any such messages.
In addition, as with all mass virus scares, it is important to update your virus scanners with the most recent virus definition files. Generally, these definitions are available on the Web site of the vendor that developed the virus scanner. Almost all major vendors already have a virus definition file that will detect and eliminate any instances of SirCam. However, these will not fix an already infected system.
GFI offers a virus scanning solution aimed toward future similar infections: an e-mail content checking gateway at the mail server level. GFI claims its solution is capable of warding off SirCam and other similar viruses.
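As an added illustration of mail-server-level content checking (not GFI's product or code, and not part of the original article), the following Python sketch applies only the indicators described above: the fixed first and last body lines and the .bat, .com, .lnk or .pif extension added to the attached document. The function names, the verdict labels and the sample message are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from this article: fixed first/last body lines and the
# executable extension SirCam adds to the attached document.
FIRST_LINE = "Hi! How are you?"
LAST_LINE = "See you later. Thanks"
ADDED_EXTENSIONS = (".bat", ".com", ".lnk", ".pif")
SAMPLE_BODY = FIRST_LINE + "\nI hope you like the file that I send you\n" + LAST_LINE + "\n"

def suspicious_attachments(msg):
    """Return attachment names that carry an added executable extension."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        stem, dot, ext = name.rpartition(".")
        # Flag names like "report.doc.pif": a listed extension on top of another.
        if dot and "." + ext in ADDED_EXTENSIONS and "." in stem:
            hits.append(name)
    return hits

def body_matches(msg):
    """True when the plain-text body opens and closes with the SirCam lines."""
    body = msg.get_body(preferencelist=("plain",))
    if body is None:
        return False
    lines = [ln.strip() for ln in body.get_content().splitlines() if ln.strip()]
    return bool(lines) and lines[0] == FIRST_LINE and lines[-1] == LAST_LINE

def verdict(raw_bytes):
    """Quarantine on a flagged attachment; matching body text alone only flags."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    names = suspicious_attachments(msg)
    if names:
        return ("quarantine", names)
    return ("flag" if body_matches(msg) else "deliver", [])

def sample_message(filename, body=SAMPLE_BODY):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["Subject"] = "budget"
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(verdict(sample_message("Budget.DOC.PIF")))
```

The attachment check is deliberately the stronger signal, since the body text is easy to encounter in ordinary mail and changes with the language of the message.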
If your organization should get infected by SirCam, the removal process can be nerve-racking and hair-splitting. Manual removal requires knowledge of DOS commands and file attributes. A complete guide on how to remove SirCam can be found at http://www.antivirus.com/vinfo/virusencyclo/default5.asp?Vname=_TROJ_SIRCAM.A.
Antivirus.com offers a DOS program file that will do most of the dirty work, including scanning and file deletion.
If you're really pressed for time, programs are available that will remove a virus or worm from your system. I find that in the long run, however, it is far more effective to invest money up front in preventing viruses, as that reduces the time required for removing them and other costs on the back end.
This story first appeared on ServerWatch, an internet.com site.