System administrators play Russian roulette with SirCam

The "I Love You" virus may have caught the world's eye, but the latest e-mail enemy, SirCam, is also proving to be no knight in shining armour.

Wrapping itself around a random file on an infected system, the virus generates an e-mail with the subject line the same as the file name. The body is filled with a cheery "Hi! How are you? I send you this file in order to have your advice. See you later. Thanks" - or its Spanish equivalent - before the virus is sent out to everyone listed in the system's address book.

Come October 16 - the virus's payload trigger date - infected systems will be thrown into a game of Russian roulette, with a 5 per cent chance of the worm deleting all files and directories on the C drive, or a 3 per cent chance of it filling all remaining space on the hard disk.

More of an issue, however, is the worm's ability to randomly pluck out a file from the infected system and send it out, raising concerns about confidential documents finding their way into the wrong hands.

This week, for example, Securityfocus.com reported that at least one computer in the FBI's National Infrastructure Protection Center had been infected with the virus, resulting in an FBI file marked "Official Use Only" landing in the lap of several private-sector security professionals.

Given the familiarity of the sender and sometimes of the file name, it isn't hard to work out why the virus is spreading so rapidly, as curious users unwittingly click on the attachment. Since its discovery in mid-July, SirCam has attracted a "severe" rating from security vendor Symantec, while fellow vendor McAfee gave it a "high" security warning.

According to Pete Lindstrom, a security analyst at Hurwitz Group, relying on users to avoid opening suspect files is poor management; there is, he says, "too much cutesie-wootsie stuff out there" that people want to check out.

"The lesson here is you can't expect users to learn," he said, adding that the onus for protecting against such attacks should increasingly be placed on systems' e-mail administrators.

However, this particular virus is hard to track down, because the SirCam worm disguises itself by morphing and adopting different subject lines as it spreads, so antivirus protection alone is not enough.

"If e-mail administrators aren't stopping it at the gateway" by plugging known security holes or using software that can detect and defend against such attacks, "then it's a dereliction of duty on the e-mail administrator's side", he said.
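The gateway check Lindstrom argues for can lean on two traits the article describes: the fixed greeting in the message body, which stays the same even when the subject line changes, and the subject line matching the attached file's name. The following Python script is an added example written for this page, not code from the article or from any vendor; it uses only the standard-library `email` package, the sample messages and `example.com` addresses are constructed, and only the English greeting is matched because the Spanish wording is mentioned but not quoted.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Greeting text quoted in the article for the English-language variant.
# The Spanish variant is mentioned but not quoted, so it is not matched here.
SIRCAM_PHRASES = (
    "i send you this file in order to have your advice",
    "see you later. thanks",
)


def sircam_indicators(raw_message: bytes) -> list:
    """Return the reasons a raw RFC 822 message looks like SirCam (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    subject = str(msg.get("Subject", "")).strip().lower()

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""

    reasons = []
    # The canned body text is the steadier signal: the worm varies the
    # subject line as it spreads, but the article quotes the body verbatim.
    if any(phrase in body for phrase in SIRCAM_PHRASES):
        reasons.append("body contains known SirCam greeting")

    # Second trait from the article: the subject line is the attached file's
    # name. Compare against both the full name and the name without extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem = os.path.splitext(name)[0]
        if subject and subject in (name.lower(), stem.lower()):
            reasons.append(f"subject matches attachment name {name!r}")
    return reasons


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Constructed test message (not a real capture) with placeholder addresses."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    # Attachment bytes are filler, not an executable.
    msg.add_attachment(b"not a real executable", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one shaped like the article's description, one benign.
SUSPECT = build_sample(
    "Quarterly_Budget",
    "Hi! How are you?\n\nI send you this file in order to have your advice\n\n"
    "See you later. Thanks\n",
    "Quarterly_Budget.doc",
)
BENIGN = build_sample("Lunch tomorrow?", "Want to grab lunch at noon?", "menu.pdf")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, sircam_indicators(raw) or "no indicators")
```

A gateway filter built on this would quarantine or strip the attachment when either indicator fires rather than dropping the mail outright, since the subject-equals-filename trait on its own also occurs in ordinary correspondence; the greeting match is the higher-confidence signal, and the two together are what the article describes.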

(Todd Weiss contributed to this story.)
