Smart social engineering helps virus spread

As of this writing, my computer's trash can contains 18 e-mail messages received since July 17 from 13 people containing the Sircam worm, in its various guises, both in English and Spanish. As I have written previously, I am not particularly fond of antivirus software and, although I realize its importance and usefulness, I do not have such software permanently active on my system. It wouldn't have been useful in this case as the virus spread more rapidly than the antivirus countermeasures, as so often happens. What I do rely on is this rule: I do not open messages from unknown senders or those that have unexpected attachments.

This time, however, I confess I had a hard time resisting the temptation. This worm employs such a variety of deceptive techniques that even wary and vigilant computer users might fall prey.

First trick: The worm is bilingual. If you live in an English-speaking country, you'll probably receive its English version. However, if you live in Latin America or Spain, you'll probably get the Spanish version. This is just a statistical probability, however, as the Internet has no national or language boundaries. But the differing versions increase the chance the worm will spread. I have a top-level (not national) e-mail address, and my trash can has eight Sircam-infected messages in English and 10 in Spanish -- a fairly proportional distribution, for such a small sample.

Second trick: The worm is loquacious. Besides being bilingual, each time it reproduces, the worm displays a different set of catchy, click-inducing phrases: "I send you this file in order to have your advice" or "I hope you can help me with this file that I send" or "This is the file with the information that you ask for." But it is easy to spot, once you know that the first and last lines are always the same: "Hi! How are you?" and "See you later. Thanks." Casual enough, however, to make you think they come from an old acquaintance.

Third trick: A different subject line and attachment each time. This is probably the most deceptive and one of the most dangerous features of this cunning worm. Each time, the worm selects a different file from the infected machine and attaches itself to it. Then, it copies the file name (without extension) to the subject line. My trash can contains four messages from a certain "Johana C.," each with a different attachment and subject line: "CK," "Jobs and Professions," "Tegucigalpa," "Cooperativa."

Fourth trick: The worm keeps the file's innocent-looking extension (.txt, .jpg or .doc) and adds an executable extension of its own (.exe, .lnk, .com or .pif). This dangerous second extension, however, is often hidden by the Windows operating system. The trick is already well known, having been used by a variety of worms since the infamous "Love letter."
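The traits described in the second, third and fourth tricks (fixed first and last lines, a subject copied from the attachment name, and a decoy extension followed by an executable one) can be turned into a simple mail-filter check. The following is an added example, not code from the original article: it scans one message with Python's standard email library and reports which of the described traits it finds; the message it scans is constructed for the demonstration.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Signature strings the article reports as constant in every Sircam message.
OPENING = "Hi! How are you?"
CLOSING = "See you later. Thanks."
# Innocent-looking extensions the worm keeps, followed by the executable ones it appends.
DOUBLE_EXT = re.compile(r"\.(txt|jpg|doc)\.(exe|lnk|com|pif)$", re.IGNORECASE)


def sircam_indicators(raw_message: bytes) -> list:
    """Return the article-described traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    lines = [ln.strip() for ln in body.get_content().splitlines() if ln.strip()] if body else []
    # Second trick: the first and last lines never change.
    if lines and lines[0] == OPENING and lines[-1] == CLOSING:
        hits.append("fixed greeting and sign-off")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Fourth trick: decoy extension followed by an executable one.
        if DOUBLE_EXT.search(name):
            hits.append("double extension: " + name)
        # Third trick: subject equals the attachment name with all extensions stripped.
        if subject and subject.lower() == name.split(".")[0].lower():
            hits.append("subject mirrors attachment name: " + subject)
    return hits


def build_message(subject: str, body: str, filename: str) -> bytes:
    """Build a constructed test message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder bytes, not worm code", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed sample mimicking the traits the article lists.
SAMPLE = build_message(
    "Tegucigalpa",
    "Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later. Thanks.\n",
    "Tegucigalpa.doc.pif",
)

if __name__ == "__main__":
    for hit in sircam_indicators(SAMPLE):
        print(hit)
```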

The worm has several names: Sircam.A, W32/Sircam, or Sircam.worm@mm. According to security experts, the worm continues spreading at an alarming rate after first being discovered on July 17. By now, the infection has reached about 95 countries and hundreds of thousands of computers. Symantec Inc. has upgraded the threat level of Sircam from 3 to 4, due to its increased rate of submissions, according to Symantec's Web site. A Monday report from the specialized ISP MessageLabs anticipates continued spreading, mainly in the Americas, Great Britain and Spain.

The worm "is having an especially high incidence in Spanish-speaking countries, helped by the fact that it 'speaks Spanish', and the infection rate is now higher than the well-known Hybris and Magistr worms," said security expert Bernardo Quinteros, head of the Spanish site Hispasec.

The malicious payload of the worm is dangerous, especially for users of the international date format (day/month/year), as it is programmed to "consider" erasing the entire contents of the victim's C drive on July 16, according to Quinteros, or on Oct. 16, according to the Symantec web site. There is a 1-in-20 chance of this actually occurring, as the cunning worm "throws the dice" -- that is, it executes a randomizer routine -- on the designated date, to decide whether or not to erase the disk. The fact that for now the erase action is limited to systems using the international date format reinforces the suspicion that the worm was created in a Spanish-speaking country. However, this could be changed in a future version of the worm, increasing its danger.

The worm presents other dangers:

-- SMTP (Simple Mail Transfer Protocol) server overload. Because the worm picks any of the victim's files at random, it often transmits very large files, which can clog up networks. "Because this worm attaches a file of arbitrary length to itself, it can cause denial of service attacks on the message recipient," MessageLabs said. "This results in large files being mailed out by the worm, causing bandwidth problems for sender and receiver. The largest file we have stopped so far was 107 Mb."

-- Compromised confidentiality. Because the worm chooses its attachments at random from the victim's files, it can spread files of any type, including highly confidential ones. "I have personally received samples with sensitive corporate files that are very easy to display," Quinteros said. "It is just necessary to remove the virus code lines that are inserted at the beginning of the file in order to get the original file."

-- Hard drive congestion. After having reproduced itself many times, the worm enters a self-reproducing mode on the same computer, which slowly fills up the victim's hard drive. Eventually, the whole system will stop working.

-- Network congestion. The worm is "network aware." It can explore the LAN and propagate itself to networked computers, even if they are not directly connected to the Internet.

-- Extensive changes to the Windows registry. In order to control its own behavior, the worm creates a Registry key of its own, and it modifies another one that allows it to run each time Windows runs and to attach itself to executable files. "When I realized what was happening I immediately downloaded the Norton updates and eliminated the virus. But the havoc it wreaked is still there: I can open no programs -- none -- directly, but instead must click on files to start my programs," said Alan Hynds, a Mexico-based translator, who opened the attachment on Sunday morning. "(I'll have) a technician come this afternoon to reformat my hard drive."

Worm and virus writers are continually topping themselves. The still-unknown writer of Sircam has cunningly combined effective computer programming with social engineering and bilingualism. Antivirus software, by its very nature, always arrives somewhat late. What else is in the works, lurking in the dark? We are in for more nasty surprises.
