Re: Sircam

From: Pete Sherwood (petersherwood@home.com)
Date: 07/27/01


Message-ID: <013f01c116db$ff9b47e0$0d01a8c0@sherwood>
From: "Pete Sherwood" <petersherwood@home.com>
To: "Stan Lee (OBU-MY)" <Stan_Lee@trend.com.tw>
Subject: Re: Sircam
Date: Fri, 27 Jul 2001 16:37:47 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----- Original Message -----
From: "Stan Lee (OBU-MY)" <Stan_Lee@trend.com.tw>
To: "Dom De Vitto" <dom@devitto.com>
Cc: <vuln-dev@securityfocus.com>; <SECURITY-BASICS@securityfocus.com>
Sent: Friday, July 27, 2001 12:08 AM
Subject: RE: Sircam

> Hi all,
>
> do you guys think that scanning and cleaning is what you need to do for
> this virus??? [snip]

YES! Anyone who does not would be foolish! Are you suggesting that people
NOT do this? I'm having a hard time figuring out why you would say this.

> [snip] What if i suggest to STOP the coming of this virus at all????

Good idea. However, since the explanation of SirCam [falsely called
"troj...", it is NOT a Trojan!] on the Trend Micro web site fails to
include the date Trend received their first sample, the date and time they
created their first signature for the malware and any dates/times they had
to update the signature because the original signature failed to catch
something missed the first time it was analyzed, I personally find the
Trend information less than adequate. Personally, it does not instill
confidence for me. I want/need that information in order to do my AV
Analyst role effectively!

> You should use a solution that sits on the internet gateway, right after
> the firewall, to STOP all troj_sircam.A at the gateway..

Would you allow people to have Anti-Virus / Anti-Spam on the SMTP gateways
or does it have to be "right after the firewall"?

> for more detail please visit Trend Micro's site at : www.antivirus.com

Feels like an advertisement for Trend's products to me.

I also find the article(s) on the Trend site inadequate. It fails to state:
1) the malware sends up to 8,000 email messages
2) comes with English subjects and Spanish bodies and vice versa
3) scans entire networks (not just shares the system knows about) looking
for vulnerable systems

I didn't go any further than that ....

> Stan

[snip]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO2HQ67omytMtxLfsEQKe5wCfUHtu5dpdBtPRQCl5rzOkD5G+0JMAoNj1
ACeJookUGncG374A3Yq/jF/N
=B1qS
-----END PGP SIGNATURE-----