Re: Win32.Sircam.Worm Alert - Report from Argentina
From: Mariano Vassallo (anakin@edunexo.com)
Date: 07/25/01
- Previous message: cdowns: ".ida Win2k IIS 5.0 English No SP."
- In reply to: Kimberly Anne McKinnis: "Re: Win32.Sircam.Worm Alert....."
- Next in thread: Arturo \: "RE: Win32.Sircam.Worm Alert....."
- Next in thread: Eric D. Williams: "RE: Win32.Sircam.Worm Alert....."
- Next in thread: Meritt James: "multi-OS infections (was Re: A code red that could bring down the net?"
Message-ID: <004b01c1151a$ee647ae0$1614a8c0@edumente.com>
From: "Mariano Vassallo" <anakin@edunexo.com>
Subject: Re: Win32.Sircam.Worm Alert - Report from Argentina
Date: Wed, 25 Jul 2001 12:03:15 -0300

I think the subject is not random, but it's the name of the document (be it
a .doc, .zip, .xls or whatever) that the worm attaches to itself before it
sends emails. In the cases I've seen, the subject is the same as the
attachment's name.

The message asks the recipient for his opinion about the attachment, and
since the file comes from the sender's hard disk, the recipient usually
opens it (if he doesn't realize that the file extension is .doc.pif or
.zip.pif, and even if he does, many people don't know what a .pif file is).
I think it also uses the .bat extension, but I'm not sure.

I've seen both the English and the Spanish version. If you examine the file
with Notepad, there's a string saying it was made in Mexico. I think both
versions are in fact the same, and it must be checking Windows settings to
know whether to propagate in English or Spanish.

Last thing I wanted to say is that this virus has spread in Argentina very
fast during this week (I first found it in a friend's home PC on the 18th).

----- Original Message -----
From: "Kimberly Anne McKinnis" <elf@nauticom.net>
To: "rudi carell" <rudicarell@hotmail.com>
Cc: <epic@hack3r.com>; <vuln-dev@securityfocus.com>;
<SECURITY-BASICS@securityfocus.com>
Sent: Tuesday, July 24, 2001 1:25 PM
Subject: Re: Win32.Sircam.Worm Alert.....
> Actually... the subject is random. The body, however, is consistent. See these
> sources for more info:
>
> http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
>
> http://vil.mcafee.com/dispVirus.asp?virus_k=99141&
>
> http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A
>
> http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A
>
> http://www.sophos.com/virusinfo/analyses/w32sircama.html
>
> http://www.europe.f-secure.com/v-descs/sircam.shtml
>
> http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?operacion=FichaVirus&idVirusFicha=1911&pestanaFicha=1
>
> http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010718-000010
>
> rudi carell wrote:
>
> > ..subject varies between
> >
> > "Wedding List"
> >
> > and
> >
> > "Reference Letter Peggy"
> >
> > yfyi.
> >
> > rc
> >
> > >Friday morning I received an email from a friend, it looked as though he
> > >was sending me a .doc to look over. To my dismay, it was a worm that had
> > >infected him.
> > >
> > >I have found little information about this worm, Mostly located at
> > >http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
> > >
> > >The Worm will come from someone that has you on their contact list, and
> > >will have a different subject line determined by the attached file.
> > >
> > >The text will read in English as:
> > >
> > >Hi! How are you?
> > >
> > >I send you this file in order to have your advice
> > >
> > >See you later. Thanks
> > >
> >
> > rudicarell@hotmail.com
> > security@freefly.com
> > http://www.freefly.com/security/
> >
> > _________________________________________________________________
> > Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
>
> --
> kimmie mckinnis
> http://www.starjewel.org
> icq:186072/aol:starbreiz
>
>
>
---------------------------------------------
Service provided by EDUNEXO
---------------------------------------------
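
As an added example (not part of the original thread): a mail-gateway heuristic for the two traits described in the message above, the `.doc.pif`-style double extension and a subject equal to the attachment's name. The extension sets, function names and sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Final extensions that Windows executes. Only .pif and .bat come from the
# post (the author is unsure about .bat); extend per your gateway policy.
EXECUTABLE_EXTS = {".pif", ".bat"}
# Document-looking extensions the post names as the visible, decoy part.
DECOY_EXTS = {".doc", ".zip", ".xls"}

def split_double_ext(filename):
    """Return (stem, decoy_ext, final_ext) with lower-cased extensions."""
    name = filename.strip().rstrip(". ")  # Windows drops trailing dots/spaces
    rest, final_ext = os.path.splitext(name)
    stem, decoy_ext = os.path.splitext(rest)
    return stem, decoy_ext.lower(), final_ext.lower()

def score_message(raw):
    """Return [(filename, [reasons])] for attachments worth quarantining."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        stem, decoy, final = split_double_ext(filename)
        if final not in EXECUTABLE_EXTS:
            continue
        reasons = ["executable-extension"]
        if decoy in DECOY_EXTS:
            reasons.append("double-extension")
        if stem.lower() == subject:
            reasons.append("subject-matches-attachment")
        findings.append((filename, reasons))
    return findings

def build_sample(subject, filename):
    """Constructed sample message with one placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Hi! How are you?")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    print(score_message(build_sample("Wedding List", "Wedding List.doc.pif")))
    print(score_message(build_sample("Minutes", "minutes.doc")))
```

The subject match is only counted when the final extension is already executable, so an ordinary document whose name happens to equal the subject is not flagged.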