Virus Alert!!

[Jack Spencer Jr]

I don't know if this is the right forum for this, but, eh, close enough.

If you've recently received an email from me pblock
eeville@dreamscape.com
asking for help with the attached file

DO NOT OPEN THE ATTACHMENT!

It contains the SirCam worm, an especially nasty little bugger that uses email.

As I write this, I'm using the removal tool from symantec.com.  Hopefully that'll do it.

If you received and already opened said email.  My appologies.  Get rid of it now before it gets out of hand.

If you've received said email but have not opened the attachment or the email.  Check your system anyway.  Better safe than sorry.

On a more general note, any email with the a message asking for help with an attached file is suspect and should be deleted immediately.

mighty pissed off right now.
Jack

[Clinton R. Nixon]

I got a copy of the SirCam worm last night labeled--seriously--risus15.zip.pif. Luckily, I'm using Eudora Pro, but still--it was named after an RPG. These viruses are getting crazy.

[Jack Spencer Jr]

Yeah, that seems to be how this virus works.

What it does from what I've seen is it camps out in your recycling bin in a way that you can't see it, and therefore can't delete it.  It then creates trojans of itself by using the name of files on your hard drive.  This is how I found out about it.  Wherever it gets the email addresses, either randomly or by scanning your system, several of the ones it used were non-deliverable so I had 42 undeliverable messages returned.  They all had attachments with odd names like wb15.doc.pif (the 15th episode of The Wanna Be) or kroz.exe.com (Kingdom of Kroz)

So beware of attachments with two tags.

[Epoch]

Heh.  It's worse than that.

It actually copies those files from your system into the email, and adds its own code to them.  So, if you view the attached files through something safe, like Notepad or a hex editor (do not attempt to auto-execute them by double-clicking on them!), you can see someone else's files.

If you've got confidential information on you machine, this is cause for worry.

Also be aware that there's a 5% chance that it will recursively delete your C drive on October 16th, if you still have the virus at that late date.

[Ron Edwards]

Quick inquiry from a not-especially-savvy computer person:

I did receive the message in question (as mentioned in the Sorcerer forum) but did NOT open the attachment or view it in any way. I deleted its hairy ass most thoroughly.

So ... does that mean I'm still clean, doc?

Best,
Ron

[greyorm]

I did receive the message in question (as mentioned in the Sorcerer forum) but did NOT open the attachment or view it in any way. I deleted its hairy ass most thoroughly.

So ... does that mean I'm still clean, doc?

You SHOULD be...there's no reason that you should have been infected if you didn't open/run the file.  But better safe than sorry.  You can go to Symantec and download and run the fix anyways, just to make sure: http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html

If you're clean, and you should be, it won't do anything untoward to your files; it scans for the virus and lets you know if it finds it, cleans it out if it does.

[Epoch]

You may or may not be.

Some mailers have the highly unfortunate tendancy to open attachments without prompting you.  While this behaviour can be turned off, they are sometimes shipped with it on as default.  (The Outlook family did this for a while, I think, though I'm not sure).

I agree with Greyorm (as advice to anyone who's at all unsure as to whether they've got the virus) -- follow his link, get the tool and scan your system.  It won't take all that long, and it might save your C drive.

By the way, the virus is network aware.  It can and does propagate across shared drives.  So even if you practice excellent email hygiene, if you're on a LAN with people who don't, you might need to beware.