The Forge Reference Project

 

Topic: Virus Alert!!
Started by: Jack Spencer Jr
Started on: 7/26/2001
Board: Site Discussion


On 7/26/2001 at 7:22am, Jack Spencer Jr wrote:
Virus Alert!!

I don't know if this is the right forum for this, but, eh, close enough.

If you've recently received an email from me pblock
eeville@dreamscape.com
asking for help with the attached file

DO NOT OPEN THE ATTACHMENT!

It contains the SirCam worm, an especially nasty little bugger that uses email.

As I write this, I'm using the removal tool from symantec.com. Hopefully that'll do it.

If you received and already opened said email, my apologies. Get rid of it now before it gets out of hand.

If you've received said email but have not opened the attachment or the email, check your system anyway. Better safe than sorry.

On a more general note, any email with a message asking for help with an attached file is suspect and should be deleted immediately.

mighty pissed off right now.
Jack

Message 375#3367


On 7/26/2001 at 2:17pm, Clinton R. Nixon wrote:
RE: Virus Alert!!

I got a copy of the SirCam worm last night labeled--seriously--risus15.zip.pif. Luckily, I'm using Eudora Pro, but still--it was named after an RPG. These viruses are getting crazy.

Message 375#3372


On 7/26/2001 at 4:56pm, Jack Spencer Jr wrote:
RE: Virus Alert!!

Yeah, that seems to be how this virus works.

What it does from what I've seen is it camps out in your recycling bin in a way that you can't see it, and therefore can't delete it. It then creates trojans of itself by using the name of files on your hard drive. This is how I found out about it. Wherever it gets the email addresses, either randomly or by scanning your system, several of the ones it used were non-deliverable so I had 42 undeliverable messages returned. They all had attachments with odd names like wb15.doc.pif (the 15th episode of The Wanna Be) or kroz.exe.com (Kingdom of Kroz).

So beware of attachments with two tags.

Message 375#3375
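
Added example, not part of the original thread: a check for the "two tags" attachment names described in the post above, run over a parsed mail message. The executable-extension list, the function names and the sample message are assumptions constructed for illustration; the first three attachment names are the ones quoted in this thread.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, non-exhaustive list of extensions Windows executes directly.
EXECUTABLE = {"pif", "com", "exe", "bat", "cmd", "scr", "lnk", "vbs"}

def double_extension(filename):
    """Return (decoy, real) when a name has two tags and the last one is
    executable, e.g. 'wb15.doc.pif' -> ('doc', 'pif'); otherwise None."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 3:
        return None  # zero or one tag: not the pattern described here
    decoy, real = parts[-2], parts[-1]
    if decoy and real in EXECUTABLE:
        return decoy, real
    return None

def suspicious_attachments(raw_message):
    """List (filename, decoy, real) for every flagged part of a raw message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2231 / quoted filenames
        found = double_extension(name) if name else None
        if found:
            hits.append((name, *found))
    return hits

def build_sample():
    """Constructed sample message; attachment bodies are harmless placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Constructed sample body.")
    for name in ("wb15.doc.pif", "kroz.exe.com", "risus15.zip.pif",
                 "notes.tar.gz", "Report.PDF", "photo.JPG .SCR"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, decoy, real in suspicious_attachments(build_sample()):
        print(f"{name!r}: looks like .{decoy}, runs as .{real}")
```

Names such as notes.tar.gz have two tags but a non-executable final one, so they are not flagged; padding between the tags (as in the last sample name) is normalised before the check.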


On 7/26/2001 at 8:53pm, Epoch wrote:
RE: Virus Alert!!

Heh. It's worse than that.

It actually copies those files from your system into the email, and adds its own code to them. So, if you view the attached files through something safe, like Notepad or a hex editor (do not attempt to auto-execute them by double-clicking on them!), you can see someone else's files.

If you've got confidential information on your machine, this is cause for worry.

Also be aware that there's a 5% chance that it will recursively delete your C drive on October 16th, if you still have the virus at that late date.

Message 375#3383


On 7/26/2001 at 9:15pm, Ron Edwards wrote:
RE: Virus Alert!!

Quick inquiry from a not-especially-savvy computer person:

I did receive the message in question (as mentioned in the Sorcerer forum) but did NOT open the attachment or view it in any way. I deleted its hairy ass most thoroughly.

So ... does that mean I'm still clean, doc?

Best,
Ron

Message 375#3385


On 7/26/2001 at 9:52pm, greyorm wrote:
RE: Virus Alert!!


> I did receive the message in question (as mentioned in the Sorcerer forum) but did NOT open the attachment or view it in any way. I deleted its hairy ass most thoroughly.
>
> So ... does that mean I'm still clean, doc?

You SHOULD be...there's no reason that you should have been infected if you didn't open/run the file. But better safe than sorry. You can go to Symantec and download and run the fix anyways, just to make sure: http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html

If you're clean, and you should be, it won't do anything untoward to your files; it scans for the virus and lets you know if it finds it, cleans it out if it does.

Message 375#3386


On 7/26/2001 at 10:34pm, Epoch wrote:
RE: Virus Alert!!

You may or may not be.

Some mailers have the highly unfortunate tendency to open attachments without prompting you. While this behaviour can be turned off, they are sometimes shipped with it on as default. (The Outlook family did this for a while, I think, though I'm not sure).

I agree with Greyorm (as advice to anyone who's at all unsure as to whether they've got the virus) -- follow his link, get the tool and scan your system. It won't take all that long, and it might save your C drive.

By the way, the virus is network aware. It can and does propagate across shared drives. So even if you practice excellent email hygiene, if you're on a LAN with people who don't, you might need to beware.

Message 375#3389
