Helsinki, October 15, 2001 - F-Secure Corporation wants to debunk the media reports warning that the Sircam e-mail worm will activate destructively on October 16th. Sircam has been spreading widely since July 2001, and is currently among the top three infectors worldwide.
Sircam spreads by sending users' private documents to random recipients as e-mail attachments. When such an attachment is opened, the recipient’s machine becomes infected before the contents of the file are shown. After this, the virus continues to spread further via e-mail. The e-mail subject is the name of the attachment file, for example “Salary raises 2002.doc.pif”.
The worm contains complex code, which attempts to activate on October 16. At this time, the worm tries to delete everything from the drive where Windows is installed. However, the activation code contains a serious bug, and as a result the worm does nothing special on this date.
“There’s been a lot of false information on Sircam activation because the code is so complex to analyse”, says Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. “Sircam is one of the most common viruses out there so it is no wonder people are worried. However, this Tuesday won’t be special in any way regarding this virus.”
F-Secure would like to emphasize the importance of up-to-date backups as part of any computer security policy.
F-Secure Anti-Virus detects and removes the Sircam worm.
A technical description and screenshots of the Sircam worm are available online at: http://www.f-secure.com/v-descs/sircam.shtml