Virus Warning

[Spider_Woman]

My daughter has informed me that there is a new virus. Also, imthjckaz heard about it on the news this morning. It is called the Code Red Worm virus, and the subject line says:

“Hola! Como estas?” in Spanish (I don’t think I got the Spanish right; sorry) or “Hello! How are you?” in English. Don’t open any e-mail that says that! I think it also has an .exe in the subject line, but I could be wrong.

My daughter received three copies already, which she deleted.

[AHunter3]

I don’t think that one is the Code Red, Spidey. I’m pretty sure that one is the SirCam worm. And it’s safe to open the email, it just isn’t safe to open the attached file. (This is almost always the case with any virus). I got 4 copies in English. The Spanish versions are less common.

The Code Red virus affects servers running NT and its successors, and is mainly designed to hack the web pages hosted by those servers. It also has a nasty attitude towards Cisco routers, I hear. At any rate, they are two different buggies.

[RealityChuck]

That’s SirCam.

Don’t worry about Code Red. It only affects webservers.

[Spider_Woman]

Shows ya what I know! But anyway, I hope the word gets out, whatever it is. My daughter received the Spanish version. Does it only go to people with web pages (she has a least two)?

Anyway, thanks for the correct information, AHunter3!

----:)/ x o x o x
----///\\

[slortar]

Basically, part of what it does is it scans your browser cache and address book for e-mail messages, and sends copies of itself all over the place. It draws from random files from your hard drive for the subject header and the name of the attachment.

I got 14 copies over the weekend–maybe 50 total since the virus hit. I really hope they track this guy down and make him pay…

[wring]

How ironic is this:

a friend of mine sent me an email to warn me about this, said email warning warned that it attacked through attachments to common emails - of course, she sent it as an attachment.

Sigh.

[CrankyAsAnOldMan]

Yeah, I thought I was all done getting that Sir Cam thing, but today another one arrived. Which makes me total times receiving it to be something like 26.

[lno]

I’ve received absolutely 0 SirCam emails.

I can’t decide if I should be happy that I dodged a bullet, or sad that apparently no one likes me enough to have me in their address book.
[sub]lousy beatniks[/sub]

[slortar]

*Originally posted by LNO *
**I’ve received absolutely 0 SirCam emails.

I can’t decide if I should be happy that I dodged a bullet, or sad that apparently no one likes me enough to have me in their address book.
[sub]lousy beatniks[/sub] **

I could send you a few dozen copies, if you really want. I must have gotten 40 or 50 of the damn things over the last week. Plenty to spare.

[London_Calling]

Quoting from Uncle Bill’s site:

“Who Must Act? Every organization or person who has Windows NT or Windows 2000 systems AND the IIS web server software may be vulnerable. IIS is installed automatically for many applications. If you are not certain, follow the instructions to determine whether you are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows Me, there is no action that you need to take in response to this alert.”

Developer tools, technical documentation and coding examples

[AHunter3]

The quotation that London_Calling is referring to is a quotation about the Code Red virus, not the SirCam worm. Both viruses are under discussion in this thread.

[London_Calling]

Oops, I should have made that clear. Nicely caught, AHunter3.

[Ruffian]

I just sent this out to basically everyone in my address book. Note, this is not the Code Red or Sir Cam virus…it’s just your everyday worm, out to do damage and pass it on:

Most of y’all know that I’m no fan of chain virus-warning emails. The majority of them are fakes, and typically are worded the same way (“don’t even open it!” “it will wipe out your hard drive!” “much worse than ------- [whatever the current virus scare is]!”). These bogus emails are designed to basically create a false panic among those who may not know better (to the author’s amusement, unfortunately), and also have been known to do their own share of damage by bogging down servers with their endless chain-email-effect.

This is very, very real. First, the two most basic rules of internet/email virus protection:

1. Never, ever, EVER download an attached file from an unknown sender, no matter how benign their name/subject may be. This is especially true if the attached file is a .exe file. And…EVEN IF YOU KNOW THE SENDER, BE SUSPICIOUS IF THEIR EMAIL DOESN’T “SOUND” LIKE THEM–AND IF THEY DON’T SIGN THEIR NAME! (this is where virus protection comes in handy–it can scan attached files for you)

2. No matter what chain-email-gossip-urban legend says, you can NOT get a virus just from OPENING an email. Viruses are tranmitted over the Net by not following rule #1. It is simply not possible to get it from reading a letter, and the more tech-savy of you out there would be better at explaining it than I. Let’s put it this way: going to the mailbox won’t let an intruder into your house. Opening your door (downloading a file) will.

That said, here’s what’s happened. Someone close to us had a worm (a more insidious type of computer-damaging virus). This worm came disguised in an email attachment from someone they knew. They downloaded the file, and the worm did two things: 1) it infiltrated their addressbook and sent itself on to everyone in it, and 2) it started doing some serious damage to their computer. All infected files could only be deleted, not repaired.

Both my husband and I received such a self-replicating virus email from the hapless victim and we immediately deleted it after reading its text. (Just to further exemplify rule #2–opening the email did no damage to either of our computers.) The text of the email was very, very suspicious, saying something along the lines of “I send this to you for your input,” or something awkward like that. Unfortunately, I don’t remember the subject header–something about Excel, I think. The email was not signed, and bore no resemblance to this person’s actual writing style. The attached file was a “.exe” file, which likely if not certainly would have infiltrated our address books and come to all of you had we downloaded it.

*[Note: a friend did indeed receive this email and its attached virus the day after I sent this warning. She adds that the text within the email reads:

"Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks"

Is it me, or does that sound like a second-language learner?]*

So–be on the lookout. This kind of self-replicating virus can spread like wildfire, as you might imagine, and it is very possible some of you will see this thing in your mailbox soon.

A final tip…be sure to keep your important files backed up. I’m sure I’m preaching to the choir with some, if not even most of you, but it takes a disaster like this to even remind me it’s back-up time. (That, and it’s also time to update my virus protection software–new viruses come out every month, so I need to download the latest stuff from Norton.)

So, there you have it. Anyone seeing this one come into their mailboxes?

[AHunter3]

Ruffian–that’s SirCam!

[Spider_Woman]

Thanks for the advice.

[techchick68]

Just to help with this, here is the official Microsoft warning on this worm:

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

-----BEGIN PGP SIGNED MESSAGE-----

---

The Microsoft Security Response Center, along with other
organizations listed below, is jointly publishing this alert that
ALL IIS ADMINISTRATORS ARE ASKED TO READ

A Very Real and Present Threat to the Internet:
July 31 Deadline For Action

Summary:

The Code Red Worm and mutations of the worm pose a
continued and serious threat to Internet users. Immediate action
is required to combat this threat. Users who have deployed
software that is vulnerable to the worm (Microsoft IIS
Versions 4.0 and 5.0) must install, if they have not done so
already, a vital security patch.

How Big Is The Problem?

On July 19, the Code Red worm infected more than 250,000 systems
in just 9 hours. The worm scans the Internet, identifies
vulnerable systems, and infects these systems by installing
itself. Each newly installed worm joins all the others causing
the rate of scanning to grow rapidly. This uncontrolled growth
in scanning directly decreases the speed of the Internet and
can cause sporadic but widespread outages among all types of
systems. Code Red is likely to start spreading again on
July 31st, 2001 8:00 PM EDT and has mutated so that it may be
even more dangerous. This spread has the potential to disrupt
business and personal use of the Internet for applications such
as electronic commerce, email and entertainment.

Who Must Act?

Every organization or person who has Windows NT or Windows 2000
systems AND the IIS web server software may be vulnerable.
IIS is installed automatically for many applications. If you
are not certain, follow the instructions attached to determine
whether you are running IIS 4.0 or 5.0. If you are using
Windows 95, Windows 98, or Windows Me, there is no action that
you need to take in response to this alert.

What To Do If You Are Vulnerable?

a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection:
Install Microsoft’s patch for the Code Red vulnerability problem:

• • Windows NT version 4.0:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
• • Windows 2000 Professional, Server and Advanced Server:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

Step-by-step instructions for these actions are posted at
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/itsolutions/security/topics/codeptch.asp

Microsoft’s description of the patch and its installation,
and the vulnerability it addresses is posted at:
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/security/bulletin/MS01-033.asp

Because of the importance of this threat, this alert is
being made jointly by:

Microsoft
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBO2Wpgo0ZSRQxA/UrAQFQeQgAgmva53MJdjGF4u4oFXcAJICgf+1YTd1n
IJ7XIPPjTFkc5/8Fqe0lbFY7ZeBNAvGGI276RPkebmTz1WAJ08MNe9uvMJAuyULw
nOU8sMIO7S0Z5Z65/UYow0ui2qLVdmioqf809RAydHPdj1GINU0yDNS1HwwfjZia
0wBN+GjyjbdMU6bgMadoMdRgvCwdx2Jzr8ExAnFeNtLxRjwct3mv23bCrln1h80I
4awW0GPPd5iFzLIZX+QVh9/qkPdYm3SD1e8rs8GK69dub1AsVoKdXea+EHb3YckO
9XfuZdhxy6I+PnZJ8woSSNqtuZ2zKuS+q4kdPt0Abh0ToCbR4jK91A==
=a2a5
-----END PGP SIGNATURE-----

---

You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

Look, as it is, we average users shouldn’t have a problem with this worm…as far as I can tell it’s not a high warning virus for average users.

But still, keep up on your virus protection, never open a file sent to you from someone you don’t know, double check the file name…aka if you see a file that says blahblahblah.doc.rol or blahblahblah.doc.vbs, chances are it’s a bad file. If if said “blahblahblah.doc” you might be okay assuming that there aren’t any macro viruses…but if you didn’t ask for it, it has an extra dot in the file name or from someone you don’t know, it’s virus.

Keep an eye on Symantec’s and McAfee’s websites and you will be aware of problem viruses and worms that are hitting the net.

[nightshadea]

this sir cam is a net version of whats known as the buddy list virus on aol

what it does is it copies your buddy list and sends every one a file attachment that says " hi heres my pic finally "

but the odd thing is it dosent do anything thats been reported so current thought is its just a " see what i made virus" or its a screen name harvester for junk mail
the kid probably graduated from aol to the net with this dumb thing

[Ruffian]

You were right, AHunter…I actually hadn’t hear its name yet when I emailed the letter, and the descriptions here just didn’t sound familiar at the time.

We’ve been sent Sircam-attached emails twice more since the original emailing. I sent out this update:

Okay, we have learned this is the “Sircam” virus circulating around. Brian’s actually been sent it again by another friend, and a friend of mine received the virus (but fortunately deleted it) two days after I sent the email.

Information about Sircam (as well as Norton’s tools for its removal) are located here: http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
It’s a fascinating read. The thing goes through your MyDocuments folder, snags a document, and attaches itself to it before sending itself through your address book. The text of the email, verbatim, is also listed here. (It’s also listed in Spanish! Apparently, it gets around!)