This article originally appeared in TidBITS on 2001-07-30 at 12:00 p.m.
The permanent URL for this article is:
Include images: Off

The SirCam Worm: Email Exhibitionism

by Jamie McCarthy

The SirCam email worm has been pestering me - and vast numbers of other people around the world - all week. Luckily, it has been only an annoyance since I use Mailsmith on Mac OS X and SirCam infects only PCs running Microsoft Windows. Even so, over the last ten days it has managed to coerce infected machines into sending me 250 copies of itself attached to innocuous-sounding documents. At about 200K apiece (with some documents being much larger), we're talking some serious wasted bandwidth and disk space.


How It Works -- SirCam is a bit more clever than earlier viruses or worms that exploit weaknesses in Windows or specific Windows programs. SirCam uses its own SMTP engine to spam itself not just to contacts in its victims' Windows Address Books, but to any email addresses found in their Internet Explorer cache as well. So I've been getting mail from total strangers who just happened to have visited my Web site recently.

This design means that people with high-profile email addresses have been hit a lot harder than others. "CmdrTaco" at the popular geek news and discussion site Slashdot has received about 3,000 copies totalling 600 MB. [Here at TidBITS, we're at about 350 copies so far, but our Web site is read primarily by Mac users who can't be infected. -Adam] So my own red badge of courage, 250 copies, may sound a little lame, but in my defense, that's not counting what I've been getting from my biggest fan, a Prodigy DSL user who has kindly sent me thirty SirCam-generated messages a day since 27-Jul-01.

I don't count the Prodigy user because I run my own mail server, which makes it easy to code up a custom filter (I use the Perl module Mail::Audit). So I've not only been ignoring her mail, but also sending my helpful commentary on how to stop this flood of email directly to the president of Prodigy Communications, thirty times a day. Haven't heard back yet.

[If you don't run your own server and your ISP isn't successfully blocking the SirCam worm, you can reduce the annoyance level by setting your email program to skip messages over 100K; in some programs like Eudora, you can then create filters to look for SirCam-generated messages and delete them from the server (as with all destructive filters, be very careful - I'd recommend invoking them manually until you're certain they're working properly). The body of a SirCam-generated message always contains fixed first and last lines in either English or Spanish, and the attachments always have a .COM, .BAT, .PIF, or .LNK extension (see the Web pages below for details). For those like Jamie who run their own mail servers with filtering capabilities, it's relatively easy to filter out all the SirCam messages because of the similarities between each message. Here at TidBITS, we decided to reject all messages with attachments using those file extensions; however, this approach might create administrative hassles for others. -Adam]

< w32.sircam.worm@mm.html>

SirCam replicates in part thanks to the way Windows and at least some Windows programs (such as older versions of Microsoft Outlook and Outlook Express, but possibly others) operate by default. Although Windows requires filename extensions on all files, it hides those extensions from the user by default, and email programs can do the same. When the worm arrives as the batch file "COVERAGE OF PEARL HARBOR ATTACK.doc.bat" (an actual example), it appears to Outlook users as "COVERAGE OF PEARL HARBOR ATTACK.doc" - seemingly a Microsoft Word document. Double-clicking it opens the document, but while the user is trying to figure out why they've received it, the worm infects the PC.

Even this allegedly user-friendly extension hiding feature (which is slated to appear in Mac OS X 10.1 as well) wouldn't be sufficient to allow exploitation on many systems, but for the fact that older versions of Microsoft Outlook don't warn users that double-clicking an attachment can have serious security implications. Many other email programs do, and in both July of 1999 and June of 2000 Microsoft patched Outlook to warn users of potentially dangerous attachments, but downloading and installing a security patch requires far more attention to security issues than most users are willing to pay.

< articles/Q235/3/09.ASP>

Email Voyeurism -- The cool thing about the SirCam worm is that it disseminates itself within a random file from its victims' desktop or My Documents folder. So every time I receive a copy of SirCam, I also get a peek into a stranger's hard disk.

Normally I'm not the voyeuristic type, but when goodies arrive unbidden, I have a hard time throwing them away. I've had splendid schadenfreudigen fun all week, opening the attachments in BBEdit and reading private files from other people's lives. Some are short and dull, others are long and interesting. I've been trading excerpts with friends over IRC. SirCam has turned into Pokemon: "Gotta catch 'em all!"

Here are just some of my more interesting finds:

I contacted the ironworks applicant and we traded a few email messages back and forth. She doesn't use Microsoft products herself, but the firm she applied to does.

Therein lies the most frightening thing about this worm: her cover letter has been sitting on the ironworks' hard disks for months, and she had no control over its being sent to me. She would never have known if I hadn't dropped her a line.

I honestly don't much mind my inbox being clogged: I have a cable modem and I can filter at the server. But despite my best efforts to avoid Microsoft products - Linux at the server, OpenBSD for a firewall, Mac OS X on my desktop - my privacy may still have been compromised. Many of my friends use Windows, and I trust them to keep secrets about the private information we've shared. The problem is that I can no longer trust their computers. No matter how careful we are, the insecure monocultures of Windows and Outlook turn us all into exhibitionists.

SirCam isn't benign - there's a 1 in 20 chance it will delete all files on infected hard disks on the 16th of October, and on any other day there's a 1 in 50 chance it will fill up infected hard disks. There have been significantly more destructive worms: what makes SirCam special is the way it randomly exposes our private information to the world. Perhaps potential embarrassment will encourage individuals to exercise caution in computing, and also inspire software companies to produce programs that not only protect users but also help them become part of the solution.