SirCam Virus-Infected E-Mail Floods ARRL, Other Ham Sites

From the ARRL...


NEWINGTON, CT, Jul 27, 2001--More than 1000 SirCam virus-infected e-mails have showed up at ARRL Headquarters over the past week, many of them sent from members' computers and likely without their knowledge. Hundreds more continue to arrive daily, according to Andy Shefrin of the ARRL's Information Systems Department. The virus has not been limited to individuals' computers nor to ARRL. At least one piece of infected e-mail came from an FCC address. All have been trapped by virus software.



Rick Ruhl, W4PC, the president of Creative Services Software, an Amateur Radio software developer in Alabama, says hams need to update their virus checkers--or get one--to help stop spreading this virus. Ruhl says CSS has seen hundreds of SirCam e-mails over the past 72 hours. "It's not a benign virus at all," he said. "Quite the contrary, it will destroy files on your hard disk."



Shefrin says ARRL checks its virus protection on a daily basis and applies updates as needed, although the flow of SirCam mail has continued unabated into the Headquarters e-mail server. "It's pretty bad," he said, "but our confidence is high that we'll withstand it." He said all PC users should be on the alert for any e-mail with an attachment, even if it comes from someone you know. He also recommended installing virus protection software.



Security application service provider McAfee.com has called W32/SirCam@MM "a high-risk virus for consumers." Opening the attachment on an e-mail can spread the virus onto a recipient's computer. Once SirCam infects a PC, the virus proceeds to send e-mail with an infected attachment (chosen at random from the user's hard drive) to addressees it finds on the PC's address book.



Infected e-mail can come from familiar addresses--which, Ruhl points out, means recipients often just open the e-mail attachment without thinking--but the "Subject" line varies, and the file attached might have different extensions. Infected e-mail has arrived in both English and Spanish.



The tipoff is a message that reads along the lines of "Hi! How are you? I send you this file in order to have your advice. See you later. Thanks." or "I hope you can help me with this file that I send," or, sometimes, "I hope you like the file that I send you," and even, "This is the file with the information that you ask for. See you later. Thanks."



A typical Spanish version might read, "Hola como estas ? Te mando este archivo para que me des tu punto de vista." or "Espero me puedas ayudar con el archivo que te mando."



According to McAfee, the virus searches for .gif, .jpg, .jpeg, .mpeg, .mov, .mpg, .pdf, .png, .ps, and .zip files in the "My Documents" folder and attempts to send copies of these documents to e-mail recipients found in the Windows address book and to addresses found in cached files.



McAfee offers additional information--including how to rid a computer of the SirCam virus--at its Web site.



Ruhl says the CSS site managed to dodge a denial-of-service attack by another Internet menace, the Code Red worm--sent out this week to attack the White House Web site. "Fast action from our Network Administrator, Sydney, KF4WGU, made sure that the server was secured from it," Ruhl said. Additional information on the Code Red worm is available from Cnet.