[Esa-l]re: anyone seen this before

Brett Glass brett at lariat.org
Fri Jul 20 15:10:21 PDT 2001

At 03:53 PM 7/20/2001, Matt Hallmark wrote:
>Based on the subject line, and this writeup, I'd hazard that it's the
>Sircan worm.

I think it is. See



Note that it hides in the "Recycle bin", where some antivirus
programs don't look for malware, and can infect via network
shares as well as via e-mail. Finally, it apparently leaks
documents from the infected machine.

It spammed the OpenBSD Tech list half a dozen times from one
infected machine. If it does this to every address in one's
address book without checking for duplicates, it probably 
releases quite a flood of e-mail when it infects.

Not a nice piece of code at all. Fortunately, it'll probably
be caught by the double-extension trapper in John's sample
"poisoned" file.


More information about the esd-l mailing list