[Esa-l] Re: anyone seen this before

Brett Glass brett at lariat.org
Fri Jul 20 15:10:21 PDT 2001


At 03:53 PM 7/20/2001, Matt Hallmark wrote:
  
>Based on the subject line, and this writeup, I'd hazard that it's the
>Sircam worm.
>
>http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html

I think it is. See

http://www.zdnet.com/zdnn/stories/news/0,4586,2792260,00.html

http://www.zdnet.com/zdnn/stories/news/0,4586,2792223,00.html

Note that it hides in the "Recycle bin", where some antivirus
programs don't look for malware, and can infect via network
shares as well as via e-mail. Finally, it apparently leaks
documents from the infected machine.

It spammed the OpenBSD Tech list half a dozen times from one
infected machine. If it does this to every address in one's
address book without checking for duplicates, it probably 
releases quite a flood of e-mail when it infects.

Not a nice piece of code at all. Fortunately, it'll probably
be caught by the double-extension trapper in John's sample
"poisoned" file.

--Brett
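As an added illustration (not code from Brett's message, from John's sanitizer, or from the list), here is one way a double-extension attachment trap of the kind mentioned above can be expressed in Python. The executable and document extension lists, and the sample MIME message, are my own assumptions, not taken from the original post.

```python
import email
import os
from email import policy

# Final extensions Windows will run when double-clicked. This list is an
# assumption for the example, not taken from the sanitizer or the post.
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".bat", ".lnk", ".scr", ".vbs"}
# Extensions a recipient expects on an ordinary document (also assumed).
DOCUMENT_EXTS = {".doc", ".xls", ".zip", ".txt", ".pdf"}


def is_double_extension(filename):
    """True when the name ends in an executable extension and the part
    before it already carries a document-style extension (file.xls.pif)."""
    base, last = os.path.splitext(filename.lower())
    if last not in EXECUTABLE_EXTS:
        return False
    _, prev = os.path.splitext(base)
    return prev in DOCUMENT_EXTS


def flag_attachments(raw_message):
    """Walk a MIME message and return attachment names the trap catches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if name and is_double_extension(name):
            flagged.append(name)
    return flagged


# Constructed sample message (not a real capture): one trapped attachment,
# one benign text file.
SAMPLE = """\
From: sender@example.com
To: list@example.com
Subject: anyone seen this before
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain

Please look at the attached file.
--xyz
Content-Type: application/octet-stream; name="Budget.xls.pif"
Content-Disposition: attachment; filename="Budget.xls.pif"
Content-Transfer-Encoding: base64

AAAA
--xyz
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain text
--xyz--
"""

if __name__ == "__main__":
    print(flag_attachments(SAMPLE))  # ['Budget.xls.pif']
```

A plain single-extension executable such as setup.exe is deliberately not caught by this check; a real filter would also want a separate rule for those.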


