A Flash Developer Resource Site


Thread: VIRUS being sent out by Mesa, AZ FK user

  1. #1
    Senior Bumbler
    Join Date
    Dec 2000
    Posts
    522
    VIRUS being sent out by Mesa, AZ FK user

    Heads up!!!

    I am receiving repeated SirCam virus-laden emails from a fellow Mesa, Arizona FK user. I doubt he/she knows he/she is sending it out. (Check out the message headers below to make sure it's not you.) It's one of those that forwards itself to everyone in your address book.

    The email looks like this:
    ----------------------------
    From: field is empty
    Subject: field varies but I've noticed that it (in my case) has often been the name of a FK movie (i.e. wmenu_in-microcyb-2866)

    Message:
    Hi! How are you?

    I send you this file in order to have your advice

    See you later. Thanks

    Attachment: zip, exe, bat or com file with name similar to the subject field
    ----------------------------

    Symantec has a removal tool at:
    http://www.symantec.com/avcenter/ven...oval.tool.html

    Here are the message headers from my emails:
    Received: from femail17.sdc1.sfba.home.com (24.0.95.144)
    Received: from cx330913-a.mesa1.az.home.com
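
The message description in post #1, turned into a content-based mail check. This is an added example and not part of the original thread. The function names, the two-indicator quarantine threshold and the sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators come from post #1; the two-hit threshold is an assumption.
BODY_MARKERS = ("hi! how are you?", "see you later. thanks")
RISKY_EXTS = {".zip", ".exe", ".bat", ".com"}

def sircam_indicators(raw: bytes) -> list:
    """Return which of the post's indicators a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if not (msg.get("From") or "").strip():
        hits.append("empty-from")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if all(marker in text for marker in BODY_MARKERS):
        hits.append("body-template")
    subject = (msg.get("Subject") or "").strip().lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        if ext in RISKY_EXTS and subject and subject in name:
            hits.append("attachment-matches-subject")
            break
    return hits

def should_quarantine(raw: bytes) -> bool:
    # Assumed policy: any two indicators, so the sender is never required.
    return len(sircam_indicators(raw)) >= 2

def build_sample(sender, subject, body, attachment=None) -> bytes:
    """Construct a test message (constructed data, not a captured sample)."""
    msg = EmailMessage()
    if sender:
        msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()

TEMPLATE = ("Hi! How are you?\n\nI send you this file in order to have "
            "your advice\n\nSee you later. Thanks\n")
WORM_LIKE = build_sample("", "wmenu_in-microcyb-2866", TEMPLATE,
                         "wmenu_in-microcyb-2866.zip")
KNOWN_SENDER = build_sample("friend@example.com", "budget", TEMPLATE, "budget.exe")
BENIGN = build_sample("friend@example.com", "Notes", "Hi! How are you?", "notes.pdf")
```

The `KNOWN_SENDER` sample is still flagged because the check keys on the body template and the attachment name rather than on who the message claims to be from.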

  2. #2
    Moderator
    Join Date
    Aug 2000
    Posts
    1,455
    Thanks for the warning!

    I think the existence of virus writers argues a very good case for legalised slow-and-very-painful torture!

    Regards,

    Steve

  3. #3
    Opal Technologies aqeel's Avatar
    Join Date
    Apr 2001
    Location
    England
    Posts
    267
    i've also got one...

  4. #4
    caithness massiv
    Join Date
    May 2000
    Location
    denver
    Posts
    1,672
    i have received many of these emails...

    i now have a rule created in outlook which instantly deletes anything that comes from this specific address

  5. #5
    FK Robot Wrangler

    Join Date
    Aug 2000
    Posts
    536
    hmmm... some of the dream.in.code guys live out in AZ...

  6. #6

    FK Hardware Freak
    Emperor of Invincible Sand Castles

    Join Date
    May 2001
    Location
    McKinney, Texas
    Posts
    43
    The weird thing is - no one really emails me, so when it gets to them, i don't get sent one also, cause i'm not in their address books!!!

  7. #7
    CapTy99.com Webmaster
    Join Date
    Oct 2000
    Posts
    230
    i'm gonna bump this up. i just got it and a lot of y'all on my buddy list may be getting it so heads up. actually i got it 4 times, so delete each one.

  8. #8
    Senior Member
    Join Date
    Jul 2000
    Posts
    106
    What type of virus is it? Do you have to execute the attachment for it to spread, or is it an embedded object in a html mail or something?

    If it's something like a .vbs file, could someone send me the file? VBS is the language used in ASP and Visual Basic, and I've learnt a lot by reading virus source codes! (such as the ILOVEYOU virus!). I learnt how to use the FSO from the ILOVEYOU!

  9. #9

  10. #10
    Taper Boy for the Prophets of the Funk
    Join Date
    Oct 2000
    Posts
    1,469

    i've gotten it too...

    I've received the message from about 5 people on the boards ....it's a serious virus / worm ....not to be taken lightly...u can read about it here...
    http://www.wired.com/news/technology/0,1282,45427,00.html

    can we do an auto-bump on this? (i know it can't be done...just dreamin')..


  11. #11
    Senior Member
    Join Date
    Feb 2001
    Posts
    263
    I've gotten this email as well.... and every time i delete it a new one pops up... but i blocked sender

  12. #12
    Senior Member
    Join Date
    Mar 2001
    Location
    whistler BC
    Posts
    254
    I have received one from nola moore regarding Pearl Harbor, asking for advice.

    beware

  13. #13
    Super Dominator killabry's Avatar
    Join Date
    Feb 2001
    Location
    NY
    Posts
    418
    wow, everybody is getting it, I haven't checked my e-mail in about a week, so i'm prepared.

  14. #14
    Senior Member
    Join Date
    Aug 2000
    Posts
    264
    I just got loads of them from various AOL accounts in the last 10 minutes alone!

    Don't be fooled that you have received this from someone you know, even if they say they never sent it to you, coz it reads all your email addresses from address books etc and uses its own SMTP server which is used for the email routine to spread itself. You could quite easily be emailing each other constantly without knowing it and sharing .doc, .xls, .zip, and .exe files without you knowing it either! Scary!

    Get rid of it with the fix "wdglide" linked to!

    Stay clean

    Sam

  15. #15
    Senior Member
    Join Date
    Aug 2000
    Location
    New Brunswick, Canada
    Posts
    120
    Please note that if you are Canadian this could be a much more serious virus for you. The details specify that some payloads (Deleting all on Drive C) will only occur if you are using the D/M/Y format. US typically uses M/D/Y and if you never changed your settings once the system was loaded you're probably OK. (Microsoft defaults to US standards of course) But if your system was set up by some tech department, they might have changed them to the Canadian standard of D/M/Y. I know the ones we set up here at work we have to in order for some software to display dates properly and not get confused with a 13th month.

  16. #16
    Senior Member
    Join Date
    Aug 2000
    Posts
    264
    ...and English too i guess!

    I don't know much about the lifespan of this W32.Sircam.Worm@mm , i guess it's down to the code design, but if it was released on Tuesday 17th does anyone know how long it's gonna be a threat / until it dies out to normal security levels?

    Sam

  17. #17
    FK Official Postman
    Join Date
    Apr 2001
    Location
    Rockville, MD / UCSanDiego
    Posts
    827
    Originally posted by Chameleon
    Please note that if you are Canadian this could be a much more serious virus for you. The details specify that some payloads (Deleting all on Drive C) will only occur if you are using the D/M/Y format. US typically uses M/D/Y and if you never changed your settings once the system was loaded you're probably OK. (Microsoft defaults to US standards of course) But if your system was set up by some tech department, they might have changed them to the Canadian standard of D/M/Y. I know the ones we set up here at work we have to in order for some software to display dates properly and not get confused with a 13th month.
    the d/m/y is used worldwide, and usa is one of the only countries that uses m/d/y format.

  18. #18
    Taper Boy for the Prophets of the Funk
    Join Date
    Oct 2000
    Posts
    1,469
    Originally posted by hockinsk
    ...and English too i guess!

    I don't know much about the lifespan of this W32.Sircam.Worm@mm , i guess it's down to the code design, but if it was released on Tuesday 17th does anyone know how long it's gonna be a threat / until it dies out to normal security levels?

    Sam
    I read that there are 2 critical dates...the following is from the article....

    When a machine is infected, the worm computes a random number that has a 1 in 33 chance of triggering an action that will cause the infected computer's hard drive to generate random text that will fill up all the unused space on a hard drive.

    This random-text routine will run each time the machine is started.

    But SirCam also checks to see if the date is October 16. If it is, and if the Windows operating system of the infected computer is using the European date format (day/month/year), then SirCam will again generate a random number.

    This time the stakes are higher, the number has a 1 in 20 chance of forcing the infected machine to delete all the files on its hard drive.



  19. #19
    Senior Member CrashedStar's Avatar
    Join Date
    Jan 2001
    Posts
    197
    i got it too... but the odd thing is i got it to a different email than the one i use on flashkit???

    who knows???

  20. #20
    Senior Bumbler
    Join Date
    Dec 2000
    Posts
    522
    It's not limited to Flashkit. I only mentioned Flashkit because I wanted to warn the infected person. This thing has obviously grown tremendously since my first post.
    [Edited by wdglide on 07-23-2001 at 08:16 AM]
