Yeah, it's the SirCam virus all right... thankfully only 3 PCs here have gotten it so far, and it gets cleaned easily.
-----Original Message----- From: Philip S Tellis [mailto:philip.tellis@iname.com] Sent: Tuesday, July 24, 2001 1:09 PM To: Linux Users Subject: [ILUG-BOM] [OT] Possible virus, can anyone confirm
I received a file named Book3_26.xls.pif in my mail. I suspect this to be a virus because of the way the filename is masked to show up as an Excel sheet in default Windows installs.
IMPORTANT: This was sent to me by someone who has my address in their address book. Anyone using Windows and having my address in your address book, please check your system.
The virus is probably harmless through mail because of a stupid problem. There's an extra = at the end of the base64-encoded file, which means it cannot be decoded, at least not by standards-compliant decoders. OE may still decode it. Don't know about NSMessenger. A simple inspection of the attachment tells you that. I extracted the file and ran strings on it. It gave me this:
BFD: BFD internal error, aborting at coffcode.h line 763 in styp_to_sec_flags
BFD: Please report this bug.
This seems to be a problem with strings. (strings on Solaris works.)
I then ran file on it and found it to be a Win32 executable (surprise!).
I then ran less on the file to see what was in it.
I found a lot of things, including the following (edited to fit):
Content-Disposition: quoted-printable 8bit 7bit octet-stream plain mixed Content-Transfer-Encoding: ; charset= ; boundary=" Content-Type: application mixed _Outlook_Express_message_boundary Outlook Express MIME messages encoding and decoding X-Mailer: Microsoft Outlook Express X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 MIME-Version: 1.0 date: Organization: Subject: To: From:
along with three-letter abbreviations of the days of the week and months of the year and a lot more. Specifically, there are a lot of references to Winsock.dll and common TCP/IP errors, but I have been unable to determine whether it just uses the file or tries to replace it. I believe it may be the former, though its size (173KB) seems to suggest it does a lot more than just send email.
Towards the fourth quarter of the file, I found actual Excel stuff.
Now, look at the header of the mail:
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed; boundary="----147B2E70_Outlook_Express_message_boundary"
Content-Disposition: Multipart message
and the attachment headers:
------147B2E70_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text
Hi! How are you=3F
I send you this file in order to have your advice
See you later=2E Thanks
------147B2E70_Outlook_Express_message_boundary
Content-Type: application/mixed; name=Book3_26.xls.pif
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=Book3_26.xls.pif
Also, the terminating message boundary is identical to the others, instead of having a trailing -- as specified in 822 (I think).
Looks pretty suspicious to me. I checked at Symantec; it's been recorded as W32.Sircam.Worm, last updated this morning.
Check http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html for more details.
Philip
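Philip's triage above (the .xls.pif double extension, the stray "=" that breaks standards-compliant base64 decoding, the missing "--" on the closing boundary, and the MZ executable header) can be automated. The script below is an added example, not code from the original thread or from anyone on the list. SAMPLE is constructed from the headers Philip quoted (same boundary string, same attachment name); its attachment body is a made-up 15-byte stub, not the worm. The document/executable extension lists are the editor's own heuristics, and the strict padding check is implemented by hand so the result does not depend on how forgiving the platform decoder happens to be.

```python
"""Automate the checks Philip did by hand on the SirCam mail.

Added example, not code from the original thread. SAMPLE is constructed from
the headers quoted in the mail; the attachment body is a fake stub, not the
worm. Extension lists are heuristics (editor's assumption).
"""
import base64
import binascii
import email
import re

DOCUMENT_EXTS = {"xls", "doc", "ppt", "pdf", "txt", "jpg", "gif", "zip"}
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "lnk", "vbs", "js"}

# Constructed payload: 15 bytes -> 20 base64 chars, so a valid encoding
# carries no '=' at all. We then append one stray '=' as Philip observed.
_STUB = b"MZ\x90\x00fake-stub!!"
_B64 = base64.b64encode(_STUB).decode("ascii") + "="

SAMPLE = "\n".join([
    "X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400",
    "X-Mailer: Microsoft Outlook Express 5.50.4133.2400",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="----147B2E70_Outlook_Express_message_boundary"',
    "Content-Disposition: Multipart message",
    "",
    "------147B2E70_Outlook_Express_message_boundary",
    "Content-Type: text/plain; charset=ISO-8859-1",
    "Content-Transfer-Encoding: quoted-printable",
    "Content-Disposition: message text",
    "",
    "Hi! How are you=3F",
    "",
    "I send you this file in order to have your advice",
    "",
    "See you later=2E Thanks",
    "------147B2E70_Outlook_Express_message_boundary",
    "Content-Type: application/mixed; name=Book3_26.xls.pif",
    "Content-Transfer-Encoding: base64",
    "Content-Disposition: attachment; filename=Book3_26.xls.pif",
    "",
    _B64,
    # Final delimiter repeats the others; RFC 2046 requires a trailing "--".
    "------147B2E70_Outlook_Express_message_boundary",
]) + "\n"


def double_extension_lure(filename):
    """Return (shown_ext, real_ext) for names like Book3_26.xls.pif, where a
    default Windows install hides the last extension and shows a document."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS:
        return parts[1], parts[2]
    return None


def strict_base64_ok(text):
    """RFC 4648 padding rules enforced here, independent of the platform
    decoder: alphabet only, whole quanta, '=' only at the end, and exactly
    the pad count the data length requires (0, 1 or 2)."""
    s = re.sub(rb"\s+", b"", text)
    if not re.fullmatch(rb"[A-Za-z0-9+/]*={0,2}", s) or len(s) % 4:
        return False
    pads = len(s) - len(s.rstrip(b"="))
    return {0: 0, 2: 2, 3: 1}.get((len(s) - pads) % 4) == pads


def triage(raw):
    """Parse a raw RFC 822 message and report the SirCam-style indicators."""
    msg = email.message_from_string(raw)
    report = {"missing_close_boundary": False, "attachments": []}
    boundary = msg.get_boundary()
    if boundary:
        lines = {line.rstrip() for line in raw.splitlines()}
        report["missing_close_boundary"] = ("--" + boundary + "--") not in lines
    for part in msg.walk():
        name = None if part.is_multipart() else part.get_filename()
        if not name:
            continue
        info = {"name": name, "lure": double_extension_lure(name),
                "strict_base64": None, "lenient_decoded": 0, "mz_header": False}
        if part.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
            b64 = re.sub(r"\s+", "", part.get_payload(decode=False))
            info["strict_base64"] = strict_base64_ok(b64.encode("ascii", "replace"))
            try:
                data = base64.b64decode(b64)  # a forgiving client ignores the stray '='
            except binascii.Error:
                data = b""
            info["lenient_decoded"] = len(data)
            info["mz_header"] = data[:2] == b"MZ"  # DOS/Win32 executable header
        report["attachments"].append(info)
    return report


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE))
```

Run it and the report shows all four indicators at once: the lure name pair ("xls", "pif"), strict_base64 False, yet 15 bytes recovered by the lenient decode starting with MZ, and no closing boundary. The last two points together are the practical lesson of Philip's mail: a malformed attachment is only "harmless" for recipients whose client refuses to decode it, so the check you want in a mail gateway is the strict one, applied before anything forgiving gets a look at the bytes.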
----- Original Message ----- From: "John Fernandes" johnf@is3c.com
Yeah, it's the SirCam virus all right... thankfully only 3 PCs here have gotten it so far, and it gets cleaned easily.
-----Original Message----- From: Philip S Tellis [mailto:philip.tellis@iname.com] Sent: Tuesday, July 24, 2001 1:09 PM To: Linux Users Subject: [ILUG-BOM] [OT] Possible virus, can anyone confirm
<full message quoted here>
Ouch! Please edit what you're quoting to be relevant.
---
Tushar Burman
GNU/Linux/*BSD evangelist, friend to animals.
tb@freeos.com
icq: 112803958 y!: tusharburman msn: tusharburman aolim: tusharburman
---