Friday August 3, 2001
Sircam Virus Exports Documents, Still Spreading
By Elinor Mills Abreu

SAN FRANCISCO (Reuters) - While the Code Red worm grabs headlines and alarms Internet users around the world, a virus has been quietly wreaking havoc in the background, infecting computers and sending out potentially sensitive files, security experts say.

The virus, dubbed Sircam, is responsible for secret documents being leaked from the administration of Ukrainian President Leonid Kuchma this week to the ForUm news Web site (, site operators said Thursday.

A computer at the FBI (news - web sites)'s National Infrastructure Protection Center became infected with the virus late last month and sent some private, though not sensitive or classified, FBI documents out in emails as a result, officials said.

The virus, which has been rated high risk by most antivirus vendors, was the top-ranking virus in July, with over 38 percent of the share of virus infections, according to antivirus software company Central Command.

The Sircam infestation comes amid global concern over the Code Red worm, which spread across the world's computer networks on Wednesday, but saw its effects blunted by protective software patches installed on many systems.

Unlike Code Red, Sircam has received little public attention even though it has a potentially far more damaging effect. After infecting a computer, Sircam sends copies of itself to all email addresses in the address book and exports a random file, experts said.

The virus has turned out to be both nastier and longer-lived than experts had expected, partly because its appearance changes as it spreads, said Andy Faris, president of MessageLabs Americas.

``It's a much more serious outbreak than most vendors originally forecast,'' said Faris. ``It's the single most prolific virus in our customer base,'' of about 3,000 customers and 500,000 users.

Experts first detected Sircam in July and saw its first peak on July 25. Unlike most viruses that die off after they peak, the number of computers infected by Sircam rose again to spike anew on Tuesday, according to email security outsourcer MessageLabs Americas, raising the possibility that it could jump again.

About 200 different Symantec Corp. (Nasdaq:SYMC - news) customers have reported at least 10,000 infections, said Steve Trilling, director of research.

``That would vastly underestimate the total number of infected computers,'' Trilling said. ``Based on what we've seen I would be surprised if Sircam had only 100,000'' computer infections.

The virus does not target any specific email program, like Microsoft Corp. (Nasdaq:MSFT - news) Outlook, but can affect any email user because it has its own email engine, experts said.

Aside from sending out random files, Sircam can have other harmful effects. Trilling said that, for most infected computers, there was a one in 50 chance the virus would fill up the hard disk drive and a one in 20 chance that it would follow orders to delete files on Oct. 16.

Back To Sircam Virus

Back To The Study