After a week in the wild, the W32.Sircam.worm computer virus is
causing increasing worry among corporate IT users and anti-virus
vendors.
The worm has spread so quickly that the anti-virus vendor Symantec
has upgraded its security warning, giving the virus a Category 4
"severe" rating, up from a Category 3 "moderate" level.
The Sircam worm carries an executable file that unleashes an attack
on the recipient's PC when activated. The damage occasionally
includes the deletion of all files and directories on the C: drive.
System slowdowns also occur as hard-drive space is filled by errant
code carried by the worm.
The worm borrows a random document from the infected PC and places
its name in the subject line of e-mails which it then sends to
people in the user's address list.
Greg Shipley, a security consultant at the consulting services firm
Neohapsis in Chicago, said the proliferation of the worm increased
dramatically over the weekend. "It's spreading quickly, and
anything that's spread quickly is a concern," he said.
Pete Lindstrom, a security analyst at Hurwitz Group, said the worm
was able to infect machines and networks because many employees
could not resist opening up e-mailed executable file attachments
from people they don't know, in spite of repeated warnings from IT
staff.
"The lesson here is you can't expect users to learn," said
Lindstrom. "There's too much fun going on out there on the
Internet."
Instead, he said, the onus for protecting against such attacks
should increasingly be placed on system e-mail administrators, who
can do more to protect users from their own curiosity.
"If e-mail administrators aren't stopping it at the gateway by
plugging known security holes or using software that can detect and
defend against such attacks, then it's dereliction of duty on the
e-mail administrators' side," Lindstrom said.
Ken Dunham, an analyst with SecurityPortal.com, said the worm could
be particularly dangerous to corporate networks because it
replicated quickly and was capable of clogging servers with
outgoing mail. Dunham said he had seen Sircam attachments as large
as 107kb, which, when replicated across large corporate mailing
lists, can cause overloads that can slow down or crash servers.
"It can cause a denial of service (DOS) or distributed DOS attack,"
he said.
Another problem, he said, is that commercial anti-virus scanning
engines are apparently not always identifying the worm as harmful.
"Not all of them are working," he said, adding that user education
was critical if the attacks were to be brought under control. "It
only takes one user to mess it up," he said.