Sneaky SirCam worm slithers through inboxes


When it comes to the use of social engineering in malware, the SirCam worm must be among the most insidious. The worm propagated itself in the usual way, via email attachment. But SirCam didn’t carry a new email attachment—the typical “invoice” or “delivery confirmation” PDF.

Instead, the worm traveled inside a file plucked from the infected user’s own computer. This means an infected computer might send a user’s entire address book a file that looked legitimate (the latest version of a memo, perhaps), contained confidential information, or was wholly personal and embarrassing. The Russian roulette of viruses, you might say.

Origins of the SirCam worm

SirCam was first identified in the wild on July 17, 2001, around the same time the Code Red virus was causing issues. Although the subject line and attachment varied as SirCam spread, with the subject line drawn from the selected document, the message inside the carrying email did not. The English version read “Hi! How are you?” and “See you later. Thanks,” while the Spanish version stated, “Hola como estas?” and “Nos vemos pronto, gracias.”

The SirCam program contained its own SMTP engine, giving it the power to spread not only to email addresses through Outlook but also to recipients whose data was stored in other programs, such as billing software. If SirCam didn’t find emails on the infected user’s system, the worm sent messages to default email servers in Mexico.

SirCam had another quirk: If an infected machine used European styling for dates—day/month/year—the worm had a 1-in-20 chance of wiping the computer’s hard drive on Oct. 16.

Photo: ozrimoz / Shutterstock