I send you this file in order to have your advice.
July 21, 2001 8:46 AM   Subscribe

I send you this file in order to have your advice. The Sircam worm is spreading at an unbelievable rate, with two interesting bonuses. First, it mass-mails itself to e-mail addresses located in browser cache files (so webloggers with e-mail addresses on their sites are vulnerable). Second, it infects and attaches a random document to the e-mail. If you're careful, this makes it the most entertaining worm yet. (More inside...)
posted by waxpancake (50 comments total)
 
If you're careful, you can open up the attached document with a hex editor and read people's personal documents. (Be aware that the document is INFECTED, so only try this if you know what you're doing. And don't come running to me.)

I've received the worm FOUR times in the last 24 hours, to various e-mail addresses I've posted online. Each one had a different payload... So far, I've received a Philosophy 101 essay about Alan Turing and artificial intelligence, a real estate transaction about a house in New Hampshire, a Spanish erotica story, and an Excel document with some salary information inside. Very entertaining.

Whatever you do, DON'T double-click the file to open it. Open it by starting your hex editor or text editor first, then open it using the "File: Open" menu in the editor. I've been using UltraEdit to read them, and it's worked fine.
posted by waxpancake at 8:51 AM on July 21, 2001


Would you please post the Spanish erotica story (if it is in English).
posted by Postroad at 9:06 AM on July 21, 2001


Security through obscurity thank you... This very slick virus reminds me of the Hybris virus which modifies winsock in order to send the virus to any email address that passes through the ip stack. As the administrator of a large mailing list, that damn thing was the bane of my existence for a couple of months. If the infected person was the only person on our mailing list with the domain listed in the mail headers, I would always send them a note about the virus. It's funny that no one ever replies with a thank you.

--> waits eagerly to hear what other prurient tidbits are received by MeFiers...
posted by machaus at 9:10 AM on July 21, 2001


i have to say, i have not gotten the virus once yet. which is probably because no one ever emails me. so, you know, that's a good thing in a way.
posted by moz at 9:15 AM on July 21, 2001


Last Wednesday, one of my old addresses got bombarded probably 8 times, same message, from the same person, with different names on the attachment, all meant to look like real attachments. My main email got a few yesterday, I did check out one of the attachments in a text editor, but didn't dig deep to see what was in it.
posted by mathowie at 9:17 AM on July 21, 2001


I just got it - and a ONE MEG file was attached (I'm on a slow dial-up too - bleh!) Luckily, my policy is to not open any attachments if I don't know what they are or why someone is sending them to me (esp. if they're that big). Sorry - not savvy enough to open it and find out what was in it - heh heh.

I use Pegasus Mail, and although I know most viruses etc. are set to attack Outlook and Pegasus isn't usually vulnerable, I still don't open 'em. Thanks for posting this right when I needed it! :-) (MeFiers are my heroes - LOL).
posted by thunder at 9:19 AM on July 21, 2001


thunder: see, that's why i gave up on email programs and stick to webmail or shells.

the random document is anything it finds in your "My Documents" folder (or anything from your "My Pictures" folder). Wired has a good article on it that goes into a bit more detail than wax's.

luckily, i store my spanish erotica in another directory.
posted by moz at 9:36 AM on July 21, 2001


Sorry, I already deleted the Spanish erotica. But I just received an Excel document in Spanish:

"SALDO EN BANCO (Al 30 de Setiembre del 2000)- SALDO EN LIBROS (Al 30 de Setiembre del 2000) CONCILIACION BANCARIA BANCO BCT CHEQUES NO CAMBIADOS PRESTIGE RESORTS INC. Cuenta 2552"
posted by waxpancake at 9:52 AM on July 21, 2001


I just want to thank Microsoft for making such a hilarious yet pathetic attempt at an operating system.

I hereby redub any version of Windows "The Microsoft Virus & Worm Runtime Environment"

Note that I'm not advocating any other OS - they all suck. It's just that Microsoft OS's suck galactic masses through buckytubes.
posted by hadashi at 9:56 AM on July 21, 2001


well, that explains it. i thought it was further hate mail from associates of "mr. lunatic of shit." i received it seven times yesterday... delete. delete. delete.
posted by heather at 10:04 AM on July 21, 2001


"mr. lunatic of shit." -- that was my nickname in college.
posted by hotdoughnutsnow at 10:28 AM on July 21, 2001


Luckily, my policy is to not open any attachments if I don't know what they are or why someone is sending them to me

This is a good policy to tell ppl, but more advanced users (who don't have "hide extensions" on) might just learn to check the extension (the *real* extension mind you, sometimes they try to fake it). If it's an extension that isn't executable (say jpg, txt, rtf, psd, doc (with macros off), mpg, mp3, etc) it's fine -- you can't get a virus from it, no matter who sent it.
posted by malphigian at 10:38 AM on July 21, 2001


moz: see, that's why i gave up on email programs and stick to webmail or shells.
Perhaps once we get off this slow dial-up and into DSL I'll see if I can retrain myself. I already have webmail set up for my pop accounts AND shell access so it's just there waiting for me.

the random document is anything it finds in your "My Documents" folder (or anything from your "My Pictures" folder). Ahhh - I've always thought the "My Documents/Pictures" folders were eeeky anyway - too smarmy - trying too hard to sound convenient and personal - never use 'em. *grin* (And I store my Spanish erotica translated into English science fiction just to confuse should a situation like this come up.) heh.

malphigian - just what you said. :-)
posted by thunder at 10:45 AM on July 21, 2001


I received a document (word doc) from some random person I'd never heard of before.
I deleted it (and the attachment) before I read this thread and realized that it was this virus. The subject line was exactly the same as the title of this link.
I've never opened any attachments from friends or strangers that arrive in my email, unless I run an updated virus scan through them, or they are a benign file type (as malphigian mentioned above).
It took some doing, but I was able to convince my fiancee to do the same thing with her email. She used to open any/everything that came from any/everyone. I normally wouldn't care TOO much, but now that our computers are on a home LAN I can't take any chances.
posted by Grum at 11:06 AM on July 21, 2001


I got the file from a friend I hadn't heard from in a while. Opened it up in notepad as it looked like a bat file - and then once I saw what it was, a word document of some song lyrics, I thought it was ok - I was wrong - I've been duped!
posted by TuxHeDoh at 11:10 AM on July 21, 2001


heh.

i've gotten the snow white virus sent to me 6 times this week.

crappy.
posted by jcterminal at 11:17 AM on July 21, 2001


On another note - it is worth noting that there are two really good protections for this sort of thing. Aside from the obvious one of turning on extensions.

1) Outlook XP blocked this virus automatically, and will do so for the entire class of "executable attachment" viruses. It translated it into another form that isn't dangerous (.txt). I can get the orig form back - but I can't just run it by accident.

2) Norton Anti-Virus has a great pop3 proxy built in that scans attachments automatically on their way into your email program and will stop this sort of thing as well.
posted by soulhuntre at 11:21 AM on July 21, 2001
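As an added example (not code from this thread or from any of the products named in it), the two defences described above in one small Python filter: malphigian's "check the *real* extension" rule and the rename-to-.txt defanging soulhuntre attributes to Outlook XP. The extension sets and the sample attachment names are constructed for illustration, including the double-extension and padded-space tricks that make an executable look like a document when extensions are hidden.

```python
"""Attachment-name filter: find the real (last) extension, spot a decoy
document extension in front of it, and defang executables by renaming.
All extension lists and sample names here are constructed for illustration."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# The "executable attachment" class the thread refers to (constructed list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                   ".lnk", ".vbs", ".js", ".sh"}
# Extensions a deceptive name pretends to have (constructed list).
DOCUMENT_EXTS = {".doc", ".xls", ".txt", ".rtf", ".jpg", ".mp3",
                 ".mpg", ".psd", ".zip"}


@dataclass
class Verdict:
    real_ext: str              # the extension Windows would actually act on
    decoy_ext: Optional[str]   # an inner document-looking extension, if any
    executable: bool
    safe_name: str             # name to store under; ".txt" appended if executable


def split_real_extension(name: str):
    """Return (stem, ext) after undoing the usual hiding tricks.

    Trailing spaces/dots are stripped (Windows drops them anyway) and runs of
    whitespace are collapsed so 'report.doc        .exe' is seen as one name
    whose last extension is .exe, not as a .doc with junk after it."""
    cleaned = name.rstrip(" .")
    collapsed = re.sub(r"\s+", " ", cleaned)
    stem, ext = os.path.splitext(collapsed)
    return stem, ext.lower().strip()


def classify(name: str) -> Verdict:
    """Classify one attachment name by its real extension."""
    stem, ext = split_real_extension(name)
    # A second extension hiding in the stem ('song.doc' before '.bat') is the
    # decoy the user sees when extensions are hidden or the column is narrow.
    _, inner = os.path.splitext(stem.strip())
    decoy = inner.lower() if inner.lower() in DOCUMENT_EXTS else None
    executable = ext in EXECUTABLE_EXTS
    # Defang the way the thread describes Outlook XP doing it: the bytes are
    # kept, but a double-click now opens a text editor instead of running them.
    safe_name = f"{name.rstrip(' .')}.txt" if executable else name
    return Verdict(ext, decoy, executable, safe_name)


def scan_attachments(names: List[str]) -> List[str]:
    """Return the names that would be blocked (classified executable)."""
    return [n for n in names if classify(n).executable]


if __name__ == "__main__":
    # Constructed sample attachment names, not real Sircam payload names.
    SAMPLES = [
        "Turing essay.doc",
        "song lyrics.doc.BAT",
        "report.doc                 .exe",
        "invoice.pif",
        "salary.xls",
    ]
    for n in SAMPLES:
        v = classify(n)
        flag = "BLOCK" if v.executable else "pass "
        print(f"{flag} {n!r:40} real={v.real_ext!r} decoy={v.decoy_ext!r} -> {v.safe_name!r}")
```

Note quonsar's later point in this thread: the extension says nothing about the bytes inside, so this only catches names that would be *run* on double-click; it is a filter on what the shell would execute, not a content scanner.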


Well, I just got a MS Word doc from a former student. I tell them a thousand times I don't have MS Word. Pine saves the day again.
posted by rschram at 3:49 PM on July 21, 2001


"I send you this file in order to have your advice. The Sircam worm is spreading at an unbelievable rate, with two interesting bonuses. First, it mass-mails itself to e-mail addresses located in browser cache files (so webloggers with e-mail addresses on their sites are vulnerable). Second, it infects and attaches a random document to the e-mail. If you're careful, this makes it the most entertaining worm yet."

Hmmmm ... no mention of Microsoft. One would think that would be a significant bit of info to relay.

Funny how we've become so inured to this that it is no longer necessary to point out when such exploits are specific to the M$ operating system (as they are 99.9% of the time). I used to consider omissions like this as anemic attempts to whitewash Windows' reputation by implicitly hinting that the problem is OS-neutral. Now, I merely take it as a compliment that people don't have to be told the incredibly obvious.
posted by RavinDave at 3:54 PM on July 21, 2001


Funny how we've become so inured to this that it is no longer necessary to point out when such exploits are specific to the M$ operating system (as they are 99.9% of the time).

That's because these exploits aren't based on a deficiency of the Windows OS. As a Pine user, I'll never see a macro virus on my Win system. Macs are safe by relative obscurity, not by better design.
posted by skyline at 4:26 PM on July 21, 2001


Pine. I've spent years using pine, and when I get sick of gwise or have a dialup I always go back. Piiiiine...
posted by mecran01 at 4:49 PM on July 21, 2001


Actually, quite a bit can be attributed to better design.

The structure of the Windows OS allows for more 'behind the scenes' activity to take place. It would be wrong to say that Macs or Linux machines couldn't possibly get a virus, but it's equally wrong to say that Windows and MacOS have identical security against these types of exploits.
posted by jragon at 4:53 PM on July 21, 2001


jragon...you're half right. the probability of a linux box getting a virus that is capable of doing damage is so low as to be almost nil. One of the biggest problems with an OS design like windows is that every user is the root user. For a virus to affect a linux box, someone would have to run the virus as root. With more and more inexperienced people running linux...we'll see how that goes.

The deal with worms, at the least the kind being used on M$ wind0wnz, is that email clients will actually run shit automagically, and have these nasty scripting languages built in. I'm not aware of any unix based email client that would automatically run, say, a perl script as soon as it was opened by the reader. Of course, with the continued acceptance of linux this, too, may one day come to pass. But even if it did happen, to totally hose the box, the owner of it would have to be reading mail as root....

who reads mail as root?
posted by jaded at 5:22 PM on July 21, 2001


However on the mac side, it would be entirely possible to use applescript to target machines that have entourage (mac version of outlook express) to send mass emails. It's already been done, albeit not very elegantly or in a destructive fashion.
posted by machaus at 5:57 PM on July 21, 2001


One of the biggest problems with an OS design like windows is that every user is the root user.

Ummmm.... on some versions of Windows, yes. On Windows 2000 and Windows XP, no.
posted by delfuego at 7:03 PM on July 21, 2001


Note that I'm not advocating any other OS - they all suck. It's just that Microsoft OS's suck galactic masses through buckytubes.

Exactly.
posted by rushmc at 7:57 PM on July 21, 2001


Who reads mail as root?

Uh, root? Most UNIX machines have the postmaster pseudo-account forward mail to root. I've also seen plenty of people post to USENET using a root@... address. Clearly the root account gets mail. Who do you think reads it?

I'm glad you can sit back and criticize MS for implementing a feature (double clicking an attachment to "execute" it) that has such obvious utility for users (and an obvious UNIX analog in the "#!" syntax). I would conjecture that the main reason no (GUI) UNIX mailers have this feature (assuming this is true -- historically I'm a PINE user so I don't know) is that there hasn't been a centralized store that contains this document type <-> app mapping. There obviously will be eventually (being a natural progression from the current magic file), and people will start sending around brittney_spears_naked.jpg.sh files (scripts written for the Bourne shell being pretty close to a built in scripting language for UNIX -- and I suspect most Mac people would disagree with your notion that a built in scripting language is bad).

Saying that all users on "Windows" are super-users is not only wrong -- as someone else already pointed out -- but also almost inconsequential. There are plenty of ways onto the average UNIX box, where you have umpteen processes running as root listening to well-known ports, just waiting to be exploited by a buffer overflow.

And finally, for a little worm-on-UNIX action, check out http://sunland.gsfc.nasa.gov/info/guide/The_Internet_Worm.html.
posted by JasonSch at 10:19 PM on July 21, 2001


He did not just bring up the infamous Internet Worm, did he? Please tell me he didn't.

Jason, that was in the 80s! You know, before Windows (i think), before AOL unleashed the hordes on us, before spam was really even heard of, when internet domain names were FREE OF CHARGE.

I'd say thirteen years is a pretty good record, if that's the first thing that springs to mind.
posted by fooljay at 11:28 PM on July 21, 2001


"the probability of a linux box getting a virus that is capable of doing damage is so low as to be almost nil."

Bull. I'll point you at an example.

In fact, it is interesting that in order to infect a windows machine you have to fool the USER, whereas you can break into most Linux vulnerabilities without any intervention on the user's part at all.

I'll gladly trade Outlook's minor email vulnerabilities (only takes a checkbox or two) for all the crap running on most out of the box linux distros that have glaring root exploits.

I won't embarrass you by bringing up sendmail.

"One of the biggest problems with an OS design like windows is that every user is the root user."

This is totally untrue in Win2K and absolutely untrue in WinXP. In fact, WinXP has a well integrated set of dialog boxes and "Run as" options to make running your windows box as a "normal user" easy and provides a lot of extra protection.

In other words, your information only applies to one of the current windows OS's (WinME).

"For a virus to affect a linux box, someone would have to run the virus as root."

Hardly, there are quite a few root exploits in Linux that a normal user level program can use to gain root access. The only answer is to continually patch and update - just like on the Win boxes.

"is that email clients will actually run shit automagically, and have these nasty scripting languages built in."

Actually, no, you're wrong again. The email program does not run this or most other worms "automagically", it must be run by the user with an affirmative action AND they have to say OK to a dialog box specifically warning them of the risks (in Outlook at least).

This sort of trojan issue is not specific to windows in any way, and is as much a part of Unix GUI clients as it is Outlook in most cases.

"But even if it did happen, to totally hose the box, the owner of it would have to be reading mail as root...."

Or have a machine with one of dozens of common root exploit holes.
posted by soulhuntre at 11:47 PM on July 21, 2001


Good lord. I apologize for the previous post on two counts:

1) The spelling. It's late, and I didn't spell check. :( I will next time!

2) It seems a little argumentative to me, it wasn't intended to come off like a personal attack... the points are valid but the tone seems harsh.

My bad.
posted by soulhuntre at 11:53 PM on July 21, 2001


It's the first thing that sprung to mind simply because it's so f*cking glaring. I seriously hope you're not suggesting that UNIX variants have since gone without any worms/security holes. There are lots of recent, readily available examples to the contrary (e.g., http://www.cert.org/advisories/CA-2001-15.html).

Anyway, my goal is not to depict Windows as perfect -- I'm simply tired of people who know *nothing* about OS design spouting the "Windows sux, Linux rulez" rhetoric that's become so tony (which was rampant on the earlier thread about a security hole being exploited in IIS, where people seemed to think Apache was some sort of panacea. Right, there are no security holes in Apache, keep telling yourself that ...)
posted by JasonSch at 12:04 AM on July 22, 2001


No, Jason, I was just pointing out that you could have done better than to cite "THE Worm" of yore. And yes, I'm very familiar with CERT as it was my home page for years... :-)

As far as soulhuntre's commentary, I think that you're talking apples and oranges. Most Windows machines aren't running net-accessible daemons, and the ones that are share the same class of vulnerabilities. Linux boxen on the other hand are almost always running as servers and hence require many of said pieces of software. Of course, I'll agree with you about the insecure default setup of the distros, but that's just as much of a user responsibility as not clicking on executable attachments.
posted by fooljay at 1:07 AM on July 22, 2001


The problem is really that there's a misconception about the worm. People believe that it runs itself automatically -- or that Outlook runs it automatically when it's received. It's not. You have to open it, agree to a warning and even click on "Run The File" instead of "Save The File". I've received countless e-mail virus/worms and not been infected/uh, wormed by any of them because I just don't run them and they're pretty easy to spot.

I do think that this Sircam worm is utterly cool and should be given some sort of worm award. The only thing cooler would be if it got your ICQ or other instant messenger histories/chat logs and fired them off to everyone you know. Then it would actually start screwing up society a bit and that would be damn amusing.
posted by frenetic at 1:10 AM on July 22, 2001


wow, that virus plus bbedit plus 2:30 am equals fun. most of the ones I received were some boring night audit checklist for a hotel, but here's one personal item I received.
posted by gluechunk at 2:37 AM on July 22, 2001


Hmmm. The last one I received contained a program that calculated sinc-based interpolation of sampled data.

I need more interesting acquaintances.
posted by andrew cooke at 3:02 AM on July 22, 2001


<sigh> The first virus I'm excited to get and nary a trace of it in my inbox...
posted by fooljay at 3:10 AM on July 22, 2001


I got a high school report on entrepreneurism, two sundry zip files, and an empty Excel document. Nothing nearly as exciting as Spanish erotica, though. I'll give my acquaintances 'til Monday to be more interesting before I start shopping around for new ones.
posted by youhas at 4:17 AM on July 22, 2001


I ended up with a document on a new marketing campaign from some "client/server technologies" company. (I'm glad I saw this thread, because I was really confused over why the file would be included in a virus.) Not as interesting as a love letter, I think...
posted by jess at 4:25 AM on July 22, 2001


my email list Dang Funny got hit with two requests last night.
posted by brucec at 10:42 AM on July 22, 2001


yeah, be real careful taking a look in it.

I got one Friday night, thought "this looks like an email virus", read the 4th grade science report contained within with a hex editor, looked around a bit and found out about Sircam, and emailed the unwitting sender back after deleting the file.

I received a second one Saturday night, dug through it and in selecting it for deletion managed to DOUBLE CLICK IT. Yes, through my own nosiness, clumsiness and stupidity I infected myself with Sircam.

Good thing I use Pegasus and have NO addresses in my Outlook mailer... The file it picked to send out was someone else's half finished short story that they wanted extracted from some proprietary format standalone electronic typewriter thing.

Still, I feel pretty dumb. First time I've ever infected a computer. Ever.
posted by mutagen at 1:30 PM on July 22, 2001


don't feel so bad mutagen... once i had a disk in my computer that i knew had a virus on, but was using anyway because i needed a file on there, and i accidentally left it in there when i restarted, allowing it to do all sorts of crazy things with fdisk.
posted by lotsofno at 2:06 PM on July 22, 2001


This Mac/Linux/Windows debate is founded on a fallacy. It's not about the platform, it's about the target population size.

The overwhelming reason why Windows machines get targeted by virus writers is simply a question of critical mass. That's not to excuse MS's lax approach to security but the point is that very few viruses are written to infect machines that only make up a 5% segment of the market.

i.e. having 5% of the market doesn't translate into getting 5% of the viruses (it's more likely to be closer to 0.005%).
posted by lagado at 4:51 PM on July 22, 2001


Err, market share certainly is a big factor, no doubt. However, I'm sure you're not saying that Windows is on par with Unix in terms of security.
posted by fooljay at 5:30 PM on July 22, 2001


"Of course, I'll agree with you about the insecure default setup of the distros, but that's just as much of a user responsibility as not clicking on executable attachments."

That's my point, this "Apache is the answer" attitude is simply incorrect.

The admin has to do his job.

BTW- yes, I will put Win2K and WinXp up against a Unix box for security from outside attacks.
posted by soulhuntre at 6:56 PM on July 22, 2001


That's my point, this "Apache is the answer" attitude is simply incorrect.
The admin has to do his job.


You use a bad example. Apache is far more robust, scalable, extensible and secure than IIS.

BTW- yes, I will put Win2K and WinXp up against a Unix box for security from outside attacks.

I respectfully submit that you have lost your senses. :-)
posted by fooljay at 10:00 PM on July 22, 2001


Err, market share certainly is a big factor, no doubt. However, I'm sure you're not saying that Windows is on par with Unix in terms of security.

No I'm not suggesting that Windows is anywhere near as secure as Unix but my point is that this is not relevant. If, say, Linux had 95% of desktops it would have 99.995% of viruses. Market size ultimately is the only important issue here.

Linux viruses have to contend with the protections model but then so do ones for NT. It's often just a case of coaxing a user to run them at a high enough privilege. These are issues of social engineering rather than technical ones.

Unix systems are not by definition secure, they are just simpler and more straightforward for technical people to understand. If Unix became a consumer product this would no longer be the case.

For example the Redhat distribution of Linux is NOT a secure platform. The install program by default installs all kinds of features which weaken its security. The vast majority of Linux users are ignorant of how to turn them off or how to tighten security. More complexity plus more ignorance on the part of users leads to security flaws.

The (pre OS X) Mac is the most insecure platform of all and yet the number of viruses for it is minuscule. From a virus writer's perspective, it's just not a "vector" worth exploiting.

So don't get me wrong here. I'll agree with you that Windows is a far less secure platform than any UNIX variant (including Mac OS X). Windows boxes are by far the easiest and most rewarding to exploit. My point is if the market chose another platform other than Windows, once the market share passed some critical point it would become the overwhelming target of choice for malware writers.
posted by lagado at 11:44 PM on July 22, 2001


I gotcha and I see what you're getting at.
posted by fooljay at 1:49 AM on July 23, 2001


I got one of these emails four times before I read about the worm, and flamed the poor guy for spamming me. I had to hastily send through an apology for my abruptness when I discovered it wasn't entirely his fault. I did advise him to get some decent virus checking software though ;-)
posted by emc at 8:14 AM on July 23, 2001


criticize MS for implementing a feature (double clicking an attachment to "execute" it) that has such obvious utility for users (and an obvious UNIX analog in the "#!" syntax)...

MS violated one of the fundamental rules of computer science - code is code and data is data, and never shall the twain meet! Executable documents? Blasphemy. And a dog-stupid idea that has been recognized as such for more than 50 years. Obvious utility?? It's a playground built on a toxic waste dump. But hey, it's right around the corner and so convenient for the kids...

...a centralized store that contains this document type <-> app mapping.

yeah, sounds really techy-like, and all. unfortunately, there IS no such centralized store beyond the registry, which contains only dubious .ext to filetype associations, which can be changed anytime by anyone or programmatically (by no one!). Windows doesn't know or care squat about filetypes. It can't tell a text file named 'text.doc' from an mp3 named 'music.doc'. doctype to app-mapping? i snort with derision in your general direction!
posted by quonsar at 9:19 AM on July 23, 2001


Lagado, I agree on quite a few points, but let's set up a test sample here:

Let's say that the marketplace was split down the middle between Windows2000 and MacOSX.

Now let's say that no one knew a thing about security. (a real stretch, I know ;) This means that the machines would install themselves with all the defaults and no one would bother changing the defaults.

There would still be more successful attacks on Windows.

--

Now let's say that Linux had 85% market share and Windows had 5%. You're correct in guessing that 85% of viruses (or more) would be designed for Linux.

The point you left out is that there would still be far fewer viruses, total.

Percentage and user intelligence do matter, of course, but that doesn't let MS off the hook for their style of writing software.
posted by jragon at 1:53 PM on July 23, 2001



