AFRO-NETS> Now it's getting personal - the prying email virus

[pazvakavambwab@who.ch]

Now it's getting personal - the prying email virus
--------------------------------------------------

Stuart Millar Technology correspondent
Tuesday July 24, 2001
The Guardian
http://www.guardian.co.uk/internetnews/story/0,7369,526571,00.html

Europe was last night braced for the onslaught of an email virus,
which has the power to send your most embarrassing documents and pic-
tures to every name in your electronic address book. Hot on the heels
of the Love Bug and the Anna Kournikova worm, comes SirCam, a nasty
strain which first appeared last week and is spreading rapidly across
the internet.

Last week, virus scanners were registering only one or two copies of
SirCam a day and it was assumed it would fade into obscurity. But
yesterday, with the tally of infected mail rising to almost 4,000
within 24 hours - most of it originating in the US - security experts
warned European users to put up the barricades.

Like all previous mass mailer viruses, SirCam arrives in the form of
an email attachment. If opened by the recipient, it sends itself to
every name on the victim's address book. By spreading in this way,
viruses such as the Love Bug quickly became global outbreaks, causing
millions of pounds worth of damage to computer systems.

But SirCam has an even nastier trick up its sleeve. Before forwarding
itself on, it raids the infected PC's My Documents folder - where
most users store their most private or sensitive material - and ran-
domly selects a file, which it sends out with the infected email.

Confidential commercial files, such as client lists or new product
information, could be sent around the world in seconds, as could more
revealing personal documents, such as job applications or private
letters.

"There are serious implications for security and privacy," said Alex
Shipp, senior anti-virus technologist at MessageLabs, a Gloucester-
based virus scanning service, which has intercepted almost 8,000 in-
fected emails since last week. "The virus could pick any file that is
in there, and if it picks something questionable, the user could be
seriously embarrassed."

To add insult to injury, SirCam, which is believed to have originated
in Latin America, also goes through the computer's web cache - the
store of internet sites the user has visited - and emails itself and
the document to any addresses it finds on there.

Popular websites, such as news and sports services, reported yester-
day that although they had avoided infection, they were being deluged
by unwanted mails generated by the virus.

SirCam's novel design and behaviour are disturbing evidence of the
increasing technical sophistication of virus writers. In previous
outbreaks, the initial explosion of the virus was usually contained
within a few days. SirCam, however, has been able to thrive because
it does not always put the same message in the email subject line.
Instead, it puts the name of whichever file it has raided from the My
Documents folder.

The body of the email is also semi-random, but always contains the
same lines at the beginning and end, in either English or Spanish. In
the English version, the first line is "Hi! How are you?" and the
last is "See you later. Thanks." The virus is not activated until the
attachment to the email is opened.

"It certainly has a couple of new tricks", Mr Shipp said, "and that
is all it takes to get a big explosion these days."

Guardian Unlimited c Guardian Newspapers Limited 2001

---
Dr Brian Pazvakavambwa, MBChB, MPH
The World Health Organization (WHO)
Department of HIV/AIDS
Global and Inter-Regional Coordination
20 Avenue Appia, CH-1211 Geneva 27
Tel.: +41-22-7914564
Fax:  +41-22-7914834
mailto:pazvakavambwab@who.int
Http://www.bpazva.8m.com


--
Send mail for the `AFRO-NETS' conference to `<afro-nets@usa.healthnet.org>'.
Mail administrative requests to `<majordomo@usa.healthnet.org>'.
For additional assistance, send mail to:  `<owner-afro-nets@usa.healthnet.org>'.