CERT® Advisory CA-2001-22 W32/Sircam Malicious Code
Original release date: July 25, 2001
Last revised: August 23, 2001
"W32/Sircam" is malicious code that spreads through email and potentially through unprotected network shares. Once the malicious code has been executed on a system, it may reveal or delete sensitive information.
As of 10:00EDT(GMT-4) Jul 25, 2001 the CERT/CC has received reports
of W32/Sircam from over 300 individual sites.
W32/Sircam can infect a machine in one of two ways:
The virus can appear in an email message written in either English or Spanish with a seemingly random subject line. All known versions of W32/Sircam use the following format in the body of the message:
Where [middle line] is one of the following:
Users who receive copies of the malicious code through electronic mail might recognize the sender. We encourage users to avoid opening attachments received through electronic mail, regardless of the sender's name, without prior knowledge of the origin of the file or a valid digital signature.
The email message will contain an attachment whose name matches the subject line and has a double file extension (e.g. subject.ZIP.BAT or subject.DOC.EXE). The CERT/CC has confirmed reports that the first extension may be .DOC, .XLS, or .ZIP. Anti-virus vendors have referred to additional extensions, including .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, and .PS. The second extension will be .EXE, .COM, .BAT, .PIF, or .LNK. The attached file contains both the malicious code and the contents of a file copied from an infected system.
When the attachment is opened, the copied file is extracted to both the %TEMP% folder (usually C:\WINDOWS\TEMP) and the Recycled folder on the affected system. The original file is then opened using the appropriate default viewer while the infection process continues in the background.
It is possible for the recipient to be tricked into opening this malicious attachment, since the file will appear without the .EXE, .BAT, .COM, .LNK, or .PIF extension if the "Hide file extensions for known file types" option is enabled in Windows. See IN-2000-07 for additional information on the exploitation of hidden file extensions.
W32/Sircam includes its own SMTP client capabilities, which it uses to propagate via email. It determines its recipient list by recursively searching for email addresses contained in all *.wab (Windows Address Book) files in the %SYSTEM% folder. Additionally, it searches the folders referred to by
W32/Sircam first attempts to send messages using the default email settings for the current user. If the default settings are not present, it appears to use one of the following SMTP relays:
Propagation Via Network Shares
In addition to email-based propagation, analysis by anti-virus vendors suggests that W32/Sircam can spread through unprotected network shares. Unlike the email propagation method, which requires a user to open an attachment to infect the machine, propagation of W32/Sircam via network shares requires no human intervention.
If W32/Sircam detects Windows networking shares with write access, it
If the share contains a Windows folder, it also
II. Impact
W32/Sircam can have a direct impact on both the computer which was infected as well as those with which it communicates over email.
Run and Maintain an Anti-Virus Product
It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information, tools, or virus databases to help detect and partially recover from this malicious code. A list of vendor-specific anti-virus information can be found in Appendix A.
Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.
Exercise Caution When Opening Attachments
Exercise caution when receiving email with attachments. Users should never open attachments from an untrusted origin, or ones that appear suspicious in any way. Finally, cryptographic checksums should also be used to validate the integrity of the file.
The effects of this class of malicious code are activated only when the file in question is executed. Social engineering is typically employed to trick a recipient into executing the malicious file. The best advice with regard to malicious files is to avoid executing them in the first place. The following tech tip offers suggestions as to how to avoid them:
Filter the Email or use a Firewall
Sites can use email filtering techniques to delete messages containing subject lines known to contain the malicious code, or they can filter all attachments.
Likewise, a firewall or border router can be used to stop the W32/Sircam outbound SMTP connections to mail servers outside of the local network. This filtering strategy will prevent further propagation of the worm from a particular host when the local mail configuration is not used.
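The attachment pattern described earlier in this advisory (a name that matches the subject line and carries a double file extension) can be checked at the mail gateway as part of the email filtering recommended here. The following Python filter is an added example, not part of the original advisory; the function names and the sample message are constructed for illustration, and the extension lists are the ones given in the advisory text.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension lists as given in the advisory text.
FIRST_EXT = {"doc", "xls", "zip",                      # confirmed by the CERT/CC
             "gif", "jpg", "jpeg", "mpeg", "mov",      # reported by anti-virus vendors
             "mpg", "pdf", "png", "ps"}
SECOND_EXT = {"exe", "com", "bat", "pif", "lnk"}

def check_attachment(filename, subject=""):
    """Return (is_double_extension, stem_matches_subject) for one attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.strip().rstrip(". ").split(".")
    if len(parts) < 3:
        return (False, False)
    stem, first, second = ".".join(parts[:-2]), parts[-2].lower(), parts[-1].lower()
    suspicious = first in FIRST_EXT and second in SECOND_EXT
    matches = suspicious and stem.strip().lower() == subject.strip().lower()
    return (suspicious, matches)

def scan_message(raw_bytes):
    """Parse a raw message and list the attachments a filter should quarantine."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "")
    findings = []
    for part in msg.walk():                # covers inline parts as well as attachments
        name = part.get_filename()
        if not name:
            continue
        suspicious, matches = check_attachment(name, subject)
        if suspicious:
            findings.append({"filename": name, "matches_subject": matches})
    return findings

def build_sample(subject, filename):
    """Constructed test message; the attachment holds harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "rcpt@example.com", subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample("Budget 2001", "Budget 2001.xls.pif")):
        print("quarantine:", finding)
```

A double-extension hit alone is grounds for quarantine; the subject-line match is reported separately so that it can raise the confidence of an alert.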
Appendix A. - Vendor Information
Aladdin Knowledge Systems
Central Command, Inc.
Command Software Systems
Data Fellows Corp
Norman Data Defense Systems
You may wish to visit the CERT/CC's Computer Virus Resources Page located at:
Authors: Roman Danyliw, Chad Dougherty, Allen Householder
This document is available from: http://www.cert.org/advisories/CA-2001-22.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.
Jul 25, 2001: Initial release
Jul 25, 2001: The virus does NOT search the Desktop registry key for address books. Additionally, correct EST to EDT.
Aug 23, 2001: Updated contact information