
Posted: 9/4/2001 1:49:18 AM EDT
To my yahoo account.  

Maybe someone at Intel didn't like me advising Frank The Spank on activating the "worm".  I dunno.

Scan Result  
Name of File:   Vivian_Martin.doc.pif
Type of File:   application/mixed
Scan Result:   Virus W32.Sircam.Worm@mm found. File NOT cleaned.  

229k

From: "Vivian Martin" | Block Address | Add to Address Book
To: [email protected]
Subject: Vivian Martin
Date: Mon, 3 Sep 2001 13:31:24 -0700
       
Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks
Link Posted: 9/4/2001 1:50:30 AM EDT
[#1]
It's either Intel or the "gypsies".

I nominated them on SteyrAug's thread.
Link Posted: 9/4/2001 1:54:01 AM EDT
[#2]
I have received 12 of those types of emails in the last month. What in the hell did I do to deserve it?
Link Posted: 9/4/2001 2:05:28 AM EDT
[#3]
That's a pretty good sized file isn't it?

Probably something more than just a "Word" macro virus.
Link Posted: 9/4/2001 2:06:41 AM EDT
[#4]
Quoted:
I have received 12 of those types of emails in the last month. What in the hell did I do to deserve it?


You bashed Miss Cleo and she be a Shamon.
Link Posted: 9/4/2001 2:07:50 AM EDT
[#5]
Maybe I'll transfer it to one of my spare notebooks and open it.
Link Posted: 9/4/2001 3:53:04 AM EDT
[#6]
Just did some research, that's a pretty serious sounding "worm".

[url]http://www.sarc.com/avcenter/venc/data/[email protected][/url]

W32.Sircam.Worm@mm
Discovered on: July 17, 2001
Last Updated on: August 21, 2001 at 03:13:03 PM PDT

Due to an increased rate of virus submissions, The Symantec AntiVirus Research Center (SARC) has upgraded W32.Sircam.Worm@mm from a level 3 to a level 4 virus threat.

W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm.
Due to what appears to be a bug, this worm does not replicate under Windows NT or 2000.

SARC has created a tool to remove this worm.

CAUTION: In some cases, if you have had NAV quarantine or delete infected files, you will not be able to run .exe files, however you will still be able to run the removal tool.

To obtain the W32.Sircam.Worm@mm removal tool, please click here.

Also Known As: W32/SirCam@mm, Backdoor.SirCam

Type: Worm

Virus Definitions: July 17, 2001

Threat Assessment:

Wild: High
Damage: Medium
Distribution: High

Wild:

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate
Damage:

Payload Trigger: 1) October 16th, or some attached file contents, triggers file deletion payload. 2) If the file deletion occurred, or after 8000 executions, triggers the space filler payload.
Payload:
Large scale e-mailing: The worm appends a random document from the infected PC to itself and sends this new file via email
Deletes files: 1 in 20 chance of deleting all files and directories on C:. Only occurs on systems where the date is October 16 and which are using D/M/Y as the date format. Always occurs if attached file contains "FA2" not followed by "sc".
Degrades performance: 1 in 50 chance of filling all remaining space on the C: drive by adding text to the file c:\recycled\sircam.sys
Releases confidential info: It will export a random document from the hard drive by appending it to the body of the worm
Distribution:

Subject of email: Random subject - the filename of the attachment
Name of attachment: A file from the sender's computer with the extension .bat, .com, .lnk, or .pif added to it.
Size of attachment: at least 134kb long
Shared drives: searches for shared drives and copies itself to those it finds

Technical description:

This worm arrives as an email message with the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the email attachment.
Attachment: The attachment is a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.
Link Posted: 9/4/2001 3:55:35 AM EDT
[#7]
I have also never seen a double eXtension before.

Vivian_Martin.doc.pif
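
The delivery traits in the Symantec write-up quoted in post #6, and the double extension pointed out in post #7, can be checked mechanically at a mail gateway. This is an added example, not part of the original thread or of Symantec's tooling; the function names, the reading of "134kb" as 134 × 1024 bytes, and the sample message (zero bytes as the attachment) are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the advisory says are added to the stolen document's name.
APPENDED_EXTS = {".bat", ".com", ".lnk", ".pif"}
MIN_SIZE = 134 * 1024  # assumption: "134kb" read as 134 KiB


def sircam_indicators(raw_message: bytes) -> list[str]:
    """Return the advisory traits matched by attachments in a raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        pieces = name.lower().rsplit(".", 2)
        if len(pieces) != 3 or "." + pieces[2] not in APPENDED_EXTS:
            continue  # not "<name>.<document ext>.<appended ext>"
        hits.append(f"double extension: {name}")
        # The advisory says the subject is the attachment's file name; the
        # sample in this thread drops the extensions and swaps "_" for " ".
        stem = pieces[0].replace("_", " ")
        if subject and subject in (name.lower(), pieces[0], stem):
            hits.append("subject matches attachment name")
        payload = part.get_payload(decode=True) or b""
        if len(payload) >= MIN_SIZE:
            hits.append(f"attachment size {len(payload)} >= {MIN_SIZE}")
    return hits


def build_sample(filename: str, subject: str, size: int) -> bytes:
    """Constructed test message; the attachment is harmless zero bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Hi! How are you?\n\nSee you later. Thanks\n")
    msg.add_attachment(b"\0" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    # Same file name, subject and approximate size as the mail in post #1.
    raw = build_sample("Vivian_Martin.doc.pif", "Vivian Martin", 229 * 1024)
    for hit in sircam_indicators(raw):
        print(hit)
```

A message that matches all three traits is a strong candidate for quarantine; the double extension alone is worth blocking regardless of sender.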
Link Posted: 9/4/2001 5:35:19 AM EDT
[#8]
Link Posted: 9/4/2001 7:22:37 AM EDT
[#9]
That stupid Sircam infected my laptop when I hooked it up at work, and I brought it home.  I checked my email, and did not get any attachments.  Since I don't use Outlook, there must be another machine at work infected and it came across on a network share.  The worst part is that it got by McAfee.  I'm thinking about switching to Norton.
Link Posted: 9/4/2001 8:09:06 AM EDT
[#10]
Definitely go w/ Norton, my brother!  I had the same thing happen to me a few times, an e-mail sent by Snow White that I didn't even open, but infected my PC anyways.  I tried the Startup discs several times, but it was still there.  I called McAfee & was told that their only support was to be found online.  Yeah, right!  If I could get online I wouldn't be calling you, now would I?  Anyways, 2 minutes after loading Norton it told me that it found the virus & would repair what it could & either delete or quarantine what it couldn't.  Not a blip since.
Link Posted: 9/5/2001 11:09:09 AM EDT
[#11]
you need to forward a copy of that email to rectec.com and let them know that this is a criminal matter and you need info on the user.

I'd file a report on this...
Link Posted: 9/6/2001 3:47:52 AM EDT
[#12]
Quoted:
you need to forward a copy of that email to rectec.com and let them know that this is a criminal matter and you need info on the user.

I'd file a report on this...


Ok, I'll see what can be done.