Just did some research, that's a pretty serious sounding "worm".
[url]http://www.sarc.com/avcenter/venc/data/
[email protected][/url]
W32.Sircam.Worm@mm
Discovered on: July 17, 2001
Last Updated on: August 21, 2001 at 03:13:03 PM PDT
Due to an increased rate of virus submissions, The Symantec AntiVirus Research Center (SARC) has upgraded W32.Sircam.Worm@mm from a level 3 to a level 4 virus threat.
W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm.
Due to what appears to be a bug, this worm does not replicate under Windows NT or 2000.
SARC has created a tool to remove this worm.
CAUTION: In some cases, if you have had NAV quarantine or delete infected files, you will not be able to run .exe files, however you will still be able to run the removal tool.
To obtain the W32.Sircam.Worm@mm removal tool, please click here.
Also Known As: W32/SirCam@mm, Backdoor.SirCam
Type: Worm
Virus Definitions: July 17, 2001
Threat Assessment:
Wild:
High Damage:
Medium Distribution:
High
Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate
Damage:
Payload Trigger: 1) October 16th, or some attached file contents, triggers file deletion payload. 2) If the file deletion occured, or after 8000 executions, triggers the space filler payload.
Payload:
Large scale e-mailing: The worm appends a random document from the infected PC to itself and sends this new file via email
Deletes files: 1 in 20 chance of deleting all files and directories on C:. Only occurs on systems where the date is October 16 and which are using D/M/Y as the date format. Always occurs if attached file contains "FA2" not followed by "sc".
Degrades performance: 1 in 50 chance of filling all remaining space on the C: drive by adding text to the file c:\recycled\sircam.sys
Releases confidential info: It will export a random document from the hard drive by appending it to the body of the worm
Distribution:
Subject of email: Random subject - the filename of the attachment
Name of attachment: A file from the sender's computer with the extension .bat, .com, .lnk, or .pif added to it.
Size of attachment: at least 134kb long
Shared drives: searchs for shared drives and copies itself to those it finds
Technical description:
This worm arrives as an email message with the following content:
Subject: The subject of the email will be random, and will be the same as the file name of the email attachment.
Attachment: The attachment is a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.