Ann Arbor Business to Business
Small Business and the Internet

Code Red - SirCam on the Loose

September 2001

By Mike Gould

> Hi! How are you?
> I send you this file in order to have your advice
> See you later. Thanks

If the above looks familiar, then you probably had a visit from the SirCam virus, the latest manifestation of malware cruising the infestation superhighway. Now, two years ago, I warned everybody about accepting email from strangers, but did anybody listen? (I hear crickets chirping, the old Warner Brothers cartoon sound effect denoting nobody home.) Sigh. So I guess it's time again for yet another in a series of personal computing hygiene lectures, sternly delivered by the exasperated nurse Mike.

Deja Merde Encore
One advantage to writing a series like this is that I get to recycle everything periodically. Last time around for this topic was "Things That Go Bump on the Internet" (July 1999), available at http://mondodyne.com/b2b/smbiznet.17.shtml. This was a time when Windows users were battling the ExploreZip worm. A sour taste of things to come, this was one of the first viruses that spread via the mechanism of emailing itself to everyone in your Outlook address book. Macintosh users were immune.

SirCam, formally known as W32/SirCam@MM, is a more powerful variant of the above. Once the Unwitting Windows User (UWU, a polite term for clueless bozo) opens the infected attachment sent to him or her by another UWU, the virus goes to work. It rummages through your files, selects one at random, and sends it to someone in your Outlook address book, along with a copy of itself and the cheery message above. So now your hijacked computer is not only spewing viruses, it is sending your confidential files to all your correspondents. Then another mechanism kicks in and the virus spins a wheel of fortune; if your number comes up, it starts screwing up your applications and, in some cases, erasing your hard drive. None of the above happens to Macintosh users.
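As an added illustration (not from the column), here is the kind of check a mail gateway could run on incoming messages to catch this worm before a UWU opens it. It keys on the wording quoted above; the double-extension attachment name it also looks for is assumed from public write-ups of the worm rather than from this column, and the sample messages are constructed.

```python
import re
from email.message import EmailMessage

# Phrases taken from the message quoted in the column; the greeting and
# sign-off were constant while the middle line varied between copies.
SIRCAM_PHRASES = (
    "i send you this file in order to have your advice",
    "see you later. thanks",
)
# SirCam mailed stolen documents under a double-extension name such as
# "budget.xls.pif" (second extension assumed from public write-ups of the
# worm; the column above does not state it).
DOUBLE_EXT = re.compile(
    r"\.(doc|xls|zip|jpg|gif|mpg|mov|mp3|pdf|ppt|txt)\.(pif|lnk|bat|exe|com)$", re.I
)

def sircam_indicators(msg: EmailMessage) -> list:
    """Return the SirCam traits found in one parsed message."""
    hits = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits += [f"phrase: {p}" for p in SIRCAM_PHRASES if p in text]
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if DOUBLE_EXT.search(name):
            hits.append(f"attachment: {name}")
    return hits

def should_quarantine(msg: EmailMessage) -> bool:
    """Quarantine only when both the text and the attachment trait are present,
    so a plain reply that merely quotes the worm's wording is not caught."""
    hits = sircam_indicators(msg)
    return (any(h.startswith("phrase") for h in hits)
            and any(h.startswith("attachment") for h in hits))

def build_sample(body: str, attachment_name: str = "") -> EmailMessage:
    """Constructed test message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "uwu@example.com"
    msg["To"] = "you@example.net"
    msg["Subject"] = "budget"
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg

WORM_TEXT = ("Hi! How are you?\nI send you this file in order to have your advice\n"
             "See you later. Thanks\n")

if __name__ == "__main__":
    print(should_quarantine(build_sample(WORM_TEXT, "budget.xls.pif")))  # True
    print(should_quarantine(build_sample("Re: your note\n> " + WORM_TEXT)))  # False
```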

Voila le Jungle Electronique
The really annoying part of all this is that it can affect everybody, including us Macintosh users. We don't have to worry about our files or hard drives, but we can be inundated by infected email just like everybody else. Apparently the virus can extract email addresses from the Internet Explorer Web cache, which means if you have visited a page with an email address on it, that address is up for grabs. (Your cache is where IE stores copies of the last hundred or so pages you visited so that it can put those pages on your screen faster when you re-visit. You knew that, right? Your computer stores pages from the web that anyone can see if they have access to your keyboard.)

Anyway, I must have some popular Web pages because all of a sudden I was receiving hundreds of emails with confidential files attached to them from total strangers. I tried to reply to the worst of them, telling them that they were sharing their digital life stories with me, but the email bounced with a note that their mailbox was full - probably with similar requests from other victims. A note to their postmaster finally shut off the flood. If this happens to you, an email to postmaster@UWU'sdomain.com usually will work.

Cordon Sanitaire
The description of why, who, and how this sort of malfeasance is generated was pretty well covered in my previous article at the address above, so I won't repeat that here. But I will repeat the usual prophylactic litany:

1. Buy anti-virus software and KEEP IT UP TO DATE! New viruses appear every day, and updated anti-virus definitions (modular code designed to combat specific new viruses) are available at the websites of the various software companies.

2. Don't open (or unZip) email enclosures from strangers, or even friends unless you know exactly what they are. Contact your correspondent if necessary to verify contents.

3. BACK UP EVERY SINGLE IMPORTANT FILE ON YOUR HARD DRIVE, INCLUDING YOUR EMAIL. Do it now, do it often, make multiple copies of really, really important files, and store a copy off-site. The business you save could be your own.

4. Download software only from sites you are familiar with, and immediately check it with your anti-virus software.

5. Familiarize yourself with the problem; if you are online, you are at risk for everything on your computer, and this is one problem that is not going away. One of the best places to start learning is the Virus Busters' page the University of Michigan maintains at http://www.umich.edu/~virus-busters/. A more extensive explanation of the SirCam experience can be found here.

6. And as the above site so aptly puts it: "Avoid crappy emailers that allow active content, like the Microsoft Outlook variants. Otherwise, you WILL get bitten by junk like this." Personally, I recommend Eudora for email.

Grand Mal
And then there are the attacks that most end users can't do anything about, such as the Code Red worm. This showed up first as defaced Web pages; a previously normal-looking page would all of a sudden say:

Welcome to http://www.worm.com ! Hacked By Chinese!

There is no direct evidence that the Chinese had anything to do with this, and this message may be a case of misdirection. Or it could be the first blow in an international CyberColdWar. The cause of this was a widely reported security hole in the IIS Web serving software that MicroSoft foists. Once the hole was reported, MS issued a software patch to fix it, but not everybody applied the fix. The worm installs itself on an unpatched system and then goes looking around the Internet for other servers to attack. See the sidebar to determine if your computer is at risk.

Code Red also has the unusual capability of crashing printers. The HP JetDirect card J3111, included with most HP LaserJet 4000 printers, is vulnerable to the Code Red worm, and there have been reports of the QMS 2060 being affected as well. Symptoms include endless printing of diagnostic pages and "EIO 2" errors. The cure is to reload the printer's firmware with software from the manufacturer.

Code Red hit home to a lot of us cable modem users one weekend in July when our modems started flashing and no Internet access was possible. This was the worm knocking at our doors, looking for a home. As most of us don't run the IIS software, our computers were not at risk, but the attack soaked up enough bandwidth to totally mess with our access. I hate when that happens.

ATTENTION WINDOWS 2000 USERS:

Experts believe that many of the systems currently infected with Code Red belong to home PC users who do not realize that they have the IIS server software installed.

Systems running Windows 3.1, 95, 98, and ME are not vulnerable.

Note that ANY system running Microsoft Windows 2000 (any version, including Professional) may have a vulnerable IIS server installed. It is quite possible for an IIS server to be installed without the user's knowledge. Please check the FAQ here for information on determining whether a system is vulnerable and how to patch it if it is:

http://www.incidents.org/react/code_red.php

Entire Site © 2008, Mike Gould - All Rights Reserved