Posted 10-15-2001, 04:55 PM by Keefe (Administrator)

SirCam: Will It or Won't It?

12:15 p.m. Oct. 15, 2001 PDT
Wired.com
     
Antiviral companies disagree over whether the SirCam virus will or won't detonate on Tuesday.

Analysis of the worm's code indicated that on Oct. 16, the worm is coded to generate a number that has a 1-in-20 chance of matching a number contained in its code. If it matches, some experts said, an infected drive will be freed of all its files.

But other experts said that SirCam's author -- still unidentified -- made a major error in his programming, and the worm will try but not be able to delete files on infected machines on Oct. 16.

SirCam's code has an error in one crucial segment. The worm generates the random number that launches its deletion attack only after the worm has already run a check for that number, according to Graham Cluley, head of corporate communications at Sophos Anti-Virus. "It seems this was one virus writer who didn't test his code properly," Cluley said.

F-Secure, an antiviral company based in Helsinki, Finland, concurs with Sophos' analysis.

"There's been a lot of false information on SirCam activation because the code is so complex to analyze," Mikko Hypponen, manager of anti-virus research at F-Secure, said. "SirCam is one of the most common viruses out there so it is no wonder people are worried. However, this Tuesday won't be special in any way regarding this virus."

Symantec did not reply immediately to requests for comment about the company's analysis. The company's virus description states that SirCam's payload will activate on Oct. 16.

But a later in-depth look by two Symantec researchers, published in the industry newsletter "Virus Bulletin," does spot the flaw in SirCam's code, and suggests that the payload will not trigger on Tuesday.

Messagelabs' Technical Manager Dave White said last Friday that the Oct. 16 payload was active, but its senior anti-virus technologist, Alex Shipp, said he believed there is a flaw in the code that would disable the payload.

"It seems some researchers missed this when analyzing the virus, and to be fair, this kind of thing is very easy to miss," Shipp said Monday.

McAfee's AVERT Labs has played it safe since the beginning. Its documentation simply states that SirCam may delete files.

"There are reports that SirCam can delete files, but we have not seen this happen in our testing," said Vincent Gullotto, senior director of AVERT. "We included the possibility that SirCam may be able to delete files in order to present clients with a complete picture of reference material from all sources."

Steven Sundermeier, product manager at Central Command, said that SirCam's payload isn't crippled by bad code but also believes that the chance of the worm causing widespread damage tomorrow is slim.

"Because it has to match such an accurate criteria to unleash its payload, the likelihood of SirCam's payload activating and causing a huge deal of damage is not high," Sundermeier said.

Messagelabs' Shipp dismissed the possibility that there may be a variant of SirCam that is capable of carrying out the Oct. 16 payload.

"There is only one version of SirCam, and the date-activated payload will not fire due to a bug."

Cluley believes the confusion over what SirCam will or won't do is not due to variants of the virus, but instead is "simply a case of analysts not looking at the virus code in great-enough detail."

Sophos researchers have found a payload that is directly related to the Oct. 16 code, but the chances of it activating are remote.

If users rename any of the standard files SirCam creates (for instance, SIRC32.EXE) and then run that file, SirCam will wipe the files off a hard drive exactly as though the 1-in-20 chance had triggered on Oct. 16.

The news that SirCam may not go on a rampage tomorrow has dashed the hopes of some who had hoped it would cull a few of the virus-infected computers off the Internet.

"At last SirCam is going to punish those idiots that are still running around the Net with infected computers," Marquis Grove, of Security News Portal wrote last week, in response to a Wired News article detailing the expected Oct. 16 activity.

"Frankly I have no sympathy. The deletion of all their files might finally get their virus-infested machines off the Internet."
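The ordering bug the article attributes to Sophos (the comparison runs before the random number it compares against has been generated) is easy to reproduce in a few lines. The model below is an added illustration written for this page, not SirCam's code or any vendor's analysis: the date test, the constant the draw must match, the variable's initial value, and the "check first, then generate" sequence are all assumptions standing in for the real worm's logic. It shows why a payload coded that way never fires on its date, while the same steps in the intended order fire in roughly one run in twenty.

```python
import datetime
import random

# Assumptions for the model (not values taken from SirCam's code):
TRIGGER_DATE = (10, 16)   # month, day the article reports for the payload
MATCH_VALUE = 7           # constant the random draw must equal (assumed)
ONE_IN = 20               # the 1-in-20 chance reported in the article


def payload_fires_buggy(today, rng):
    """Model of the reported flaw: the match check runs before the random
    number is generated, so it only ever sees the variable's initial value.
    The initial value is assumed here to be 'not yet set' (None)."""
    if (today.month, today.day) != TRIGGER_DATE:
        return False
    drawn = None                       # nothing has been generated yet
    matched = drawn == MATCH_VALUE     # check happens first: always False
    drawn = rng.randrange(ONE_IN)      # the draw only happens afterwards
    return matched                     # the fresh value is never consulted


def payload_fires_fixed(today, rng):
    """The same steps in the intended order: generate, then compare."""
    if (today.month, today.day) != TRIGGER_DATE:
        return False
    drawn = rng.randrange(ONE_IN)
    return drawn == MATCH_VALUE


def trigger_rate(fn, trials=20000, seed=1):
    """Fraction of simulated Oct. 16 runs in which fn's payload fires."""
    rng = random.Random(seed)         # seeded so the result is reproducible
    day = datetime.date(2001, 10, 16)
    hits = sum(1 for _ in range(trials) if fn(day, rng))
    return hits / trials


if __name__ == "__main__":
    print("buggy order on Oct. 16:", trigger_rate(payload_fires_buggy))
    print("fixed order on Oct. 16:", trigger_rate(payload_fires_fixed))
```

Run as-is, the buggy ordering reports a rate of exactly zero and the corrected ordering lands near 0.05. Note that the ordering defect is independent of the date: whatever day the worm runs, a comparison against an ungenerated value has the same outcome, which is why the researchers quoted above could say the date would not be "special in any way."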