Sircam worm spreads, causing corporate aggravation

Eight days after hitting the Internet, the W32.Sircam.worm computer virus continues to spread its troubles into the computers of businesses and users across the U.S. and around the globe.

"We've about ground to a halt here," said Richard Emig, the IT supervisor at Advanced Mixing Technologies, an industrial mixing system maker in Manchester, N.H. "I'm trying to contain things everywhere, as best as I can," he said.

The worm spreads itself automatically through e-mails by sending itself out to everyone in a user's e-mail address book. The virus itself is in an executable file attachment in the e-mails and is started when a user double-clicks on the file to open it. The damage it can cause ranges from annoyances to file and folder deletions.

The worm has been spreading so quickly that antivirus and security companies yesterday began upgrading their warnings about the virus (see story).

Emig said he's been forced to segregate the PCs of two dozen workers at his company to clean up the system slowdown problems and corrupted .dll files caused by the infection. While each PC had antivirus protection, the simple peer-to-peer network itself did not, he said.

Similar problems are being resolved at SelectRegistry.com, a Marshall, Mich.-based bed-and-breakfast online registry site.

"Production has come to a stop,'' said Terry Tassos, a third-party network system engineer called in to fix the damage. "Everyone is afraid to open anything on their computers."

Once he cleaned the worm from the system, Tassos said he installed a corporate edition antivirus package that includes automatic updates to protect the PCs of the seven workers in the company from future virus attacks.

"They're waking up and realizing that antivirus software and updated antivirus signatures are no longer a luxury," he said of customers. "They must have it."

Gerry Whittaker, the owner of Aquasoft Web Hosting in Madras, Ore., said her company received many copies of the virus last weekend through the e-mail account of a spammer who has been causing problems for many of her customers for some time. But in a surprise benefit from the Sircam worm, she now has the real e-mail address of the alleged spammer because the virus sent it to her in an e-mail attack.

Whittaker said infected e-mails had been received by many of the 35 sites her company hosts, but that no one had opened the attached files, limiting any damage.

Nomi Bergman, general manager at Time Warner Cable Inc. in Charlotte, N.C., said the company's Road Runner Carolina Internet service provider (ISP) operation in Herndon, Va., had been hit by the virus, with many customers receiving infected e-mails. The company uses several levels of antivirus protection at the client and network levels to defend itself from attacks, she said.

"Our mail servers have been affected" by slowdowns, "but it hasn't been horrible," Bergman said. "ISPs have to deal with quite a bit of this, which is quite difficult at times."

Steve Gottwals, director of product marketing at antivirus vendor F-Secure Corp. in San Jose, said the Sircam worm is sneakier than others because it attacks all e-mail applications, not just Microsoft Outlook, a favorite hacker target.

The virus may be affecting more small and midsize companies than larger companies because they may not have the financial resources to defend against such attacks, he said.

The potential for damage is compounded by the fact that commercial antivirus scanning engines may not always identify the worm as harmful, according to Ken Dunham, an analyst at SecurityPortal.com in Menlo Park, Calif. That means companies need to maintain multilevel lines of defense in corporate networks, including firewalls and multiple antivirus software packages at the gateway, groupware and client.

Although reports of the virus are coming from around the world, Gottwals said he hasn't seen a lot of damage yet. That could change in October, when the virus is apparently programmed to erase necessary Microsoft Windows operating system files from about one in 20 of the machines it infects. Damage could occur unless the worm is removed, he said.

F-Secure Corp. has posted an alert, as has Sunnyvale, Calif.-based McAfee.com Corp., which also warned about Sircam.

Related stories:

Related:

Copyright © 2001 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon