Tuesday, 24 July, 2001, 11:34 GMT 12:34 UK
Sircam virus steals files
[Image: Sircam message text. Caption: If you get a message bearing this text, delete it.]
By BBC News Online technology correspondent Mark Ward

A computer virus called Sircam is using some clever tricks to spread itself and potentially sensitive files around the net.

The virus strikes PCs running Windows, plunders address books for new places to send itself and steals random documents from a machine's hard disk.

It also attempts to disguise itself by changing the main text of the message and choosing a new subject line every time it travels.

The virus, more properly known as a worm, was first detected in mid-July but has slowly been gathering momentum.

Sircam strikes

Anti-virus companies are reporting that the virus, christened Sircam, has been turning up in ever-increasing numbers since it was first discovered on 16 July. MessageLabs said it had caught almost 11,500 copies of Sircam from 110 countries. Over 4,000 copies have been stopped in the last 24 hours.

Possible Sircam texts
"Hi! How are you?"
"I send you this file in order to have your advice"
"I hope you like the file that I sendo you"
"I hope you can help me with this file that I send"
"This is the file with the information you ask for"
"See you later. Thanks"

"Although we have seen significant numbers of this virus in the US, we believe that Europe is still waiting to feel the brunt of the Sircam virus," said Mark Sunner, a MessageLabs spokesman.

Unlike the Love Bug, Naked Wife and Kournikova viruses, which spread by exploiting human gullibility and the weaknesses of Microsoft's popular Outlook e-mail program, Sircam contains its own mail program so it can travel with no external help.

But like other viruses, a machine only becomes infected when the message containing the file is opened and the attachment launched.

File mangler

In contrast to other viruses, Sircam can plunder the address books of almost any Windows e-mail program, as well as any e-mail addresses it finds in the cache file of a web browser on an infected machine.

Sircam also steals a random file from the hard disk of an infected machine and attaches this to messages it sends. As a result attachments can vary enormously in size and contribute to the clogging of mail servers. So far, the largest file seen mailed with the virus was 107 megabytes in size.

In an added twist, the subject line of the infected mail message is changed to the name of the plundered file.

Viruses such as the Love Bug were easy to warn people about because they always travelled with the same subject line. Every message Sircam sends uses a different subject line. The name picked is the same as the file attached to it.

Already there have been reports of memos, CVs, job listings, diary entries, expense forms and complaint letters being attached to infected messages.

Graham Cluley, a spokesman for anti-virus company Sophos, said Sircam was easily the biggest virus seen this month. "This may be because it has been a few weeks since anything really big has happened on the virus front so people have got complacent," said Mr Cluley.

The text of the Sircam message varies, making it more difficult for people to spot an infected file. However, the virus always begins "Hi! How are you?", and always ends "See you later. Thanks".
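The traits reported in this article (fixed first and last lines, subject line equal to the attachment's file name) can be combined into a mail check. The Python below is an added example, not part of the original article or any vendor's signature; it covers only the English text quoted above, and the function names, addresses and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

OPENING = "Hi! How are you?"        # first line of the body, per the article
CLOSING = "See you later. Thanks"   # last line of the body, per the article

def sircam_indicators(raw: str) -> dict:
    """Check one RFC 5322 message for the three traits the article reports."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    subject = str(msg["Subject"] or "").strip().lower()
    names = [(a.get_filename() or "").lower() for a in msg.iter_attachments()]
    return {
        "opening": bool(lines) and lines[0] == OPENING,
        "closing": bool(lines) and lines[-1] == CLOSING,
        # Assumption: the subject may match the file name with or without
        # its extension, so both forms are accepted.
        "subject_is_attachment": bool(subject) and any(
            n == subject or n.startswith(subject + ".") for n in names),
    }

def looks_like_sircam(raw: str) -> bool:
    # Require all three traits; the greeting alone is ordinary e-mail text.
    return all(sircam_indicators(raw).values())

def build_sample(subject: str, body: str, attachment: str) -> str:
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_string()

# Constructed samples: one with all reported traits, one ordinary message.
SUSPECT = build_sample(
    "expenses_july",
    "Hi! How are you?\nI send you this file in order to have your advice\n"
    "See you later. Thanks\n",
    "expenses_july.doc")
BENIGN = build_sample(
    "Meeting notes", "Hi! How are you?\nNotes attached.\nRegards\n", "notes.txt")

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, sircam_indicators(raw), looks_like_sircam(raw))
```

Because the middle sentence and the subject both vary, the check keys on the fixed framing lines plus the subject-to-attachment match rather than on any single string.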

The virus is thought to have originated in South America and this perhaps explains why there are both Spanish and English versions of the virus. It also contains a timer that may lead to lots of files on infected computers being deleted on 16 October.

The virus is more properly known as a worm because it can spread itself with no help from other programs.
