I think that McAfee and Norton must be hiring the hackers to write new viruses to infest us with. This past month we were graced with the arrival of SirCam. I would estimate that over the past month this particular virus has been sent into our office over 100 times. Luckily, I have followed my own advice and kept both the McAfee and Outlook programs up to date. Because of this, we were able to stop the virus before my users had the chance to think about clicking on the attachment. I'm sure that they have been trained well enough that they would not have clicked on any attachment that they received in an e-mail. My people have not opened any attachments that they will admit to, for now.
This is not the case with one of our customers. They are a small firm with about twenty people in the office. The problem I have is that they have chosen the Corel Office Suite instead of the Microsoft Office we use in my office, which means they use Outlook Express rather than Outlook to receive their e-mail. Unlike Microsoft Outlook, which has a security update that blocks access to potentially harmful attachments, Outlook Express lets every attachment through. SirCam arrives as an e-mail with an attachment. The attachment is a document taken from the sending machine, with the worm's code prepended to it and a second, executable extension appended to its name, so the file carries a double extension.
What this means to me, as well as to them, is that the users at this firm are presented with an e-mail that appears to have a document attached and a message with a friendly greeting, "Hi, how are you?" The rest of the message is very short and appears to ask for help or advice about the attached document. It also comes in a Spanish version, for those of you who are bilingual.
Here is a breakdown of what happens after the infected document has been clicked on. This is from the McAfee Virus Library on the web.

Attached will be a document with a double extension (the filename varies). The first extension will be the file type which was prepended by the virus. When run, the document will be saved to the C:\RECYCLED folder and then opened while the virus copies itself to C:\RECYCLED\SirC32.exe to conceal its presence and creates the following registry key value to load itself whenever .EXE files are executed:

HKCR\exefile\shell\open\command \Default="C:\recycled\SirC32.exe" "%1" %*

As the RECYCLE BIN is often on the exclusion list, check your settings to ensure that this directory IS being scanned. It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and creates the following registry key value to load itself automatically:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd character of the name appears to be random) in the SYSTEM directory. E-mail addresses are gathered from the Windows Address Book and temporary Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd characters of the name appear to be random) in the SYSTEM directory. The worm prepends a copy of the files that are named in the SCD.DLL file and attaches this copy to the e-mail messages that it sends via a built-in routine for communicating directly with an SMTP server, using one of the following extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment names having double extensions.

The program creates a registry key to store variables for itself (such as a run count and SMTP information):

HKLM\Software\Sircam

The virus may also infect other systems by using open network shares. On remote systems the file \windows\rundll32.exe may get replaced with a viral copy, while the valid RUNDLL32.EXE file is renamed to RUN32.EXE. On those systems, the AUTOEXEC.BAT file may be appended with the line:

@win \recycled\sirc32.exe

Aside from e-mail overloading, it might delete files on 16 October and/or fill up hard disk space by adding text entries over and over again to a SirCam recycle bin file.
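The indicators in that write-up can be turned into a repeatable check. Below is an added example (my code, not from the article or from McAfee) that evaluates a host snapshot against each item listed above: the two worm copies, the exefile handler hijack, the RunServices autostart, the HKLM\Software\Sircam state key, the renamed RUNDLL32.EXE and the AUTOEXEC.BAT line. The snapshot format, the constructed sample data and the RunCount value name are assumptions made for the example; the write-up names only the key.

```python
"""Triage a host snapshot for the SirCam indicators listed in the McAfee write-up.

Added example, not part of the original article. It works on a snapshot (file list,
registry values, AUTOEXEC.BAT text) that the caller collects and passes in, so the
checking logic can be run and tested off the infected machine.
"""
import re

# Indicators taken from the McAfee description quoted in the article.
WORM_BODIES = {r"c:\recycled\sirc32.exe", r"c:\windows\system\scam32.exe"}
EXEFILE_COMMAND_VALUE = r"HKCR\exefile\shell\open\command\(Default)"
CLEAN_EXEFILE_COMMAND = '"%1" %*'   # Windows default: run the .EXE itself with its arguments
RUNSERVICES_DRIVER32 = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32"
SIRCAM_STATE_KEY = r"HKLM\Software\Sircam"
RENAMED_RUNDLL32 = r"c:\windows\run32.exe"
AUTOEXEC_LINE = re.compile(r"^\s*@?win\s+\\recycled\\sirc32\.exe\s*$", re.IGNORECASE)


def triage(snapshot):
    """Return a list of finding strings for one host.

    snapshot keys (all constructed by the caller):
      "files":    iterable of absolute paths present on disk
      "registry": dict of "KEY\\ValueName" -> data, with "(Default)" for a key's default value
      "autoexec": text of AUTOEXEC.BAT from the root of drive C
    """
    findings = []
    files = {p.lower() for p in snapshot["files"]}
    registry = {k.lower(): v for k, v in snapshot["registry"].items()}

    for path in sorted(WORM_BODIES):
        if path in files:
            findings.append("worm body present: " + path)

    # Handler hijack: any default command for .EXE files other than '"%1" %*' means every
    # program launch is routed through another executable first.
    command = registry.get(EXEFILE_COMMAND_VALUE.lower())
    if command is not None and command.strip() != CLEAN_EXEFILE_COMMAND:
        findings.append("exefile handler hijacked: " + command)

    driver32 = registry.get(RUNSERVICES_DRIVER32.lower())
    if driver32 and "scam32.exe" in driver32.lower():
        findings.append("RunServices autostart: Driver32=" + driver32)

    if any(k.startswith(SIRCAM_STATE_KEY.lower()) for k in registry):
        findings.append("worm state key present: " + SIRCAM_STATE_KEY)

    # Share-based spread leaves the real RUNDLL32.EXE renamed and AUTOEXEC.BAT appended.
    if RENAMED_RUNDLL32 in files:
        findings.append("RUN32.EXE present; RUNDLL32.EXE may be a viral copy")
    for line in snapshot["autoexec"].splitlines():
        if AUTOEXEC_LINE.match(line):
            findings.append("AUTOEXEC.BAT autostart line: " + line.strip())

    return findings


def sample_infected_snapshot():
    """Constructed snapshot reproducing every indicator from the write-up."""
    return {
        "files": [r"C:\RECYCLED\SirC32.exe", r"C:\WINDOWS\SYSTEM\SCam32.exe",
                  r"C:\WINDOWS\RUN32.EXE", r"C:\WINDOWS\RUNDLL32.EXE"],
        "registry": {
            EXEFILE_COMMAND_VALUE: r'C:\recycled\SirC32.exe "%1" %*',
            RUNSERVICES_DRIVER32: r"C:\WINDOWS\SYSTEM\SCam32.exe",
            # Value name is an assumption; the write-up only says the key holds a run count.
            SIRCAM_STATE_KEY + r"\RunCount": "1",
        },
        "autoexec": "@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n@win \\recycled\\sirc32.exe\r\n",
    }


def sample_clean_snapshot():
    """Constructed snapshot of an uninfected machine."""
    return {
        "files": [r"C:\WINDOWS\RUNDLL32.EXE"],
        "registry": {EXEFILE_COMMAND_VALUE: '"%1" %*'},
        "autoexec": "@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n",
    }


if __name__ == "__main__":
    for finding in triage(sample_infected_snapshot()):
        print(finding)
```

Note the cleanup order that the exefile hijack forces: if C:\recycled\SirC32.exe is deleted while HKCR\exefile\shell\open\command still points at it, no .EXE on the machine will launch, because every program run goes through that path first. Restore the command to "%1" %* before removing the file, then re-run the check until it comes back empty.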
There are many other viruses that will do a lot more damage to your system. This one seems to have hit the maximum number of people because of how simple it is. I do not remember a virus that I have seen so much of. We have seen the virus try to get to us in about 100 different e-mails. We have also taken the virus off of about 10 systems a week since the 18th of July, when it was discovered. If we only see 1 percent of the machines in the area, that is a lot of people that have been duped. Hopefully we can make the changes to combat the spread that seems to be steamrolling through the Internet.
There are a few items to check on your system to help combat the spread of viruses. Turn on the display of file extensions in the Windows Explorer folder options, so that you can see whether a file has a double extension; that should alert you that the file is probably infected. Add the lnk and pif extensions to the extensions list in your antivirus program, or choose Scan All Files. This is in addition to the vbs and htm extensions that you should have added to the list to combat the LoveLetter viruses from last year. Remove the Recycle Bin from the list of locations excluded from scanning within your antivirus program; that is a new item SirCam has given us.
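To make the double-extension advice concrete, here is an added example (my code, not from the article) that checks attachment names against the document and executable extension lists from the McAfee description above and shows what the user would see with extensions hidden or displayed. The sample attachment names are constructed. One caveat the article does not mention, added here: Windows marks .lnk and .pif as types whose extension is never displayed, so a file named report.pdf.pif shows as report.pdf even after extensions are turned on, which is why the antivirus scan of those types matters more than the displayed name.

```python
"""Classify e-mail attachment names by their full extension chain, not the one Explorer shows.

Added example, not part of the original article. The document and executable extension
lists come from the McAfee description quoted earlier; the NeverShowExt behaviour of .lnk
and .pif is a Windows fact the article does not mention and is included as an added caveat.
"""

# File types SirCam picks from My Documents, and the executable types it appends.
DOCUMENT_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".mpeg", ".mov", ".mpg", ".pdf", ".png", ".ps", ".zip"}
EXECUTABLE_EXTENSIONS = {".bat", ".com", ".exe", ".lnk", ".pif"}
# Explorer suppresses these extensions even when "Hide file extensions for known file types"
# is turned off (their file types carry the NeverShowExt flag), so report.pdf.pif displays
# as report.pdf regardless of the folder option.
NEVER_SHOW_EXT = {".lnk", ".pif"}


def split_extensions(filename):
    """'photo.jpg.exe' -> ('photo', ['.jpg', '.exe']); extensions are lower-cased."""
    parts = filename.split(".")
    if len(parts) == 1:
        return filename, []
    return parts[0], ["." + p.lower() for p in parts[1:]]


def displayed_name(filename, hide_known_extensions=True):
    """Approximate the name Explorer (and Outlook Express) shows the user for an attachment."""
    _, exts = split_extensions(filename)
    if not exts:
        return filename
    last = exts[-1]
    if last in NEVER_SHOW_EXT or hide_known_extensions:
        return filename[: -len(last)]
    return filename


def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'block' or 'allow'."""
    _, exts = split_extensions(filename)
    if not exts:
        return "allow", "no extension"
    last = exts[-1]
    if last not in EXECUTABLE_EXTENSIONS:
        return "allow", "non-executable type " + last
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
        return "block", "SirCam pattern: document name with executable extension appended"
    return "block", "executable attachment"


def review_mailbox(attachment_names, hide_known_extensions=True):
    """Return one row per attachment: what the user sees, the real name, verdict, reason."""
    rows = []
    for name in attachment_names:
        verdict, reason = classify_attachment(name)
        rows.append((displayed_name(name, hide_known_extensions), name, verdict, reason))
    return rows


# Constructed sample: names shaped like the SirCam mailings described in the article.
SAMPLE_ATTACHMENTS = ["vacation.jpg.exe", "Budget.ZIP.pif", "proposal.pdf.lnk", "notes.zip", "README"]

if __name__ == "__main__":
    # With extensions displayed, the .exe case is visible but the .pif and .lnk cases are not.
    for shown, real, verdict, reason in review_mailbox(SAMPLE_ATTACHMENTS, hide_known_extensions=False):
        print(f"{shown:20} {real:20} {verdict:6} {reason}")
```

Run it once with hide_known_extensions set to True and once with False: turning extensions on exposes vacation.jpg.exe, but Budget.ZIP.pif and proposal.pdf.lnk still display as Budget.ZIP and proposal.pdf, which is exactly why lnk and pif belong in the antivirus extension list.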
The last thing I would advise all of you that use Outlook Express to do is to download and install the newest version from the Windows Update site; at the time of writing, Internet Explorer 6 is at the bottom of the list in the Preview section. I have been using it for the last month and have not seen any problems yet. The reason that I like this new version is an option on the Security tab within Outlook Express: Microsoft has finally seen fit to add the option to keep potentially dangerous content from being received into the e-mail. I am waiting until I receive my next virus so I can open Outlook Express and test whether it really stops them. Once I see that the virus is stopped, I will be upgrading all of my customers that use the program as fast as I can.
If we all get on the same bandwagon and update our systems the way we should, we can at least slow the spread of the viruses down. If you choose not to update, then please don't click on the infected stuff.