From: "David C. Blackwell" <>
Subject: [GM-L] SirCam worm/virus from AOL and other ISP user(s) (header included)
Date: Tue, 24 Jul 2001 17:39:16 -0400
Hello Jennifer, GenMass List, and abuse at AOL.com
I expect many people are getting this email worm or "virus"
and we should NOT report them to the GenMass list.
Here is a report on it, the SirCam email worm:
http://www.symantec.com/avcenter/venc/data/ (has a free
Sircam removal tool)
The above .html line is a URL link, not an attachment,
I hope everyone knows the difference,
if not, you can cut and paste the URL into your browser, to be "safe".
It IS a NEW (July 17th) and dangerous email worm and
AGAIN everyone should KNOW NOT to click on email attachments
from anyone (known or unknown) unless you are expecting one.
You can save an expected attachment if it has a .jpg, or .doc type
and your UPDATED virus software checks it.
Be VERY VERY suspicious of attachments of the .com, or .scr, or .exe, etc.
I have Symantec Norton Antivirus 2001 and it stated that the
attachment file (name.doc.com) was unrepairable and access was denied
when out of curiosity I tried to save it (and test my UPDATED Norton virus
Jennifer you did not state which antivirus program you have
but I expect incurable means the attachment file is not repairable.
You CAN NOT tell who really sent the infected email ********,
You can look at the full header of the email and see which company sent it.
Only the sending company can figure out who REALLY sent the infected email
from the Message ID.
In the email I received it was from a customer of AOL's
but the FROM name was Prodigy, so it appears the email worm
CREATES the message from parts of OTHER messages in the infected person's
Often as a reply.
So an email worm like this one might have your name or GenMassachusetts-L on the
because the worm created the message from other messages in the infected
person's Microsoft Outlook!
and that infected person's machine may have a message from you.
Tricky email worm, isn't it?
(I do not use MS Outlook. I use Netscape 4.7 browser and email)
The email worm makers are attacking Microsoft and annoying everyone else.
ISP companies like AOL (who have lots of vulnerable novice users) should have
on their in and out email servers, but there are philosophical worries about
So we the receivers will have to use filters like Norton Antivirus and remember
the automatic? updates.
AND remember not to click on attachments,
(right click and save the attachment
if you are curious about it and run newly updated virus checking on it,
and do not run or start attachments).
It is a big headache for AOL and other ISPs to figure out
which customers have the virus (since the FROM field is bogus)
and to inform the infected users (if AOL and other ISPs bother to do so).
David Blackwell 978 933-7466 workdays
PS here is the only truthful part of the header of the infected email from an
from rly-ip02.mx.aol.com (126.96.36.199) by
mta429.mail.yahoo.com with SMTP; 24 Jul 2001 12:44:50 -0700
from tot-ntc-td.proxy.aol.com (tot-ntc-td.proxy.aol.com
[188.8.131.52]) by rly-ip02.mx.aol.com
with ESMTP id PAA03699 for <>; Tue, 24
Jul 2001 15:08:46 -0400 (EDT)
from ibm (ACB635C5.ipt.aol.com [184.108.40.206]) by
tot-ntc-td.proxy.aol.com (8.10.0/8.10.0) with SMTP id
f6OJ7rc04104 for <>; Tue, 24 Jul 2001
12:07:53 -0700 (PDT)
Only this part of the header can not be faked,
everything else in an email can be faked. DCB
> #3 [GM-L] "Incurable" virus from list ["Jennifer Parks" <jennifereparks@h]
> Subject: [GM-L] "Incurable" virus from list member
> Date: Mon, 23 Jul 2001 21:14:53 -0400
> From: "Jennifer Parks" <>
> I just got a reply to an earlier posting of mine from:
> "Eddie and Wendy Buchanan" <>
Note: this FROM field was probably made up by the email worm/virus from other
in the infected person's Microsoft Outlook. DCB
> It contained an attachment that my virus software termed "incurable. Be
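An added example, not part of the original post: a Python sketch of the header check the message describes. It reads the Received chain from the newest hop down, reports the peer recorded by the first relay next to the claimed From address, and flags a double-extension attachment. The From address, the `RISKY` set and the hop-continuity heuristic are assumptions of this example; the Received lines are copied from the post.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the three Received lines quoted in the post plus a
# made-up From header and the attachment name the post mentions.
RAW = """\
Received: from rly-ip02.mx.aol.com (126.96.36.199) by
 mta429.mail.yahoo.com with SMTP; 24 Jul 2001 12:44:50 -0700
Received: from tot-ntc-td.proxy.aol.com (tot-ntc-td.proxy.aol.com
 [188.8.131.52]) by rly-ip02.mx.aol.com
 with ESMTP id PAA03699 for <>; Tue, 24
 Jul 2001 15:08:46 -0400 (EDT)
Received: from ibm (ACB635C5.ipt.aol.com [184.108.40.206]) by
 tot-ntc-td.proxy.aol.com (8.10.0/8.10.0) with SMTP id
 f6OJ7rc04104 for <>; Tue, 24 Jul 2001
 12:07:53 -0700 (PDT)
From: "Constructed Sender" <sender@prodigy.example>
Content-Disposition: attachment; filename="name.doc.com"

x
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<peer>.*?)\)\s+by\s+(?P<by>\S+)")
RISKY = {"com", "scr", "exe", "pif", "bat"}  # pif/bat added to the post's list

def hops(msg):
    # Newest first. "helo" is sender-supplied; "peer" is what the server saw.
    lines = (" ".join(v.split()) for v in msg.get_all("Received", []))
    return [m.groupdict() for m in map(HOP.search, lines) if m]

def consistent_chain(found):
    # Heuristic: keep hops while each "by" host is the sender of the hop above.
    chain = found[:1]
    for hop in found[1:]:
        if hop["by"].lower() != chain[-1]["helo"].lower():
            break  # continuity broken: lines below this point may be forged
        chain.append(hop)
    return chain

def report(raw):
    msg = email.message_from_string(raw)
    chain = consistent_chain(hops(msg))
    ext = (msg.get_filename() or "").lower().split(".")
    return {"origin": chain[-1]["peer"] if chain else None, "hops": len(chain),
            "claimed_from": parseaddr(msg.get("From", ""))[1],
            "risky_attachment": len(ext) > 2 and ext[-1] in RISKY}

print(report(RAW))
```

The `origin` value is the host the sending ISP can match to a customer from its own logs; `claimed_from` is whatever the sender chose to put there.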