SirCam Sure Can Compromise
Confidentiality breaches an unpleasant side effect of worm
In Microsoft® Windows, the 'My Documents' folder is one of the most accessible locations on the system, whether from the desktop, from Windows Explorer, or as the default save location in many programs. As a result, many people use it as a repository for all their data files, even those that contain sensitive or confidential information. This practice has never been a good idea, as it gives ill-intentioned intruders a virtual roadmap to your personal and work output. The SirCam worm takes the exposure one step further, using the contents of the folder to package and disguise itself when it mails itself to others.

Sircam (a.k.a. I-Worm.Sircam, W32.Sircam, and W32/SircCam) mass-mails itself using addresses found in the Windows Address Book and in cached email addresses found on the system. The attachment it sends is a compilation of its infection routine and a file found in the My Documents folder. The original name of the file is left intact, with an executable extension appended to it. For example, .PIF, .COM, or .EXE would be added to the original filename, so myphoto.jpg would become myphoto.jpg.exe. Users who did not have file extension viewing enabled would see only the original extension and, in the example above, could be tricked into believing an executable file was actually a harmless image file.

The worm then mails itself in an email with following message body:

Hi! How are you?

I send you this file in order to have your advice

See you later! Thanks

The subject line of the email is the name of the original file. When the infected attachment is executed, whatever file was "lifted" from the sender's My Documents folder is displayed, thus disguising the SirCam worm's actions. This is particularly risky, as an infected user who stores confidential data in the My Documents folder could easily find proprietary and sensitive data mass-mailed to others.
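The disguise described above (a data-looking inner extension with an executable extension appended, a subject equal to the original file name, and the fixed lure text) is something a mail gateway can check for. The following is an added example, not code from the original article or from any antivirus vendor: the extension lists are an assumed allow-list, the message dictionaries are constructed samples, and the subject comparison assumes the subject carries either the displayed name or its stem.

```python
"""Mail-gateway style checks for the attachment disguise described above.

Added example, not code from the original article or from any antivirus vendor.
Assumptions: subject, attachment name and body are already extracted from the
mail; the extension sets are an illustrative allow-list, not a vendor signature.
"""

# Executable extensions the article names as being appended to the stolen file.
EXECUTABLE_EXTENSIONS = {"exe", "com", "pif"}

# Extensions a user would read as harmless data (assumed allow-list; extend as needed).
DATA_EXTENSIONS = {"jpg", "jpeg", "gif", "bmp", "doc", "xls", "txt", "zip", "pdf"}

# Phrase from the worm's message body, as quoted in the article.
LURE_PHRASES = ("i send you this file in order to have your advice",)


def extensions(filename):
    """Lower-cased extension chain of a name, e.g. 'a.jpg.exe' -> ['jpg', 'exe']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base.split(".")[1:]


def displayed_name(filename):
    """What a user with 'hide extensions for known file types' sees: last extension dropped."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def is_disguised_executable(filename):
    """True for names like myphoto.jpg.exe: data-looking inner extension, executable outer one."""
    exts = extensions(filename)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS and exts[-2] in DATA_EXTENSIONS


def sircam_indicators(message):
    """Return the list of indicators that fire on one message (dict: subject/attachment/body)."""
    hits = []
    attachment = message.get("attachment", "")
    if is_disguised_executable(attachment):
        hits.append("double-extension-attachment")
    shown = displayed_name(attachment).lower()
    subject = message.get("subject", "").strip().lower()
    # The article says the subject is the original file's name; compare against the
    # name as displayed and against its stem (assumption: either form may appear).
    if subject and subject in (shown, shown.rsplit(".", 1)[0]):
        hits.append("subject-matches-attachment")
    body = " ".join(message.get("body", "").lower().split())
    if any(phrase in body for phrase in LURE_PHRASES):
        hits.append("lure-body-text")
    return hits


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    {"subject": "myphoto.jpg", "attachment": "myphoto.jpg.exe",
     "body": "Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later! Thanks"},
    {"subject": "Q3 budget", "attachment": "budget.xls", "body": "Figures attached, see tab 2."},
    {"subject": "holiday", "attachment": "beach.gif.pif", "body": "pics from last week"},
]


def triage(messages):
    """Map each attachment name to the indicators it triggers; an empty list means nothing fired."""
    return {m["attachment"]: sircam_indicators(m) for m in messages}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_MESSAGES).items():
        print(f"{name:20} {'clean' if not hits else ', '.join(hits)}")
```

The double-extension check alone is the one worth keeping long after this particular worm: a name whose last two extensions are "data" followed by "executable" has no legitimate reason to arrive by mail, whereas the subject and body checks are specific to this lure and only add confidence.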

SirCam then copies itself to the Recycle Bin, C:\recycled\SirC32.exe, in an attempt to avoid detection by some antivirus scanners. The worm modifies the registry, [HKEY_CLASSES_ROOT\exefile\shell\open\command], so that the worm is run first when any .EXE on the system is run. This method makes improper removal of the worm a dangerous proposition. If the worm is deleted before the registry modification is corrected, no .EXE on the system will run.
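Because deleting the worm before restoring the exefile handler leaves no .EXE able to start, the safe order is to inspect the handler first. The check below is an added example, not code from the original article or from any removal tool: it parses a regedit export (so it runs on any platform) and, on Windows only, can read the live key. The hijacked command string in the sample export is constructed to match the article's description (worm copy at C:\recycled\SirC32.exe, run before the clicked program); the exact value SirCam wrote is not quoted on the page.

```python
"""Check whether the .EXE file-association handler has been redirected, as the article
describes SirCam doing with HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command.

Added example, not code from the original article or any removal tool. It works on a
.reg export (runs anywhere) and can read the live key on Windows. The hijacked command
in the sample export is constructed from the article's description, not a captured value.
"""
import sys

# Stock value of the exefile open command: run the clicked program with its arguments.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"


def _unescape(data):
    """Undo .reg string escaping: a backslash makes the next character literal."""
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data):
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Minimal parser for regedit exports: {key path: {value name: string data}}; '@' becomes ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, sep, data = line.partition("=")
        if current is None or not sep:
            continue
        name = "" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def first_program(command):
    """The first thing the shell launches for the command; '%1' means the clicked file itself."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""


def exefile_command_is_hijacked(command):
    """Anything other than the stock value launches something before the clicked .EXE."""
    return " ".join(command.split()) != DEFAULT_EXEFILE_COMMAND


def audit_command(command):
    """Summarise one handler value: the raw command, whether it deviates, and what runs first."""
    return {"command": command,
            "hijacked": exefile_command_is_hijacked(command),
            "runs_first": first_program(command)}


def audit_reg_export(text):
    """Audit the exefile handler found in an export; None if the key is not present."""
    for path, values in parse_reg_export(text).items():
        if path.lower() == EXEFILE_KEY.lower() and "" in values:
            return audit_command(values[""])
    return None


def read_live_exefile_command():
    """Windows only: read the default value of the live key (returns None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command")


# Constructed exports: a clean handler, and one redirected through the article's Recycle Bin path.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\SirC32.exe \"%1\" %*"
'''

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, audit_reg_export(export))
    live = read_live_exefile_command()
    if live is not None:
        print("live", audit_command(live))
```

The check deliberately flags any deviation from the stock value rather than looking for this worm's path, since the same key is a generic persistence point; when it fires, restore the default value before removing whatever `runs_first` points at, which is the order the article's warning implies.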

Complete removal instructions, either manual or via an automated tool, can be found at:
http://antivirus.about.com/library/weekly/aa072301a.htm.

©2009 About.com, a part of The New York Times Company.

All rights reserved.