Norton Anti-Virus, MIMEsweeper, McAfee ActiveShield Not 100% Effective with Catching the SirCam Virus
A colleague mentioned to me Friday that Norton Anti-Virus was failing to catch the SirCam virus and its email attachment as the email arrived in his Inbox. Searching for SirCam at Moreover quickly yielded articles about this. Agh!
I also learned, however, that Norton DOES catch it if someone tries to click on the attachment. According to an article in The Register, “Symantec fails to stop SirCam”:
“When SirCam spreads itself by email the messages generated have an invalid or mangled MIME-header, because of which Symantec’s products don’t recognise that an email has an attachment.
“The same bug in Symantec’s desktop software means Norton Antivirus also fails to detect SirCam with its POP email filter. Chien admitted the issue meant Symantec’s email auto protection is ineffective at blocking the prolific worm but stressed that Norton Antivirus would detect SirCam if a user tried to either open or save an infected attachment to disk.”
Baltimore Technologies MIMEsweeper content filtering software has been reported to have a similar problem, too.
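Added example, not from the original post or from any vendor named in it: a Python sketch of why a scanner that trusts a message's MIME structure can miss an attachment when the header is damaged, and a fail-closed check built on the standard library's parse defects. The message is constructed, and the specific damage shown (a multipart Content-Type with no boundary parameter) is an assumption; the post does not say how SirCam's headers were mangled.

```python
import email
import re
from email import policy

def build(content_type):
    """Constructed sample message; only the top-level Content-Type varies."""
    return "\n".join([
        "From: sender@example.com",
        "To: rcpt@example.com",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        f"Content-Type: {content_type}",
        "",
        "--XYZ",
        "Content-Type: text/plain",
        "",
        "Hi, see the attached file.",
        "--XYZ",
        'Content-Type: application/octet-stream; name="sample.bin"',
        'Content-Disposition: attachment; filename="sample.bin"',
        "",
        "constructed sample bytes",
        "--XYZ--",
        "",
    ])

WELL_FORMED = build('multipart/mixed; boundary="XYZ"')
MALFORMED = build("multipart/mixed")  # assumed damage: boundary parameter missing

# Raw-text hints that a message carries an attachment even if parsing fails.
ATTACH_HINT = re.compile(r"^Content-Disposition:\s*attachment|\bfilename\s*=", re.I | re.M)

def naive_attachments(raw):
    """What a scanner sees if it only walks the parsed MIME tree."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def triage(raw):
    """Fail closed: structural defects or unexplained hints mean quarantine."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = list(msg.walk())
    names = [p.get_filename() for p in parts if p.get_filename()]
    defects = [type(d).__name__ for p in parts for d in p.defects]
    hinted = bool(ATTACH_HINT.search(raw))
    if defects or (hinted and not names):
        verdict = "quarantine"
    elif names:
        verdict = "scan-attachments"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "attachments": names, "defects": defects}
```

For the damaged message the tree walk returns no attachments at all, which is the gap a scan-on-arrival filter falls into; the defect list is what lets the gateway hold the message instead of passing it through unscanned.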
And What About McAfee?
Especially being bombarded with so many emails with the virus the past several days, I’ve found that McAfee’s ActiveShield anti-virus software also has not consistently caught the SirCam virus as the email downloads into my Inbox as of the time of this post; however, as soon as I attempt to open the email (just the email, not the attachment!), ActiveShield immediately posts the virus warning.
This sounds like a step above what’s happened with Norton and Baltimore Technologies; however, these 3 haven’t caught SirCam’s email attachment as soon as it arrives, which they all are supposed to do.
Patches On The Way
Patches are being worked on to resolve the issue as quickly as possible for MIMEsweeper and Norton Anti-Virus. So the good news is that while Norton and MIMEsweeper may not consistently catch the SirCam virus and attachment as the email comes into your Inbox (as of the time of this post), from their reports they ARE catching it as soon as someone attempts to save or click on the attachment with the virus.
Email Bombing Is Another Effect of SirCam
SirCam’s email bombing effect can be halting as well, as explained in CNet’s article, “SirCam clogs mailboxes, spreads secrets,” and The Register’s article, “SirCam virus hogs connections with spam.” So anyone can be greatly impacted by the results of SirCam, even if the computer hasn’t been infected.
I received over 1,000 emails with attached documents and the SirCam virus within 48 hours before my ISP and I worked on blocking them at the server end (whew!). In addition, he caught at least 300 on the server end, too, that he kept from going into my Inbox. I’ve read other reports from a few individuals receiving over 3,000 emails within the same time period.
Another problem is that innocent people have had their email blocked to various servers just because their email addresses have resided in someone’s browser cache or address book that became infected, which the SirCam virus used as an email address when it sent itself out to someone else.
Related at Brainstorms and Raves
- FAQ: What you need to know about SirCam (CNet, July 24, 2001)
- Set us up the Sircam (Masochist, July 26, 2001)
Instructions and free utilities
To help you check for the virus and remove it if needed:
- Symantec (Norton Anti-Virus) W32.Sircam.Worm@mm Removal Tool
- f-Secure instructions and free removal utility
- McAfee information and instructions