Dangerous 'Sircam' virus keeps spreading

SAN FRANCISCO (Reuters) — While the "Code Red" Internet worm grabs headlines and alarms Internet users around the world, a different virus has been quietly wreaking havoc in the background, infecting computers and sending out potentially sensitive files, security experts said on Thursday. The virus, dubbed "Sircam," is responsible for secret documents being leaked from the administration of Ukrainian President Leonid Kuchma this week to the ForUm news Web site (www.for-ua.com), site operators said. A computer at the FBI's National Infrastructure Protection Center became infected with the virus late last month and sent some private, though not sensitive or classified, FBI documents out in e-mails as a result, officials said.The virus, which has been rated high risk by most antivirus vendors, was the top-ranking virus in July, with over 38% of the share of virus infections, according to antivirus software company Central Command.

The Sircam infestation comes amid global concern over the Code Red worm, which has spread across the world's computer networks over the past several weeks. Code Red's effects have been blunted by protective software patches installed on many systems.

Unlike Code Red, Sircam has received little public attention, even though it has a potentially far more damaging effect. After infecting a computer, Sircam sends copies of itself to all e-mail addresses in the PC's address book, and attaches a random file from the computer to each of those e-mails, experts said.

The virus has turned out to be both nastier and longer-lived than experts had expected, partly because its appearance changes as it spreads, said Andy Faris, president of MessageLabs Americas.

"It's a much more serious outbreak than most vendors originally forecast," said Faris. "It's the single most prolific virus in our customer base," of about 3,000 customers and 500,000 users.

Experts first detected Sircam in July and saw its first peak on July 25. Unlike most viruses that die off after they peak, the number of computers infected by Sircam rose again to spike anew on Tuesday, according to e-mail security outsourcer MessageLabs Americas, raising the possibility that it could jump again.

About 200 different Symantec customers have reported at least 10,000 infections, said Steve Trilling, director of research.

"That would vastly underestimate the total number of infected computers," Trilling said. "Based on what we've seen I would be surprised if Sircam had only 100,000" computer infections.

The virus does not target any specific e-mail program, like Microsoft's Outlook, but can affect any e-mail user because it has its own e-mail engine, experts said.

Aside from sending out random files, Sircam can have other harmful effects. Trilling said that, for most infected computers, there was a one-in-50 chance the virus would fill up the hard disk drive and a one in 20 chance that it would follow orders to delete files on Oct. 16.