While Code Red and Code Red II have dominated the security news, a mass-mailing worm called SirCam has been quietly spreading since mid-July. A short note on what it does and why it has been overshadowed.
What SirCam does
The vector is email with an attachment. The attachment is an executable named <random-document>.<some-extension>.{exe,bat,com,scr,pif,lnk} — a double-extension trick similar to ILOVEYOU.
What is interesting about SirCam: when run, it picks a random document from the user's My Documents folder and attaches it to the outgoing copies of itself. The propagation includes the user's actual files.
For the recipient, the email looks like:
Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
With an attachment that has a real document name (taken from the sender's My Documents) plus a malicious extension.
The consequence: SirCam is exfiltrating documents as part of its propagation. Office documents, personal files, sometimes confidential business material. The recipient gets the file; the worm propagates further.
Why this matters
The data exfiltration is the structurally novel part. Earlier mass-mailing worms (Melissa, ILOVEYOU, AnnaKournikova) sent generic content. SirCam sends real files from the infected machine.
For an organisation hit by SirCam, the data leakage is real. Documents that should not have left the network have left it, attached to copies of the worm sent to whoever was in the user's address book. The recovery is not just "clean the worm" — it is "figure out what was leaked".
Why it has been overshadowed
Three reasons.
Code Red is more spectacular. The IIS targeting, the rapid propagation and the Whitehouse.gov DDoS have dominated press attention; SirCam is more mundane.
Mass-mailing worms are now routine. Three or four major ones in 18 months has lowered the press impact of any individual one.
The damage is harder to quantify. Code Red's compromise count is easy to measure. SirCam's data leakage is per-organisation and rarely public. The aggregate damage is large but invisible.
What operators should do
The usual: strip executable attachments at the relay. The list of dangerous extensions for SirCam includes the usual suspects (exe, bat, com, scr, pif, lnk). Operators with this in place are protected; operators without it are not.
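As an added illustration (not code from the original post or from any vendor), the relay check described above written out in Python: it parses a message, flags attachments whose name ends in one of the listed executable extensions, flags the SirCam double-extension pattern (a document suffix followed by an executable suffix) separately, and matches the worm's body text. The inner document extensions, the sample addresses and the sample message are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Executable suffixes the post lists for SirCam attachments.
EXEC_EXTS = {"exe", "bat", "com", "scr", "pif", "lnk"}
# Inner "document" suffixes that make the name look benign (assumed list).
DOC_EXTS = {"doc", "xls", "ppt", "txt", "rtf", "zip"}
# The fixed line from the worm's message body, used as a signature.
SIRCAM_BODY = "i send you this file in order to have your advice"


def is_executable(filename: str) -> bool:
    """True when the last suffix is one of the executable extensions."""
    return "." in filename and filename.lower().rsplit(".", 1)[-1] in EXEC_EXTS


def is_double_extension(filename: str) -> bool:
    """True for names like 'budget.xls.pif': document suffix, then executable."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOC_EXTS and outer in EXEC_EXTS


def scan_message(raw: bytes) -> List[str]:
    """Return the reasons a relay filter would hold this message (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and SIRCAM_BODY in body.get_content().lower():
        reasons.append("body matches SirCam template")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_double_extension(name):
            reasons.append(f"double-extension attachment: {name}")
        elif is_executable(name):
            reasons.append(f"executable attachment: {name}")
    return reasons


def build_sample(filename: str, body: str = "Hi! How are you?\n"
                 "I send you this file in order to have your advice\n"
                 "See you later. Thanks\n") -> bytes:
    """Constructed SirCam-style message for testing; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"  # constructed sender
    msg["To"] = "bob@example.com"      # constructed recipient
    msg["Subject"] = "Q3 Budget"
    msg.set_content(body)
    msg.add_attachment(b"MZ-not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Blocking on the last suffix alone already stops SirCam; the double-extension check is the signal worth logging separately, because it tells the operator a real document name (and so a real document) was attached.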
For users on infected hosts: standard cleanup. The worm modifies registry keys for persistence; the cleanup is well-documented by the antivirus vendors.
What this teaches
The mass-mailing worm category has stabilised. Each new variant adds a small twist — SirCam's twist is data exfiltration — but the structural shape is unchanged. The defensive infrastructure (relay filtering, antivirus, attachment blocking) handles them with reduced damage but does not eliminate them.
The deeper lesson: the categories of attack become layered. We now have IIS worms, mass-mailing worms, DDoS toolkits, trojans, and phishing all operating simultaneously. The defensive picture has to address all of them. The cumulative operational cost is increasing.
More as the year develops.