Sircam: Worm, Virus, Trojan Horse?
In the early 2000s, Sircam made its debut with an innocuous email that said, “Hi! How are you?” It combined the characteristics of a worm, virus, and a Trojan horse and spread quickly through endpoints and networks.
At Exabeam, we’re not only interested in developing the newest cybersecurity, we’re also fascinated by what we can learn from older security technologies. Each month the History of Cybersecurity 2019 Calendar features key dates in cybersecurity history, along with a related trivia question and other things of interest that occurred in that month during years past.
This is the seventh in a series featuring the Cybersecurity Calendar, where we look into how Sircam wormed its way into history. Stay tuned for more history around the cybersecurity dates we’ve researched for the rest of the year. If you think we missed an important date (or got something wrong), please let us know. You can also share your feedback with us on Twitter.
It may be hard to believe now, but there was a time when the internet was new to most of us. In fact, before the 1990s, there were many people who didn’t even own a computer. But by the turn of the millennium, that had changed, opening up plenty of opportunities for cybercriminals with coding skills and plenty of free time.
One of the viruses plaguing consumers in the early 2000s was Sircam, a dangerous program that mashed together the characteristics of a worm, virus, and a Trojan horse. Sircam was first discovered on July 17, 2001, and arrived in an email, always with the first line of, “Hi! How are you?” and the last line stating, “See you later. Thanks.” In the English version, the message would often include one of the following four lines.
- I send you this file in order to have your advice.
- I hope you can help me with this file that I send.
- I hope you like the file that I send to you.
- This is the file with the information that you ask for.
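The fixed wording quoted above is the kind of signal a mail filter can match on. The following is an added example, not code from the original article or from Exabeam: it parses a message, compares the body against the quoted English template, and flags it only when a file is also attached. The function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Template lines quoted in the article (English version).
FIRST = "Hi! How are you?"
LAST = "See you later. Thanks."
MIDDLE = {
    "I send you this file in order to have your advice.",
    "I hope you can help me with this file that I send.",
    "I hope you like the file that I send to you.",
    "This is the file with the information that you ask for.",
}

def body_and_attachments(msg):
    """Return (normalized non-empty text/plain lines, attachment count)."""
    lines, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_type() == "text/plain":
            # The template is pure ASCII, so a lossy UTF-8 decode is enough.
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            # Collapse whitespace so padded or reflowed lines still compare equal.
            lines += [" ".join(l.split()) for l in text.splitlines() if l.strip()]
    return lines, attachments

def matches_sircam_template(raw):
    """True only if the body follows the quoted template AND a file is attached."""
    lines, attachments = body_and_attachments(message_from_string(raw))
    if attachments == 0 or len(lines) < 3:
        return False
    return (lines[0] == FIRST and lines[-1] == LAST
            and any(l in MIDDLE for l in lines[1:-1]))

def build_sample(body, attach):
    # Constructed message for the demo; the attachment is inert placeholder bytes.
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content(body)
    if attach:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_string()

if __name__ == "__main__":
    body = f"{FIRST}\n{next(iter(MIDDLE))}\n{LAST}\n"
    print(matches_sircam_template(build_sample(body, attach=True)))
```

Requiring both the template and an attachment keeps an ordinary greeting that happens to open with the same first line from being flagged.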
Spreading Through Email
Sircam packed a powerful punch, remaining the number one virus a full eight months after it was first reported. However, it managed to remain less destructive than other viruses at the time, primarily because corporate email servers had security features set to block infected messages. By then, there had been enough viruses that businesses had learned their lessons, and cyberhackers weren’t yet sophisticated enough to get around those filters.
Even when a Sircam-infected email did make it through to the end user, it required the recipient to take action for the virus to install. The user would click on the attachment, which would then execute a file that installed on the system, where it would then hide in the recycle bin, usually completely unnoticed. In the background, the software would send attachments to contacts in the user’s address book, with the goal of continuing to spread the virus.
In 2001, Sircam was the most sophisticated Windows virus, having the complex ability to not only spread using the contents of an infected PC but to also take further action on the infected PC. Although it was only able to do so in about 1 in every 20 instances, the worm had the ability to delete the entire contents of the hard drive on which it was installed. However, if users became aware they had the virus and removed it before the date set for that deletion (October 16), it wouldn’t happen.
Spreading Through Open Share
Individual computers weren’t the only endpoints at risk during Sircam’s reign of terror. In fact, it could spread far faster by making its way through a network. It did this through something called “open file share,” which just referred to computers that had allowed file-sharing with other devices on the same network.
Unfortunately, the design of Sircam meant that it could remain on a network, jumping from computer to computer – and even re-infecting already-cleaned PCs – until the entire network was completely clear of the program. In addition to downloading security patches and keeping their antivirus software updated, end users were urged to avoid opening unfamiliar attachments. These were the early days of consumers learning that an attachment that looks innocuous isn’t always what it appears to be.
Email Viruses Still Prevalent
Sircam may have been particularly sinister, but it wasn’t the only virus to spread through email. In fact, a couple of years before Sircam, there was Melissa, a virus released in March 1999 that used Outlook to email the first 50 people in each person’s address book. The ILOVEYOU virus was even more sinister, hitting an estimated 45 million PCs over a two-day period.
Although email viruses have continued to be a part of the warnings regularly issued by cybersecurity experts, it’s not quite as easy for viruses to get through. Many email programs build in protections like spam filters and infection detection. If a user does open an executable attachment, it will likely be caught by whatever malware protection is installed. Still, cyberhackers continue to evolve their efforts, using more sophisticated social engineering techniques like phishing to entice users to input passwords or download files from a site.
Looking back at Sircam’s effect in 2001 shows how far cybersecurity has come. Hackers can no longer commandeer millions of devices using email attachments, but they have other more “creative” ways to take systems down. Sircam and its aftermath show the importance of continuing to remain vigilant when it comes to protecting against malicious software delivered through everyday corporate tools.