SirCam set for new attack

By Wendy McAuliffe, ZDNet UK
17 October 2001 09:35 AM
Tags: sircam, security, worm, virus, bug, infect
The highly destructive SirCam worm has been programmed to return on its three-month birthday, and Australia could be a prime target for the attacks. The network-aware computer worm will attempt to destroy data on one in every 20 computers that it infects, say experts.

"When an infected computer starts up today, there is a 5 percent chance that SirCam will start to delete all files on the C drive, and remove all files in sub-directories," said Andre Post, senior researcher at antivirus firm Symantec. "It will then try to fill up the hard drive with a fake file, and will expand and take up the full hard drive space."

But the file-deleting payload is only programmed to affect PCs configured with the D/M/Y date format. This will result in regional hits across the globe, placing European and Australian PCs in a high-risk category, according to Symantec. "The US will be safe, as everyone has M/D/Y settings -- but in Europe things may be different," said Post.

Antivirus experts at Sophos have dismissed fears of a 16 October attack, claiming that a bug in the virus author's code will prevent the payload from activating. But Symantec is certain that European novice end-users should brace themselves for a return of the destructive SirCam worm. "We know that a lot of these types of viruses contain bugs that can corrupt infections, but the working samples that we have (of SirCam) convince us that there is a one-in-20 chance of reinfection," said Post.

SirCam was first detected on 16 July. Security software firm Trend Micro said it has received reports from 332,000 PCs infected with the worm in the last 30 days. The worm spreads by email and by using open network shares -- if the attachment is opened, SirCam copies itself into the Windows System directory with the filename scam32.exe, and changes the registry key so that it runs on Windows startup. It also contains its own SMTP routine, which is used to send email messages to email addresses found in the infected user's address book and the temporary Internet folder where cached Internet files are kept.

The Poker-like caveat programmed to strike on 16 October is hard-coded for every year. "I am certain that SirCam will still be around next year," said Post.
