From: Dan Allen
Sent: Friday, July 27, 2001 1:23 PM
Subject: Sircam Virus Explained

Recently a new virus has been going around called the W32.Sircam.Worm. It attacks Windows systems: 95/98/ME/NT/2000 all are infected, although it does not replicate on NT/2000 due to a bug in this programmer's code. I never get viruses because all viruses spread by either:

We all know not to run any file that comes in email as an EXE unless it is from a very trusted source. No problem with a).

We all should know not to open Word and Excel documents sent as email attachments unless we have "macro virus checking" on. (It is a setting in Word & Excel 97 and later.) This is how the Melissa virus ran. If macro virus checking is on you will be asked if you want to run a macro rather than it just running. So b) is usually not a problem either.

I, however, got hit with this new Sircam virus because of several very clever things which this virus did. If you run Windows, read on. If you don't run Windows, you are wise. (This bug will not occur on Macs or Unix machines because it contains a Win32 executable (EXE). I use the term EXE here for any application or tool that contains Intel x86 binary code. Word is an EXE, Excel is an EXE, and Windows is a large collection of EXEs.)

What Happens

This worm arrives as a random file in your inbox. A short message says to check out the enclosed document. The document has TWO FILE SUFFIXES: the one that hit me was .doc.pif. The second suffix can be .com, .lnk, .bat, or .pif. Did you know that Windows will run any file that ends in .com, .exe, .lnk, .bat, or .pif? I didn't know this and I know a lot about Windows.

Try this: duplicate any legitimate .EXE on your machine and rename it to foo.pif, or foo.lnk. Double click and this EXE will be run, no questions asked. A legal .pif file never has executable code in it -- it is just MS-DOS settings, but Windows will launch it just the same. (Bug) Did you know that Windows hides the .lnk and .pif extensions? When the file arrived in my email (Outlook 2000), it was shown as foo.doc, NOT foo.doc.pif! (Bug) I opened the Word document and voila, the .pif suffix -- the invisible .pif suffix -- meant the Word document was not opened by Word but was in fact EXECUTED, which got the worm running on my machine. The worm virus immediately launched Word with the document so all that I saw happen was a Word document open, just as I expected. However, the worm virus then began its clever madness quietly, invisibly.

This happens because the virus code prepends itself to a real Word document. If you open the document in Word it appears to be a poorly formatted Word document. This is because the file format is not in normal Word format and Word tries its best to show you something, usually raw ASCII without any fonts or styles. Beware! (All of this could apply to spreadsheets too.) The virus code mislabeled itself. Once the worm runs, the damage begins: it randomly mails documents from your machine to people in your address book and even looks for email addresses found in your Internet Cache. Many people you've never emailed get your personal documents. It can also (1 in 20 chance) delete all the files on your hard disk. All the while the virus is prepending itself to these other documents, thus causing the virus to spread. The virus copies itself to other machines on the network if it can; it hides in Temp directories and Recycle bins and is quite hardy. It also modifies the registry so that when an EXE on your machine is run -- any application whatsoever -- the virus code itself is run instead, and the virus, being smart in its deception, will then itself run the EXE that you want to run, thus maintaining the facade of a normally working system. Specifically the registry key:
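The prepending trick leaves a simple fingerprint on disk: a file whose name says Word document but whose first bytes are a Win32 executable header rather than the Word/Excel container signature. The following is an added example, not code from Dan's email or from any Sircam cleanup tool. It assumes the Word 97-2003 (OLE2 compound file) magic bytes and the "MZ" executable stub, both of which are standard; the sample byte strings are constructed stand-ins, not real files.

```python
# Added example: flag a file that is named as a Word/Excel document but
# begins with Win32 executable code, which is what a worm that prepends
# itself to a real document looks like on disk.
from pathlib import PureWindowsPath
from typing import Optional

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # Word/Excel 97-2003 container
PE_MAGIC = b"MZ"                                   # DOS/Windows executable stub
DOCUMENT_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt"}


def classify_bytes(data: bytes) -> str:
    """Say what the leading bytes claim the file really is."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-document"
    if data.startswith(PE_MAGIC):
        return "executable"
    return "unknown"


def claims_to_be_document(filename: str) -> bool:
    """True if any suffix in the name (foo.doc or foo.doc.pif) is a document type."""
    suffixes = {s.lower() for s in PureWindowsPath(filename).suffixes}
    return bool(suffixes & DOCUMENT_EXTENSIONS)


def content_mismatch(filename: str, data: bytes) -> bool:
    """True when the name promises a document but the bytes are executable code."""
    return claims_to_be_document(filename) and classify_bytes(data) == "executable"


def check_file(path: str) -> Optional[str]:
    """Read only the header of a file on disk and report a mismatch, if any."""
    with open(path, "rb") as fh:
        head = fh.read(len(OLE2_MAGIC))
    if content_mismatch(path, head):
        return f"{path}: named as a document but starts with executable code"
    return None


# Constructed samples (not real files): a clean OLE2 header, and an "MZ" stub
# with a document glued on after it, the shape a prepended worm would have.
CONSTRUCTED_CLEAN_DOC = OLE2_MAGIC + b"\x00" * 24
CONSTRUCTED_WORM_DOC = PE_MAGIC + b"\x00" * 62 + b"PE\x00\x00" + CONSTRUCTED_CLEAN_DOC

if __name__ == "__main__":
    for name, data in [("report.doc", CONSTRUCTED_CLEAN_DOC),
                       ("report.doc", CONSTRUCTED_WORM_DOC),
                       ("report.doc.pif", CONSTRUCTED_WORM_DOC)]:
        print(name, classify_bytes(data), "MISMATCH" if content_mismatch(name, data) else "ok")
```

The check deliberately looks at the whole list of suffixes, so foo.doc.pif is judged by the .doc it advertises; pair it with a walk over Temp directories and the Recycle Bin folders the email names, since those are where the copies hide.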

is set to
  c:\Recycler\sirc32.exe "%1" %*
instead of

  "%1" %*

This illustrates something else I was unaware of: Windows allows the file suffix of an EXE to be taken over in the registry! Very clever. (One could write a simple application logger using this facility...)
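A defender can turn the registry observation above into a check: the launcher string for EXEs should be exactly "%1" %*, and anything placed in front of it is a program that runs before every application. The code below is an added example, not from Dan's email. The live read assumes the standard HKEY_CLASSES_ROOT\exefile\shell\open\command key, which the email does not name; the string-level functions run anywhere and are exercised on the value quoted above.

```python
# Added example: detect a hijacked EXE launcher string in the registry. The
# page's own example is c:\Recycler\sirc32.exe "%1" %* in place of "%1" %*.
import sys
from typing import Optional

DEFAULT_EXE_COMMAND = '"%1" %*'
# Assumption: the default-value key that Windows consults to run any .exe.
EXEFILE_COMMAND_KEY = r"exefile\shell\open\command"


def exe_command_is_hijacked(value: str) -> bool:
    """True unless the launcher string is exactly the default."""
    return value.strip() != DEFAULT_EXE_COMMAND


def hijacking_program(value: str) -> Optional[str]:
    """Return the program inserted before "%1" %*, or None if the value is clean.

    A value that does not even end in "%1" %* is returned whole, since it is
    not the shape Windows expects and deserves a look either way.
    """
    v = value.strip()
    if v == DEFAULT_EXE_COMMAND:
        return None
    if v.endswith(DEFAULT_EXE_COMMAND):
        return v[: -len(DEFAULT_EXE_COMMAND)].strip().strip('"')
    return v


def read_live_exe_command(key_path: str = EXEFILE_COMMAND_KEY) -> Optional[str]:
    """Read the current launcher string; returns None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key_path) as key:
        value, _kind = winreg.QueryValueEx(key, "")   # "" is the (Default) value
    return value


if __name__ == "__main__":
    live = read_live_exe_command()
    if live is None:
        print("not on Windows; nothing to read")
    elif exe_command_is_hijacked(live):
        print("EXE launcher hijacked by:", hijacking_program(live))
    else:
        print("EXE launcher is the default:", live)
```

Restoring the value to "%1" %* is the repair step the email describes; doing so while the inserted program is still present on disk is safe, because the program is no longer invoked by the launcher once the string is back to default.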

So how to protect against this? Drag the Word document out of the email onto your desktop rather than opening it from within your email. When it appears on your desktop you will finally get to see the two file extensions on its name (.doc.pif) and then you will know that something sneaky is about to happen. Don't open it as it is! Rename it to simply .doc, however, and you can then safely open it because Word will not execute the worm code; it will simply display the code as garbage characters.

Whose fault is it? I believe the biggest bug is in the email programs (and Internet Explorer for that matter, since they all share a common dialog) which prompt you whenever you open an attachment (or go to download a file in IE) -- and this dialog does not show the .pif extension! In fact, another bug is in Windows itself for blindly executing binary code found in a .pif file. If the .pif info isn't there, it should quietly do nothing or alert the user that their .pif file is screwed up. In either case, and especially in the case where both of these bugs occur at once, the problem is very bad and is absolutely Microsoft's fault.

How to recover from it? Check out for a program that will scan and delete infected files that contain the worm code at the start of the document. It will clean your registry, etc. Seems to work okay, although I ended up doing it by hand so I could understand all of this. Note that I personally do not recommend running any virus-checking software as they are themselves a virus that cause more problems than what they do. This virus got past many virus checkers anyway.

Just be wise about running .exe, .com, .bat, .pif, and .lnk files as attachments and know that Windows does not show many of these extensions at the critical place you need to see them.

Dan

PS - Between this and the Windows XP activation issue, I'm seriously going to consider abandoning all use of PCs over the coming months. Mac OS X is my future.

Kevin Purcell of Microsoft pointed out that there are many different file types that have the possible problem of execution. The list includes .ade, .adp, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .hta, .inf, .ins, .isp, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .pif, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf or .wsh.
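The two observations in this email, that the last extension decides what Windows does with a file and that .lnk and .pif are hidden from view, combine into a simple attachment triage rule. The code below is an added example, not from Dan's email or from Microsoft: it uses exactly the extension list Kevin Purcell supplied and the two hidden extensions the email names, and reports an attachment by its real (last) extension, flagging double extensions such as foo.doc.pif and reconstructing the name as the mail client of the time would have shown it.

```python
# Added example: judge an attachment by the extension Windows actually acts on.
from pathlib import PureWindowsPath
from typing import Dict, List

# The list Kevin Purcell supplied, verbatim.
EXECUTABLE_EXTENSIONS = {
    ".ade", ".adp", ".bas", ".bat", ".chm", ".cmd", ".com", ".cpl", ".crt",
    ".exe", ".hlp", ".hta", ".inf", ".ins", ".isp", ".js", ".jse", ".lnk",
    ".mda", ".mdb", ".mde", ".mdz", ".msc", ".msi", ".msp", ".mst", ".pcd",
    ".pif", ".reg", ".scr", ".sct", ".shs", ".url", ".vb", ".vbe", ".vbs",
    ".wsc", ".wsf", ".wsh",
}
# Extensions the email says Explorer/Outlook hid from the user.
HIDDEN_BY_EXPLORER = {".lnk", ".pif"}


def displayed_name(name: str) -> str:
    """Name as the user saw it: a trailing hidden extension is simply dropped."""
    low = name.lower()
    for ext in HIDDEN_BY_EXPLORER:
        if low.endswith(ext):
            return name[: -len(ext)]
    return name


def assess_attachment(name: str) -> Dict[str, object]:
    """Classify one attachment name; the last suffix is what Windows runs."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    real_ext = suffixes[-1] if suffixes else ""
    executable = real_ext in EXECUTABLE_EXTENSIONS
    return {
        "name": name,
        "shown_as": displayed_name(name),
        "real_extension": real_ext,
        "executable": executable,
        # foo.doc.pif: an innocent suffix in front of an executable one.
        "double_extension": executable and len(suffixes) > 1,
        "hidden_extension": real_ext in HIDDEN_BY_EXPLORER,
    }


def risky_attachments(names: List[str]) -> List[str]:
    """Return the names Windows would execute rather than open as documents."""
    return [n for n in names if assess_attachment(n)["executable"]]


if __name__ == "__main__":
    # Constructed sample inbox, not real attachment names.
    for n in ["foo.doc.pif", "report.doc", "notes.txt", "setup.exe", "budget.xls.lnk"]:
        a = assess_attachment(n)
        flags = [k for k in ("executable", "double_extension", "hidden_extension") if a[k]]
        print(f"{n:16} shown as {a['shown_as']:12} {', '.join(flags) or 'ok'}")
```

The "shown_as" field is the point of the exercise: for foo.doc.pif it is foo.doc, which is exactly the name the email says Outlook 2000 displayed, so any check that runs on the real filename rather than the rendered one catches what the user could not see.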

Note also that this problem occurs even when extensions are shown. It is suggested that Service Pack 1 for Outlook 2000 will fix this. See for more info.

Created:  27 Jul 2001
Modified: 27 Jun 2003  (C:\Recycled -> C:\Recycler    shellopen -> shell\open)