Printer Friendly


Sybari Software, Inc., East Northport, N.Y., developer of Antigen, a comprehensive antivirus, content-management, and e-mail security solution for Microsoft Exchange and Lotus Domino/Notes environments, reported that the e-mail virus known as "SIRCAM" has been raised to a high-risk virus.

This latest e-mail virus threat is no match for Sybari's Antigen. Antigen's Worm Purge and File Filtering features will score high-marks with Antigen users.

"Our users stand protected against this virus with Antigen Worm Purge(TM)," said Joe Licari, director of product management for Sybari Software, Inc. "By enabling Worm Purge and updating to the latest antivirus signature files, administrators can depend on Antigen to automatically purge all e-mail messages carrying this high-risk worm," continued Licari.

As with Antigen File Filtering (AFF) technology, which enables administrators to filter e-mail attachments by filename, wildcards, and by file type, Antigen Worm Purge(TM) is designed to be a proactive tool to prevent new worm threats from spreading before scan engines are updated. Attachment names for worm generated messages can also be placed in the File Filter list under the File Filtering panel for purging as they enter or exit the message stream.

Antigen File Filtering (AFF) enables you to filter an e-mail attachment by filename, with wildcards, and by file type. This unique feature will delete and/or quarantine file attachments meeting the filter criteria of messages entering or exiting groupware environments. Attachments may be scanned by actual name (such as Sircam or Worm) or by file type (.com, .baf, .exe, etc.). If files are sent in a ZIP archive, AFF will scan each file enclosed in the archive. Once a matching file is detected, AFF will automatically delete or quarantine it depending on the criteria specified by the administrator. The intended recipient will then receive a notification message alerting them that the file was deleted or quarantined. If a file is quarantined, a copy will be kept and may be opened by the administrator. The administrator also has the option to forward the quarantined attachment to the intended recipient after being reviewed.


Since 1995, Sybari has the led the market in providing innovative solutions to groupware-based virus and security threats. Today, over 5 million Microsoft Exchange/Outlook and Lotus Domino/Notes seats are virus-free as a direct result of Sybari's Antigen technology. Sybari's Antigen is unsurpassed in providing protection of corporate messaging environments. Antigen's unique architecture institutes a preemptive line of defense from viruses and malicious code. Antigen for Microsoft Exchange and Antigen for Lotus Domino are distributed in more than 50 countries through Sybari's worldwide locations and distribution network. Sybari is headquartered in East. Northport, New York with its International headquarters in Madrid, Spain. Sybari's clients include IBM,, Cable & Wireless, Compaq, Con Edison, Dell, Deloitte & Touche, Eastman Chemical, Getronics, JD Power, Lufthansa, Mayo Foundation, Merrill Lynch, Nortel, Pirelli, Sony, Target, Texaco, Tosco, Union Pacific, US Federal Government, and Visa. Sybari's many strategic partners include Lotus Development (NYSE:IBM), Microsoft (NASDAQ:MSFT), Computer Associates (NYSE:CA), Compaq (NYSE:CPQ), and Sun Microsystems (NASDAQ:SUNW).


W32/Sircam@mm July 20, 2001

W32/Sircam-A, Backdoor.SirCam, WIN32/SIRCAM.WORM

E-mail Characteristics

E-mail Subject: Random Filename

E-mail Body:


Hola como estas?

Te mando este archivo para que me des tu punto de vista Espero te guste este archivo que te mando Espero me puedas ayudar con el archivo que te mando Este es el archivo con la informacion que me pediste Nos vemos pronto, gracias.


Hi! How are you? I hope you can help me with this file that I send I send you this file in order to have your advice I hope you like the file that I send you This is the file with the information that you ask for See you later. Thanks

Attachment Names:

SIRC32.EXE, SCam32.exe, emailed attachments are randomly named


This is an email aware worm; it will normally appear as a file with double extension, like, .xls.pif, etc. The last extension will be one of the following: COM, EXE, BAT, PIF, and LNK.

The worm executable is really prepended to a document, spreadsheet, or zip file from an infected person. That file will be written to disk and opened when the worm is executed so it seems like the mail contained an innocent attachment. This functionality may cause sensitive user data to be sent out.

The subject line contains only the file name of the attached file. Depending on language versions, the message body will be in English or Spanish.

The message body is composed of several lines that are slightly randomly mixed.

This worm can be rather destructive. The destructive routine activates October 16th, and will in some cases delete all files on the C: drive.


As mentioned the worm copies itself over shared network drives as well. In those cases it copies the SIRC32.EXE file over to the remote drive, and also, if possible, replaces the RUNDLL32.DLL on the remote machine with itself. The original RUNDLL32.EXE is copied to RUN32.EXE. It may also copy itself to other file names. It may also attempt to add a reference to itself in the AUTOEXEC.BAT file.

If transferring these types of files is not part of your day-to-day business, Sybari recommends that you create a file filter rule for all files that end with the extensions .exe, .com, .bat, .pif, and .lnk. Currently, Sybari has not reported any outbreaks. To protect your environment from this new variant, and for information on other variants, add the Sybari website: to your browser Favorites.

For more information, call 732/530-3925.
COPYRIGHT 2001 Worldwide Videotex
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2001 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Product Information; Sybari Software's Antigen File Filtering amd Antigen Worm Purge
Publication:Computer Security Update
Date:Sep 1, 2001

Related Articles
Beware Of SirCam.
"SirCam" Breaks Records for Spreading.
SirCam Worm Not Scared By Anti-Virus Products.
E-mail's Weakest Links. (Special Advertising Feature).
Sybari's Antigen provides groupware security. (Technology Trends).
Klez worm most prolific virus of year. (Virus Notes).
Sybari Offers IM Virus Scanner.
Spam filtering.

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters