Peter Ferrie, Péter Ször
Virus Bulletin, September 2001, pp. 8-10
ISSN 0956-9979
September 2001
Although SirCam made a name for itself sending out random files and personal documents from infected PCs, not all of the information that spread with Win32/SirCam was spread by the worm itself. Almost as soon as updated descriptions of SirCam were posted to Web sites, selected texts from these descriptions appeared on other sites, complete with identical spelling errors and inaccuracies.
Evidently the emerging complexity of new 32-bit worms is proving a tough challenge for every one of us in this business: if ExploreZip was boring and difficult to analyse, SirCam was a major pain. SirCam's author tried to make sure that the analysis would not be straightforward. The worm is written in a high-level language, but all the string constants (including its email message) are encrypted in such a way that it took a little while to decrypt completely (at least for some of us).