First time I've seen this: the W32.Sircam.worm at mm virus installed itself on my box
jk05308 at alltel.net
Thu Jul 26 04:14:06 BST 2001
A little backround: The network folks where I work setup Lotus Notes for remote access by me.
Opening the Lotus Notes mail while using Konqueror on my SuSE 7.2 box I noticed that one msg
had an attachment that was named Metadata(01).xls.lnk. I also noticed that two other msgs
from the same sender also had attachements but our LN virus filter had cleaned them out. LN
also placed two msgs in my inbox stating that it had neutralized two msgs contaminated with viri.
But, there was a third msg from the same sender (ameo at curtisagency.com) that had its attachment
I decided to play with it. When I clicked on it the SuSE Wine Installation program appeared with
options to install the attachment in both the KDE and the GNOME menus. I selected the KDE option
and let it run. A dialog showing a fake windows solitaire game board appeared, but then closed. No
other activity appeared to take place. When I investigated my directories for new additions I noticed
that in the ./wine directory a complete Win95 subdirectory structure had been created, which was the
work of WINE and not the virus. But, in the recycle directory were two files, Metadata(1).xls.lnk and
SirC32.exe. In the /tmp directory was sircam.exe. The "windows" registery created by Wine had
been corrupted with w32.sircam.worm at mm entires. All of the tracks mentioned on the Symantec
virus site concerning this virus were in place in the wine structures and in the /tmp file.
When I attempted to run Konqueror it complained that 'html' was an unknown mime type. I closed
KDE and restarted it. Konqueror now runs ok.
I also logged into root and ran the chkrootkit but it did not find any problems.
to unsubscribe from this list send an email to kdevelop-request at kdevelop.org with the following body:
More information about the KDevelop