[linux-elitists] Fun with SirCam

Rick Moen rick@linuxmafia.com
Thu Aug 2 22:57:36 PDT 2001

If you're typical of this list, you've been getting an amusing 
barrage of SirCam-infected file attachments for the past week.  
I've gotten dozens of them.  Each attachment purports to be some sort of 
MS-Word document, Excel spreadsheet file, or such, which was in fact
lifted from the poor sucker's hard drive and bodily included -- prefaced
by (it turns out) 137215 bytes of Win32 binary worm code, created in
Borland Delphi.

But, even though gobs of potentially juicy private documents are getting
spewed across the Internet by MS-Windows users -- including reportedly 
some from sundry governments -- most of us have been simply discarding
them as spam-equivalents.  Which, I submit to you, gentle readers, is a

Just about any binary editor will do, but I recommend John H. Swaby's
very useful "fb" viewer/editor for binaries, available in x86 Linux or
Win32 binaries, or GPLed source code that'll compile just about
anywhere:  http://home.mho.net/jswaby/fb.html

To separate the attachment into its binary-payload (worm) and document
portions, use fb like this:

  fb c 0.137215 attachment sircam.worm
  fb c 137216 attachment document

Happy reading!

This message falsely claims to have been scanned for viruses with F-Secure
Anti-Virus for Microsoft Exchange and to have been found clean.
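
The split described in the message, as an added example for triaging a quarantined sample (not part of the original post, and not using fb). It assumes the 137215-byte figure quoted above is the exact prefix length and that the prefix is byte-identical across copies; the function names and the sample bytes are constructed for illustration.

```python
import hashlib

# Prefix size quoted in the post; assumed to be the exact split point.
WORM_PREFIX_LEN = 137215
MZ_MAGIC = b"MZ"                                  # DOS/PE executable header
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # Word/Excel 97-2003 container


def carve(blob, prefix_len=WORM_PREFIX_LEN):
    """Split a quarantined attachment into (prefix, appended document)."""
    if len(blob) <= prefix_len:
        raise ValueError("file is not longer than the expected prefix")
    return blob[:prefix_len], blob[prefix_len:]


def triage(blob, prefix_len=WORM_PREFIX_LEN):
    """Describe both parts without executing or opening either one."""
    prefix, appended = carve(blob, prefix_len)
    if appended.startswith(OLE2_MAGIC):
        kind = "ole2"
    elif appended.startswith(b"PK\x03\x04"):
        kind = "zip"
    else:
        kind = "unknown"
    return {
        "prefix_is_executable": prefix.startswith(MZ_MAGIC),
        # Stable across samples only if the prefix is byte-identical (assumption).
        "prefix_sha256": hashlib.sha256(prefix).hexdigest(),
        "whole_sha256": hashlib.sha256(blob).hexdigest(),
        "appended_kind": kind,
        "appended_len": len(appended),
    }


def make_sample(body):
    """Constructed stand-in: fake 'MZ' prefix of the right size plus a fake OLE2 file."""
    prefix = MZ_MAGIC + b"\x00" * (WORM_PREFIX_LEN - len(MZ_MAGIC))
    return prefix + OLE2_MAGIC + body


if __name__ == "__main__":
    for body in (b"constructed body one", b"another constructed body"):
        print(triage(make_sample(body)))
```

Because every copy carries a different appended document, the whole-file hash changes from sample to sample, while the hash of the carved prefix is the value a mail filter can match on.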
