[linux-elitists] Fun with SirCam

Andy Bastien lists@yuggoth.net
Fri Aug 3 08:04:47 PDT 2001


You can also use dd like so:

dd if=sircam.doc.bat of=sircam.doc bs=512 skip=268
dd if=sircam.doc.bat bs=512 skip=268 | catdoc | (perl script to add it to your web page)

If the length of the worm is 137215 then you're losing 1 byte at the
beginning, but that doesn't seem to matter.


In the depths of that dark day Thu Aug 02, the words of Rick Moen were the beacon:
> If you're typical of this list, you've been getting an amusing 
> barrage of SirCam-infected file attachments for the past week.  
> I've gotten dozens of them.  Each attachment purports to be some sort of 
> MS-Word document, Excel spreadsheet file, or such, which were in fact
> lifted from the poor sucker's hard drive and bodily included -- prefaced
> by (it turns out) 137215 bytes of Win32 binary worm code, created in
> Borland Delphi.
> 
> But, even though gobs of potentially juicy private documents are getting
> spewed across the Internet by MS-Windows users -- including reportedly 
> some from sundry governments -- most of us have been simply discarding
> them as spam-equivalents.  Which, I submit to you, gentle readers, is a
> waste!
> 
> Just about any binary editor will do, but I recommend John H. Swaby's
> very useful "fb" viewer/editor for binaries, available in x86 Linux or
> Win32 binaries, or GPLed source code that'll compile just about
> anywhere:  http://home.mho.net/jswaby/fb.html
> 
> To separate the attachment into its binary-payload (worm) and document
> portions, use fb like this:
> 
>   fb c 0.137215 attachment sircam.worm
>   fb c 137216 attachment document
> 
> Happy reading!
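
Added example, not part of the original thread: splitting an attachment at the exact 137215-byte boundary with head/tail, next to the bs=512 skip=268 form, which starts one byte later. The function names and the sample file are constructed for illustration; the sample is filler bytes plus a text marker, not a real attachment.

```shell
#!/bin/sh
# split_at <prefix_len> <infile> <prefix_out> <rest_out>
# Writes the first prefix_len bytes to prefix_out and everything after to rest_out.
split_at() {
    plen=$1; src=$2; pre=$3; rest=$4
    [ -f "$src" ] || { echo "split_at: no such file: $src" >&2; return 1; }
    size=$(wc -c < "$src" | tr -d ' ')
    # Refuse files that end at or before the offset: there is nothing to carve.
    if [ "$size" -le "$plen" ]; then
        echo "split_at: $src is $size bytes, nothing after offset $plen" >&2
        return 1
    fi
    head -c "$plen" "$src" > "$pre" || return 1
    # tail -c +K starts at byte K counting from 1, so skipping plen bytes is +(plen+1).
    tail -c "+$((plen + 1))" "$src" > "$rest"
}

# make_sample <file>: constructed stand-in for an attachment,
# 137215 filler bytes followed by a recognisable marker.
make_sample() {
    { printf '%137215s' ''; printf 'DOCUMENT-BODY'; } > "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d/attachment"
    split_at 137215 "$d/attachment" "$d/prefix" "$d/document" || return 1
    # 268 * 512 = 137216, so the block-aligned dd form drops the first document byte.
    dd if="$d/attachment" of="$d/document.dd" bs=512 skip=268 2>/dev/null
    printf 'exact offset: %s\n' "$(cat "$d/document")"
    printf 'dd skip=268:  %s\n' "$(cat "$d/document.dd")"
    rm -rf "$d"
}

demo
```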


