W32.Sircam.Worm@mm (alias W32/Sircam@mm, I-Worm.Sircam) is a network-aware Win32 worm.
It was originally rated as Low Risk, but on Friday officials at Network
Associates and Symantec Corp. both said instances of infection "continue
to increase significantly." The worm spreads via email and
by using open network shares. The worm arrives in an email with
a random subject and body text. The attached filename is also randomly
chosen, but it has a double extension (for instance, .doc.com or
.mpg.pif).

If the attachment is opened, the worm
copies itself into the Windows System directory with the filename
scam32.exe. The worm also copies itself as a file called sirc32.exe
to the Recycled files directory with its file attributes set to
hidden. The worm changes some registry keys before any other
executable file is opened.

If the worm finds any open network
share, it will attempt to copy itself into the Windows directory
on the machine with an open share, with the filename rundll32.exe.
The original rundll32.exe file is renamed to run32.exe. If this
is successful, the worm changes the file autoexec.bat so that it
includes a command to run the worm file previously dropped to the
Windows directory.

The worm contains its own SMTP routine
which is used to send email messages to email addresses found in
the Windows address book and the temporary internet folder, where
cached internet files are kept.
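
A defender-side triage sketch for the indicators described above, added here as an example and not part of the original write-up: it flags double-extension attachment names and matches a file listing against the dropped file names. The extension set beyond .com and .pif, the directory leaf names, the function names and the sample data are assumptions constructed for illustration.

```python
import ntpath

# Assumption: final extensions treated as executable; the page names only .com and .pif.
EXEC_EXTS = {".com", ".pif", ".exe", ".bat", ".lnk", ".scr"}

# (directory leaf, file name) pairs taken from the description above.
# Assumption: the directories are literally named "system", "recycled" and "windows".
ARTIFACTS = {
    ("system", "scam32.exe"): "worm copy in the Windows System directory",
    ("recycled", "sirc32.exe"): "hidden worm copy in the Recycled directory",
    ("windows", "run32.exe"): "original rundll32.exe renamed by the worm",
}

def double_extension(filename):
    """Return (decoy_ext, exec_ext) for names like report.doc.com, else None."""
    # Trailing dots and spaces are dropped by Windows, so ignore them here too.
    name = ntpath.basename(filename.strip().rstrip(". ")).lower()
    stem, last = ntpath.splitext(name)
    decoy = ntpath.splitext(stem)[1]
    # A decoy looks like a short extension with a letter in it (.doc, .mp3), not ".2".
    plausible = 2 <= len(decoy) <= 5 and any(c.isalpha() for c in decoy[1:])
    return (decoy, last) if last in EXEC_EXTS and plausible else None

def host_findings(paths):
    """Match a file listing against the artifact names, case-insensitively."""
    hits = []
    for p in paths:
        folder, name = ntpath.split(p.lower())
        key = (ntpath.basename(folder), name)
        if key in ARTIFACTS:
            hits.append((p, ARTIFACTS[key]))
    return hits

# Constructed sample data, not taken from a real incident.
SAMPLE_ATTACHMENTS = ["budget.doc.com", "holiday.mpg.pif", "notes.doc", "setup.exe"]
SAMPLE_LISTING = [
    r"C:\WINDOWS\SYSTEM\SCam32.exe", r"C:\RECYCLED\SirC32.exe",
    r"C:\WINDOWS\run32.exe", r"C:\WINDOWS\rundll32.exe",
]

if __name__ == "__main__":
    for a in SAMPLE_ATTACHMENTS:
        print(a, "->", double_extension(a))
    for path, why in host_findings(SAMPLE_LISTING):
        print(path, "->", why)
```

A rundll32.exe in the Windows directory is not flagged by name alone, since that is also the legitimate file's name; the presence of run32.exe beside it is the signal.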