Chalk one up for the bad guys.

Almost seven weeks after it started spreading, the SirCam worm is still topping the watch lists of almost every antivirus company.

Market analyst Computer Economics estimates that by the end of August, SirCam had infected 2.3 million computers and caused $1 billion in damages related to cleaning infected systems and to lost productivity.

Although antivirus companies have released updates so that their scanning software can detect SirCam, the worm shows no sign of abating.

The problem is that so many average Joes continue to spread the infectious code because they are naive about the risks on the Internet and haven't updated their antivirus software, said Vincent Weafer, senior director of Symantec's antivirus research center.

"We know we have to have security around our home, and we know we have to have security around our cars. We need it around our computers as well," Weafer said.

That's a concept that a hefty number of home PC users don't understand. In an online study, Symantec found that almost four out of 10 computer users either didn't have antivirus software installed or have never updated the software that came with their computer.

That complacency is one reason SirCam is thriving on the Net, Weafer said. "We need to raise the level of education and awareness."

Others aren't so sure that education will do the trick.

"There definitely is a place for antivirus on the desktop," said Andrew Faris, president of U.S. operations for e-mail service provider MessageLabs. "But one scanner is not enough."

SirCam seems proof of that.

The worm, discovered in mid-July, spreads in e-mail using tactics that are somewhat familiar. Arriving in a message apparently sent by a friend, the worm activates when the attachment is opened. The program infects the victim's computer, grabs a file from the "My Documents" folder, infects it, and sends the infected file to contacts in the computer's Microsoft Outlook address book. The worm also harvests e-mail addresses from Web pages temporarily stored in the computer's Internet cache.

MessageLabs, which filters out malicious e-mail attachments detected in messages from the Internet, has discovered 20,000 copies of SirCam since the start of September. The worm has no competition for the top slot on the company's all-time list of commonly intercepted attachments: At 263,000 total copies and counting, SirCam easily beats out Magistr.A, which has infected almost 93,000 computers since the beginning of June.

Initially, SirCam sneaked by most antivirus companies' scanning software. Only after releasing updates to their virus definitions were the companies able to protect their customers against SirCam. Although corporate customers quickly applied the patch, many home PC users haven't downloaded the updates, Faris said.

The answer is to have far more extensive scanning and filtering by the Internet service providers, Faris said. "We use three scanners and then a fourth," he added. "We're laying down a gauntlet."

That sort of protection is hard for a consumer to duplicate. And unless home computer users are better cordoned off from the Internet, a worse epidemic will eventually hit the Internet, said Rob Rosenberger, editor of the Virus Myths Web site and normally a skeptic of the hype surrounding viruses.

"A virus incident will come and it will be super-deadly," he said. "But that may not be such a bad thing--maybe it should come, I'm thinking philosophically."

Rosenberger said that just as plane crashes and car accidents spurred people to find ways of making those modes of transportation safer, a massive virus incident could make the Internet safer.

"We are learning our lessons the hard way," Rosenberger said. "Right now, we are not serious about SirCam, and the virus problem is only getting worse."

By Robert Lemos
ZDNet News