CNN.com /TECH
'Personal' virus targets Europe



LONDON, England (CNN) -- Computer experts are warning of a new e-mail virus threatening to sweep across Europe sending embarrassing personal documents from unsuspecting users.

"Sircam," which is believed to have originated in Mexico, is a more advanced version of the Love Bug virus and Anna Kournikova worm.

Working through e-mail systems like Microsoft Outlook, it selects files at random from a computer's hard drive to send to every name in the victim's address book.

If the e-mail attachment is opened, embarrassing or commercially sensitive material can be instantly sent to colleagues, bosses, friends or clients.


Experts say it is not as threatening as the "ILOVEYOU" and "Melissa" viruses. But they rate it as "nasty" for its delving into personal files and its trick of hoodwinking computer users by selecting names and a subject line with a "friendly feel."

That has led to companies across Europe warning their staffs to be alert to the threat from "Sircam," already rated as "medium risk" in the U.S. because of the sheer number of infections.

"It has been reported in Britain, France, Germany, Italy, Spain -- even Turkey and Greece," said Jason Holloway, UK general manager of Internet security company F-secure. "No country in Europe will be immune."

What makes the virus particularly potent is that e-mail arrives from names the computer user knows, making him or her more likely to open the infected attachment.

Graham Cluley, senior technology consultant with Sophos Anti-Virus, based in Abingdon, southern England, said: "We've had hundreds of reports of companies being hit by this virus.

"It comes as an attachment with an e-mail but it's clever: not only does it scoop up confidential documents on your computer, it sends them to everybody in your address book.

"It may well send confidential company secrets or merger plans and at a trivial level your plans to get your boss sacked and take over the company."

The virus was first identified in the U.S. last week and has the added trick of changing the e-mail subject line every time it attacks a new computer. Rather than a fixed subject, it uses the name of the file that has been taken from the computer's hard disk.

The "familiar" file name varies, but the attachment usually comes with the file name "SirCam32.exe" or similar.

Its other sophistication is that once it has digested a target user's e-mail address book, it uses its own e-mail system to send material on. So the user cannot trace what messages have been sent, what attachments have been forwarded, or to whom.

The e-mail message is likely to appear as follows:

Subject: [filename (random)]
Body:
Hi! How are you?
I send you this file in order to have your advice
or
I hope you can help me with this file that I send
or
I hope you like the file that I send you
or
This is the file with the information that you ask for
See you later. Thanks

The same message may be received in Spanish.
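
An added example, not part of the original article: a Python check that scores a raw message against the traits described above (fixed greeting and closing, one of four middle sentences, subject taken from the attached file's name). The function names, indicator labels and sample messages are constructed for illustration, and the Spanish variant is not covered.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Template text as quoted in the article (English variant only).
GREETING, CLOSING = "Hi! How are you?", "See you later. Thanks"
MIDDLE = (
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I send you",
    "This is the file with the information that you ask for",
)

def _norm(text):
    """Collapse whitespace and case so line wrapping does not defeat matching."""
    return re.sub(r"\s+", " ", text).strip().lower()

def sircam_indicators(raw_message):
    """Return the article's message traits found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject, body, attachments = _norm(msg.get("Subject", "")), "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            attachments.append(_norm(part.get_filename()))
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("latin-1")
    body, hits = _norm(body), []
    if body.startswith(_norm(GREETING)) and body.endswith(_norm(CLOSING)):
        hits.append("template-frame")
    if any(_norm(m) in body for m in MIDDLE):
        hits.append("template-middle")
    # Assumption: "subject is the file name" means the attachment name starts with it.
    if subject and any(a.startswith(subject) for a in attachments):
        hits.append("subject-matches-attachment")
    return hits

def build_sample(subject, body, attachment=None):
    """Constructed test message; not a captured sample."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()
SUSPECT = build_sample("Q3 forecast", f"{GREETING}\n{MIDDLE[1]}\n{CLOSING}\n", "Q3 forecast.doc")
BENIGN = build_sample("Lunch?", "Hi! How are you?\nFree at noon on Friday?\n")
```

A message that shares only the greeting, like the benign sample, returns no indicators, so the three traits are best treated as a combined signal for quarantine rather than as separate rules.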

Once a computer is infected, Sircam creates a list of files with extensions such as .doc and .jpg which are located in the user's "My Documents" folder.

When Sircam is run, it copies itself to the Recycle Bin, sets up a directory called 'c:\recycled\SirC32.exe' and appears as 'SCam32.exe' in the Windows system directory. This way the worm's activity is disguised.

U.S. virus firm Symantec last week elevated its warning level from a 3 to a 4 on a scale of 1 to 5, while others designated it as a "medium" risk.

But despite its intrusive nature, Sircam appears to do little in the way of deleting files, anti-virus companies say.

Instructions on how to remove Sircam from an infected computer are posted on most anti-virus Web sites.





