FYI Virus Alert W32/SirCam@MM
Hope this will help some of you. Another tool that I found was the Norton file Fixsirc.exe, which works well too.
Peace
King Solomon
--------------------------------------------------------------------------------
************
Virus Name: W32/SirCam@MM
Risk Assessment: Medium
The latest McAfee DAT files, 4148, should remove this virus.
Virus Information
Discovery Date: 07/17/2001
Origin: Unknown
Length: 137,216
Type: Virus
SubType: E-mail
Minimum Dat: 4148
Minimum Engine: 4.0.70
DAT Release Date: 07/18/2001
Description Added: 07/17/2001
Virus Characteristics
For detection of W32/SirCam@MM, the LNK extension must be present in the scanner's extension list, or SCAN ALL FILES must be selected.
This mass-mailing virus attempts to send itself, together with local documents, to every address found in the Windows Address Book and to e-mail addresses found in the web browser's temporary Internet cache.
It may be received in an e-mail message with the following characteristics:
Subject: [filename (random)] (the name of the attached document)
Body:
Hi! How are you?
followed by one of:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for
and closing with:
See you later. Thanks
--- the same message may be received in Spanish ---
Hola como estas ?
followed by one of:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste
and closing with:
Nos vemos pronto, gracias.
--- end message ---
The attachment is a document with a double extension (the filename varies). The first extension is that of the original document, to which the virus has prepended itself; the second is the executable extension the worm adds. When run, the document is saved to the C:\RECYCLED folder and opened, while the virus copies itself to C:\RECYCLED\SirC32.exe to conceal its presence and sets the following registry value so that it is loaded whenever an .EXE file is executed:
HKCR\exefile\shell\open\command
\Default="C:\recycled\SirC32.exe" "%1" %*
As the Recycle Bin is often on the scanner's exclusion list, check your settings to ensure that this directory IS being scanned.
It also copies itself to the WINDOWS SYSTEM
directory as SCam32.exe and creates the
following registry key value to load itself
automatically:
HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe
A list of the .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd character of the name appears to be random) in the SYSTEM directory. E-mail addresses gathered from the Windows Address Book and temporary Internet cached pages are saved to the file SCD1.DLL (the 2nd and 3rd characters of the name appear to be random) in the same directory.
The worm prepends itself to a copy of each file named in SCD.DLL and attaches the result to the messages it sends through its built-in SMTP engine, giving the copy one of the following extensions: .BAT, .COM, .EXE, .LNK, .PIF. This is why the attachment names carry double extensions.
The program creates a registry key to store
variables for itself (such as a run count, and
SMTP information):
HKLM\Software\Sircam
The virus may also infect other systems over open network shares. On a remote system the file \windows\rundll32.exe may be replaced with a viral copy, and the line @win \recycled\sirc32.exe may be appended to autoexec.bat.
Aside from mail overloading, the virus may delete files on 16 October and/or fill up hard disk space by appending text entries over and over again to a file of its own in the Recycled folder.
Removal Instructions
Use specified engine and DAT files for detection
and removal.
Windows ME Info:
NOTE: Windows ME utilizes a backup utility that
backs up selected files automatically to the C:\_Restore folder.
This means that an infected file could be stored there as a backup
file, and VirusScan will be unable to delete these files. These
instructions explain how to remove the infected files from the
C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer.
Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse to the files located in the C:\_Restore folder and remove them.
12. After removing the desired files, restart
the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and System Restore is once again active.
Registry Entries:
The W32/SirCam@MM virus makes changes to the
registry.
HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe
HKLM\Software\Sircam
In infected state:
HKCR\exefile\shell\open\command
\Default="C:\recycled\SirC32.exe" "%1" %*
In clean state this should be:
HKCR\exefile\shell\open\command
\Default="%1" %*
Note that manual modification of registry items
is dangerous and should not be needed at all as VirusScan will
clean all the registry items automatically.
The latest McAfee DAT files, 4148, and the Norton tool Fixsirc.exe should remove this virus.
************
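The two checks a responder would script from the advisory above, as an added example that is not McAfee's or Norton's code: the mail-side indicators (the template sentences, a double-extension attachment ending in one of the five worm extensions, and a subject equal to the stolen document's name) and the exefile handler hijack from the Registry Entries section. The message, filenames and registry strings are constructed for illustration, and the function names are my own.

```python
"""Checks scripted from the SirCam advisory above (added example; not McAfee's
or Norton's code).  Every message, filename and registry value here is
constructed for illustration."""
import email
import ntpath
from email import policy
from email.message import EmailMessage

# Extensions the worm gives the attachment (from the advisory).
EXEC_EXTS = {".bat", ".com", ".exe", ".lnk", ".pif"}
# File types the advisory says the worm lists from My Documents.
DOC_EXTS = {".gif", ".jpg", ".jpeg", ".mpeg", ".mov", ".mpg",
            ".pdf", ".png", ".ps", ".zip"}
# Template sentences from the advisory (English and Spanish), lower-cased.
SIRCAM_PHRASES = (
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i send you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la información que me pediste",
)


def split_double_extension(filename):
    """('report', '.doc', '.pif') for 'report.doc.pif'; None unless the name
    ends in a worm extension sitting behind another extension."""
    stem, outer = ntpath.splitext(ntpath.basename(filename))
    if outer.lower() not in EXEC_EXTS:
        return None
    stem, inner = ntpath.splitext(stem)
    if not stem or not inner:
        return None
    return stem, inner.lower(), outer.lower()


def message_indicators(raw):
    """Match one RFC 822 message (bytes) against the advisory's description;
    returns the indicators hit (empty list = nothing SirCam-like)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body, attachment = "", None
    for part in msg.walk():
        if part.is_attachment():
            attachment = attachment or part.get_filename()
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    hits = []
    text = " ".join(body.lower().split())  # collapse the template's line breaks
    if any(p in text for p in SIRCAM_PHRASES):
        hits.append("body contains a SirCam template sentence")
    parts = split_double_extension(attachment) if attachment else None
    if parts:
        stem, inner, outer = parts
        hits.append(f"attachment {attachment!r} has double extension {inner}{outer}")
        if inner in DOC_EXTS:
            hits.append("inner extension is a type the worm harvests")
        if subject.lower() == stem.lower():
            hits.append("subject equals the stolen document's name")
    return hits


def exefile_hijacker(command_value):
    """Return the program that HKCR\\exefile\\shell\\open\\command runs before
    "%1", or None when the value is the clean  "%1" %*  .  Checking the first
    token, rather than comparing with the advisory's SirC32.exe path, also
    catches a renamed or relocated copy."""
    value = command_value.strip()
    if not value:
        raise ValueError("empty exefile handler")
    if value.startswith('"'):                 # quoted path, may contain spaces
        first = value[1:].split('"', 1)[0]
    else:
        first = value.split(None, 1)[0]
    return None if first == "%1" else first


def build_sample(stolen="holiday.jpg", worm_ext=".pif"):
    """A constructed message shaped like the advisory's template: the subject
    is the stolen document's name and the attachment carries a double extension."""
    msg = EmailMessage()
    msg["Subject"] = ntpath.splitext(stolen)[0]
    msg.set_content("Hi! How are you?\n\n"
                    "I send you this file in order to have your advice\n\n"
                    "See you later. Thanks\n")
    msg.add_attachment(b"MZ\x90\x00 constructed stand-in for worm + document",
                       maintype="application", subtype="octet-stream",
                       filename=stolen + worm_ext)
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample(), build_sample("informe.zip", ".lnk")):
        print(message_indicators(raw))
    print(exefile_hijacker(r'"C:\recycled\SirC32.exe" "%1" %*'))  # the hijack
    print(exefile_hijacker(r'"%1" %*'))                           # None: clean
```

On a live Windows host the string to hand to exefile_hijacker is what winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") returns. The checks only cover the indicators the advisory lists; the DAT scan remains the authoritative detection and, as the advisory says, the registry should be repaired by VirusScan rather than by hand.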
----------------------------------------------------------------------------
To unsubscribe/subscribe or view archives of postings, go to the Gambia-L
Web interface at: http://maelstrom.stjohns.edu/archives/gambia-l.html
You may also send subscription requests to [log in to unmask]
if you have problems accessing the web interface and remember to write your full name and e-mail address.
----------------------------------------------------------------------------