(TFT) Found the spam virus info here W32-SirCam@MM.html



W32/SirCam@MM

Profile

  Virus Name:         W32/SirCam@MM
  Variants:           None
  Description Added:  7/17/01 5:20:40 PM

Virus Information

  Discovery Date:     7/17/01
  Origin:             Unknown
  Length:             137,216
  Type:               Virus
  SubType:            E-mail
  Risk Assessment:    High
  Minimum Engine:     4.0.70
  Minimum DAT:        4148
  DAT Release Date:   07/18/2001


            Virus Characteristics


Jul 23 - Due to the increase in samples, the risk assessment for
W32/SirCam@MM has been updated to HIGH risk. AVERT will be releasing the
4149 DATs (the full set and incrementals) to include scanning of files
with the .LNK extension mentioned below. VirusScan TC and VirusScan 4.51
users can take advantage of this if they are using the default extension
list.

The 4149 DATs are now available. Please use the update:
http://www.mcafeeb2b.com/naicommon/download/dats/find.asp

All other users must update the extension list as noted below or SCAN
ALL FILES.

Jul 22 - For detection of W32/SirCam@MM, the LNK and PIF extensions need
to be present on the extension list or SCAN ALL FILES must be chosen.

This mass-mailing virus attempts to send itself and local documents to
all users found in the Windows Address Book and to email addresses found
in temporary Internet cached files (web browser cache).

It may be received in an email message containing the following
information:

  Subject: [filename (random)]
  Body:    Hi! How are you?

           I send you this file in order to have your advice
           or I hope you can help me with this file that I send
           or I hope you like the file that I sendo you
           or This is the file with the information that you ask for

           See you later. Thanks

--- the same message may be received in Spanish ---

  Hola como estas ?

  Te mando este archivo para que me des tu punto de vista
  or Espero me puedas ayudar con el archivo que te mando
  or Espero te guste este archivo que te mando
  or Este es el archivo con la información que me pediste

  Nos vemos pronto, gracias.

--- end message ---

Although other message body possibilities are present in the virus,
these aren't actually being generated frequently.

Attached will be a document with a double extension (the filename
varies). The first extension is that of the document the virus attached
itself to; the second is one of the executable extensions the virus
appends. When run, the document is saved to the C:\RECYCLED folder and
then opened, while the virus copies itself to the file
C:\RECYCLED\SirC32.exe to conceal its presence and creates the following
registry key value to load itself whenever .EXE files are executed:

  HKCR\exefile\shell\open\command\Default="C:\recycled\SirC32.exe" "%1" %*

As the RECYCLE BIN is often on the exclusion list, check your settings to
ensure that this directory IS being scanned.

It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and
creates the following registry key value to load itself automatically:

  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP
files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd
character of the name appears to be random) in the SYSTEM directory.
Email addresses are gathered from the Windows Address Book and temporary
Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd
characters of the name appear to be random) in the SYSTEM directory.

The worm combines a copy of itself with copies of the files named in the
SCD.DLL file and attaches these copies to the email messages that it
sends via a built-in routine for communicating directly with an SMTP
server, using one of the following extensions: .BAT, .COM, .EXE, .LNK,
.PIF. This results in attachment names having double extensions.
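The message traits described above (the quoted body phrases, the
double-extension attachment name, and the Subject taken from the attached
file's name) turned into a small mail-triage check. This is an added
example, not code from McAfee/AVERT or from the TFT list; the two sample
messages are constructed, and the phrase list is copied from the English
and Spanish bodies quoted above.

```python
"""Mail triage for the W32/SirCam@MM traits described in the profile.

Added example, not McAfee/AVERT code. It checks a raw RFC 822 message for
three traits from the profile: an attachment name with a double extension
ending in .BAT/.COM/.EXE/.LNK/.PIF, a body built from the listed English
or Spanish phrases, and a Subject equal to the attachment's base name.
The sample messages at the bottom are constructed.
"""
import email
from email import policy

# Executable extensions the worm appends to the stolen document's name.
WORM_EXTENSIONS = {"bat", "com", "exe", "lnk", "pif"}

# Phrases from the message bodies quoted in the profile, lower-cased. The
# last one is cut before the accented character so it matches whatever
# encoding the sender used for it.
BODY_PHRASES = (
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la informaci",
)


def has_double_extension(filename):
    """True for names such as 'notes.doc.pif': at least two extensions,
    the last of which is one the worm uses."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] != "" and parts[2] in WORM_EXTENSIONS


def attachment_names(msg):
    """Filenames of all attachment parts of an EmailMessage."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def plain_body(msg):
    """Decoded text of the first text/plain body part, or '' if none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def sircam_indicators(raw_message):
    """Return the list of SirCam traits found in a raw message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = attachment_names(msg)
    text = plain_body(msg).lower()
    subject = str(msg.get("Subject", "")).strip().lower()
    hits = []

    doubled = [n for n in names if has_double_extension(n)]
    if doubled:
        hits.append("double-extension attachment: " + ", ".join(doubled))

    if any(phrase in text for phrase in BODY_PHRASES):
        hits.append("body matches a SirCam message phrase")

    # The profile gives the Subject as the attachment's filename; compare it
    # with the name minus its final extension and minus both extensions.
    for n in names:
        stems = {n.lower().rsplit(".", 1)[0], n.lower().rsplit(".", 2)[0]}
        if subject and subject in stems:
            hits.append("subject equals attachment base name: " + subject)
            break
    return hits


def looks_like_sircam(raw_message):
    """Verdict: two or more of the three traits present."""
    return len(sircam_indicators(raw_message)) >= 2


# Constructed sample shaped like the profile's description. The base64
# payload is filler, not a real binary.
SAMPLE_SIRCAM = """\
From: someone@example.invalid
To: you@example.invalid
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks

--XX
Content-Type: application/octet-stream; name="notes.doc.pif"
Content-Disposition: attachment; filename="notes.doc.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XX--
"""

# Constructed ordinary message for comparison.
SAMPLE_CLEAN = """\
From: a@example.invalid
To: b@example.invalid
Subject: lunch
Content-Type: text/plain; charset="us-ascii"

Are we still on for lunch tomorrow?
"""

if __name__ == "__main__":
    print(sircam_indicators(SAMPLE_SIRCAM), looks_like_sircam(SAMPLE_SIRCAM))
    print(sircam_indicators(SAMPLE_CLEAN), looks_like_sircam(SAMPLE_CLEAN))
```

The double-extension test on its own will also flag legitimate files such
as an archive named "photos.zip.exe", so the verdict asks for two of the
three traits rather than one; on a gateway you would still quarantine
every executable extension in WORM_EXTENSIONS, as the Jul 22 note above
advises for the scanner's extension list.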

The program creates a registry key to store variables for itself (such
as a run count, and SMTP information):

  HKLM\Software\Sircam

The virus may also infect other systems by using open network shares. On
remote systems the file \windows\rundll32.exe might get replaced with a
viral copy. On those systems, it might also append the autoexec.bat with
the line:

  @win \recycled\sirc32.exe

Aside from e-mail overloading, it might delete files on 16 October
and/or fill up hard disk space by adding text entries over and over
again to a sircam recycle bin file.

Symptoms

Presence of SCam32.exe in the WINDOWS SYSTEM directory.

Method Of Infection

This virus sends itself, as an executable, to email recipients found in
the Windows Address Book and addresses found in cached files. This
executable is appended with a document if one is found in the MY
DOCUMENTS folder. The mailing routine talks SMTP to a server and will use
the server address found in the infected executable. This address is
presumably captured from the victim's machine which sent the virus to
you. If that server is not in operation, or if relaying is not permitted,
the virus attempts to use each of these three servers, stopping when the
first successful send occurs:

  doubleclick.com.mx
  enlace.net
  goeke.net

Removal Instructions

Use the specified engine and DAT files for detection and removal.

Windows ME Info:

NOTE: Windows ME utilizes a backup utility that backs up selected files
automatically to the C:\_Restore folder. This means that an infected
file could be stored there as a backup file, and VirusScan will be unable
to delete these files. These instructions explain how to remove the
infected files from the C:\_Restore folder.

Disabling the Restore Utility

 1. Right click the My Computer icon on the Desktop.
 2. Click on the Performance Tab.
 3. Click on the File System button.
 4. Click on the Troubleshooting Tab.
 5. Put a check mark next to "Disable System Restore".
 6. Click the Apply button.
 7. Click the Close button.
 8. Click the Close button again.
 9. You will be prompted to restart the computer. Click Yes.
    NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the
    files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.

NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5
remove the check mark next to "Disable System Restore". The infected
files are removed and the System Restore is once again active.

Registry Entries:

The W32/SirCam@MM virus makes changes to the registry.

  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

  HKLM\Software\Sircam

In infected state:

  HKCR\exefile\shell\open\command\Default="C:\recycled\SirC32.exe" "%1" %*

In clean state this should be:

  HKCR\exefile\shell\open\command\Default="%1" %*

Note that manual modification of registry items is dangerous and should
not be needed at all as VirusScan will clean all the registry items
automatically.
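A checker for the persistence points listed in this profile: the hijacked
exefile open command, the RunServices Driver32 entry, the
HKLM\Software\Sircam key, and the autoexec.bat line added on systems
reached over network shares. This is an added example, not McAfee/AVERT
code. It works on values already exported from a machine so that it runs
anywhere; reading them live with winreg on Windows is assumed and not
shown. The two snapshots are constructed from the infected and clean
states the profile gives.

```python
"""Registry and startup indicator checks for the W32/SirCam@MM entries.

Added example, not McAfee/AVERT code. Input is a snapshot dict of values
already exported from the machine (reading them with winreg on Windows
is assumed and not shown). It reports the persistence points the profile
lists and distinguishes the infected exefile handler from the clean one.
"""
import re

# Clean default value of HKCR\exefile\shell\open\command, per the profile.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Filenames and the state key the profile associates with the worm.
WORM_FILENAMES = {"scam32.exe", "sirc32.exe"}
SIRCAM_KEY = r"HKLM\Software\Sircam"


def exefile_interposer(value):
    """Return the program inserted before "%1" in the exefile open command,
    or None when the value is the clean '"%1" %*' (spacing tolerated)."""
    v = value.strip()
    if re.fullmatch(r'"%1"\s*%\*', v):
        return None
    m = re.fullmatch(r'"?([^"]+?)"?\s+"%1"\s*%\*', v)
    # A value that is neither clean nor a recognisable interposer is
    # reported whole so the analyst can look at it.
    return m.group(1) if m else v


def command_basename(command):
    """Executable name of a Run-style command ('C:\\X\\y.exe args' -> 'y.exe')."""
    tokens = command.strip().split()
    if not tokens:
        return ""
    exe = tokens[0].strip('"')
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_run_entries(run_values):
    """RunServices/Run name->command pairs that launch a worm filename or
    anything from the \\recycled folder."""
    found = {}
    for name, command in run_values.items():
        if command_basename(command) in WORM_FILENAMES or "\\recycled\\" in command.lower():
            found[name] = command
    return found


def autoexec_worm_lines(autoexec_text):
    """Lines of autoexec.bat that launch the worm copy from \\recycled."""
    return [line for line in autoexec_text.splitlines()
            if "\\recycled\\sirc32.exe" in line.lower()]


def review_snapshot(snapshot):
    """Collect findings from a dict with keys 'exefile_command' (str),
    'run_services' (name->command), 'keys_present' (list of key paths)
    and 'autoexec' (file text)."""
    findings = []
    prog = exefile_interposer(snapshot.get("exefile_command", CLEAN_EXEFILE_COMMAND))
    if prog is not None:
        findings.append("exefile handler hijacked: " + prog)
    for name, command in suspicious_run_entries(snapshot.get("run_services", {})).items():
        findings.append("RunServices\\" + name + " launches " + command)
    if any(k.lower() == SIRCAM_KEY.lower() for k in snapshot.get("keys_present", [])):
        findings.append("worm state key present: " + SIRCAM_KEY)
    for line in autoexec_worm_lines(snapshot.get("autoexec", "")):
        findings.append("autoexec.bat launches worm: " + line.strip())
    return findings


# Constructed snapshots: the first mirrors the profile's infected state,
# the second the clean state it says VirusScan restores. LoadPowerProfile
# is an ordinary Windows 9x RunServices entry included as a benign control.
INFECTED_SNAPSHOT = {
    "exefile_command": r'"C:\recycled\SirC32.exe" "%1" %*',
    "run_services": {
        "Driver32": r"C:\WINDOWS\SYSTEM\SCam32.exe",
        "LoadPowerProfile": "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    },
    "keys_present": [r"HKLM\Software\Sircam"],
    "autoexec": "@echo off\n@win \\recycled\\sirc32.exe\n",
}
CLEAN_SNAPSHOT = {
    "exefile_command": CLEAN_EXEFILE_COMMAND,
    "run_services": {"LoadPowerProfile": "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"},
    "keys_present": [],
    "autoexec": "@echo off\n",
}

if __name__ == "__main__":
    for finding in review_snapshot(INFECTED_SNAPSHOT):
        print(finding)
    print("clean snapshot findings:", review_snapshot(CLEAN_SNAPSHOT))
```

The exefile check is the one worth keeping after this particular worm is
gone: any program interposed before "%1" in that handler runs every time
an .EXE is launched, which is also why the profile warns against editing
the value by hand and why a scanner that excludes the RECYCLED folder
misses the copy it points to.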

Download self-extracting EXTRA.DAT (not needed if you are already using
DAT 4148), ZIP, or SDAT.
=====
Post to the entire list by writing to tft@brainiac.com.
Unsubscribe by mailing to majordomo@brainiac.com with the message body
"unsubscribe tft"