Virus Profile: W32/SirCam@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 7/17/2001
Date Added: 7/17/2001
Origin: Unknown
Length: 137,216
Type: Virus
Subtype: E-mail
DAT Required: 4148
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- Presence of SCam32.exe in the WINDOWS SYSTEM directory
- Presence of Run32.exe in the WINDOWS directory

Methods of Infection

This virus sends itself, as an executable, to email recipients found in the Windows Address Book and addresses found in cached files. This executable is appended with a document, if one is found, in the MY DOCUMENTS folder. The mailing routine talks SMTP to a server and will use the server address found in infected executables. This address is presumably captured from the victim's machine which sent the virus to you. If that server is not in operation, or if relaying is not permitted, the virus attempts to use each of these three servers in succession, stopping when the first successful send occurs.

doubleclick.com.mx
enlace.net
goeke.net

Aliases

I-Worm.Sircam (AVP), TROJ_SIRCAM.A (Trend), W32.Sircam.Worm@mm (NAV), W32/SirCam.bat, W32/SirCam.dat, Worm.Sircam.A (AVX)
   

Virus Family Statistics (over the past 30 days)

Family Statistics information
Virus Name Infected Files Scanned Files % Infected Computers
W32/SirCam@MM 26135 64522334 0.02

Virus Characteristics

July 23, 2001
The 4149 (or greater) DATs (the full set and incrementals) include scanning of files with the .LNK extension mentioned below. VirusScan TC and VirusScan 4.51 (corporate) users can take advantage of this if they are using the default extension list. All other users, including corporate and retail, must update the extension list as noted below or SCAN ALL FILES.

July 22, 2001
For detection of W32/SirCam@MM, the LNK and PIF extensions need to be present on the extension list or SCAN ALL FILES must be chosen.

This mass-mailing virus attempts to send itself and local documents to all users found in the Windows Address Book and email addresses found in temporary Internet cached files (web browser cache).

It may be received in an email message containing the following information:

Subject: [filename (random)]
Body: Hi! How are you?

I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for

See you later. Thanks

--- the same message may be received in Spanish ---

Hola como estas ?

Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste

Nos vemos pronto, gracias.

--- end message ---

Although other message body possibilities are present in the virus,
these aren't actually being generated frequently.

Attached will be a document with a double extension (the filename varies). The first extension will be the file type which was prepended by the virus. When run, the document will be saved to the C:\RECYCLED folder and then opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder to conceal its presence and create the following registry key value to load itself whenever .EXE files are executed:

HKEY_CLASSES_ROOT\exefile\shell\open\command
\Default="C:\recycled\SirC32.exe" "%1" %*

As the RECYCLE BIN is often on the exclusion list, check your settings to insure that this directory IS being scanned.

It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and creates the following registry key value to load itself automatically:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd character of the name appears to be random) in the SYSTEM directory. Email addresses are gathered from the Windows Address Book and temporary Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd character of the name appears to be random) in the SYSTEM directory.

The worm prepends a copy of the files that are named in the SCD.DLL file and attaches this copy to the email messages that it sends via a built in for communicating directly with a SMTP server, using one of the following extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment names having double-extensions.

The program creates a registry key to store variables for itself (such as a run count, and SMTP information):

HKEY_LOCAL_MACHINE\Software\Sircam

The virus may also infect other systems by using open network shares . On remote systems the file \windows\rundll32.exe may get replaced with a viral copy, while the valid RUNDLL32.EXE file is renamed to RUN32.EXE. On those systems, the AUTOEXEC.BAT file may be appended with the line: @win \recycled\sirc32.exe.

Aside from e-mail overloading, it may delete files and/or fill up harddisk space by adding text entries over & over again to a sircam recycle bin file.

Variants

Variants information
Virus Name Type Subtype Differences
W32/SirCam.gen@MM Virus Internet Worm This detection covers corrupt, SirCam infected, files.
   
Use specified engine and DAT files for detection and removal. This removal includes the correction of the pertinent registry run and exefile registry keys, as well as any necessary Autoexec.bat file modifications.

Users using pre 4148 DAT files should update to the current DATs .

AVERT Stinger can detect and remove the virus and correct all registry and Autoexec.bat file modifications.

If a system is cleaned from DOS, then all registry entries must be cleaned manually (Note that manual modification of registry items is dangerous and should not be needed at all as VirusScan will clean all pertinent registry items automatically. ).

--- Manual Removal Instructions ---

Note: These directions use specific directory pathnames which are commonly used. You may need to modify the drive letter used, and folder paths for the WINDOWS SYSTEM directory.
--- Registry Removal Instructions ---

1) Click START|RUN, type 

COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM

COMMAND /C COPY %WINDIR%\REGEDIT.EXE %WINDIR%\REGEDIT.COM
and hit ENTER
2) Click START | RUN, type regedit.com and hit ENTER
3) Remove references to the virus from this registry key
HKEY_CLASSES_ROOT\exefile\shell\open\command\
It should contain only the value (not including brackets) : ["%1" %*]
4) Delete the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices\Driver32

HKEY_LOCAL_MACHINE\Software\Sircam

--- File Removal Instructions ---

Failure to complete the Registry Removal Instructions before starting these file removal instructions will result in the in ability to run applications. Do not proceed until the registry has been corrected as mentioned above!

--- File Removal Instructions ---

Failure to complete the Registry Removal Instructions before starting these file removal instructions will result in the in ability to run applications. Do not proceed until the registry has been corrected as mentioned above!

1) Click START | RUN type, command.com and hit ENTER
2) Type, attrib -h c:\recycled\sirc32.exe and hit ENTER
3) Type, del c:\recycled\sirc32.exe and hit ENTER

Win9x/ME users only:
4) Type, attrib -h c:\windows\system\scam32.exe and hit ENTER
5) Type, del c:\windows\system\scam32.exe and hit ENTER
6)Type, move c:\windows\run32.exe c:\windows\rundll32.exe and hit ENTER
If prompted for Overwrite the file, choose (Y)es
If Cannot move ... appears then the virus did not move the Rundll32.exe file.

WinNT/2000 users only:
4) Type, attrib -h c:\winnt\system32\scam32.exe and hit ENTER
5) Type, del c:\winnt\system32\scam32.exe and hit ENTER
6) Type, move c:\winnt\run32.exe c:\winnt\rundll32.exe and hit ENTER
If prompted for Overwrite the file, type Y for (Y)es
If Cannot move ... appears then the virus did not move the Rundll32.exe file.

Win9x/ME/NT/2000 users:
(Note: as the Autoexec.bat file is not modified in all instances, steps 9, 10, and 11 may fail for some users. If this happens, then they were not required.)
7) Type exit and hit ENTER
8) Click START | RUN, type write c:\autoexec.bat and hit ENTER
9) Click EDIT | REPLACE, type @win \recycled\sirc32.exe and click REPLACE ALL
10) Click OK
11) Click FILE | EXIT and choose YES to save your changes

--- End Manual Removal Instructions ---

--- End Manual Removal Instructions ---

Additional information for Windows ME users :
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove theinfected files from the C:\_Restore folder.

Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active.