My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

I-Worm.Sircam

HIGH
HIGH
(W32.Sircam.Worm@mm, W32/SirCam@mm, Backdoor.SirCam)

Symptoms

The presence of any of the registry keys or files mentioned in the technical description.

Removal instructions:

The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender SirCamRem.exe tool does the following:
  • it detects I-Worm.Sircam.A;

  • it deletes the files infected with I-Worm.Sircam.A;

  • it kills the process from memory;

  • it repairs the Windows registry.


  • To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.

    If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the "Share Level Password" Vulnerability.

    You may also need to restore the affected files.

    Analyzed By

    Costin Ionescu BitDefender Virus Researcher

    Technical Description:

    I-Worm.Sircam.A is an Internet and network worm similar to I-Worm.Magistr.A. The virus spreads through e-mail using its own SMTP routine, sending itself to addresses from the Address Book and from cache or through the shared directories.

    It is transmitted through a message with a randomly chosen subject and body, in the form of a combination between the virus infection routine and a file chosen randomly from My Documents.

    The original name of the file is kept, but an executable extension is added (.pif, .exe, .lnk).

    Users who do not have the option to see attachment extensions activated, will only see the original extension and can be easily fooled.

    The body message is as follows:
    Subject: Document file name (without extension)
    From: [user_of_infected_machine@prodigy.net.mx]
    To: [random@email.from.address.book]

    Hi! How are you?
    I send you this file in order to have your advice

    or:

    I hope you can help me with this file that I send
    I hope you like the file that I send you
    This is the file with the information that you ask for

    See you later! Thanks


    or, in Spanish:

    Subject: Document file name (without extension)
    From: [user_of_infected_machine@prodigy.net.mx]
    To: [random@email.from.address.book]

    Hola como estas ?
    Te mando este archivo para que me des tu punto de vista


    or:

    Espero me puedas ayudar con el archivo que te mando
    Espero te guste este archivo que te mando
    Este es el archivo con la informacion que me pediste

    Nos vemos pronto, gracias.


    If the attachment is opened, the worm copies itself in the system directory under the name scam32.exe. It also copies itself into the directory "Recycled" under the name sirc32.exe, which is a hidden file. Then the virus creates the following three keys in the Windows Registry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

    with the value Driver32 = %System%\scam32.exe to be accessed when Windows starts, and:

    HKLM\SOFTWARE\Classes\exefile\shell\open\command

    with the value C:\Recycled\sirc32.exe "%1" %*" for the routine infection to be executed before any other EXE file.

    If the virus finds network shared directories, it will try to copy itself into the local Windows directory under the name rundll32.exe. The original file is renamed as run32.exe. If the worm succeeds, it will modify the autoexec.bat file by introducing a new line which will allow it to execute the file previously saved in the Windows directory.

    As a "signature" the author added the following strings in the virus in an encrypted form:
    [SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
    [SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]


    Destructive actions:
    1. It sends randomly, as attachment with the viral code, one of the infected system files at the e-mail addresses from the Address Book.

    2. On a random algorithm (one in 20 infected systems), it deletes all files and directories on the root directory C:\. This happens on oct. 16 of every year, on the systems using the D/M/Y format for standard date. If the attached file (that generated the infection) contains FA2 without being followed by sc, this destructive action happens regardless of date format.

    3. It slows system performances in one of 50 cases, multiplying a .txt file c:\recycled\sircam.sys

    4. I-Worm.Sircam.A sends confidential information too: it might chose one of your extremely confidential files to attach to its viral code and send to your contacts from the Address Book.