I-Worm.Sircam( W32.Sircam.Worm@mm, W32/SirCam@mm, Backdoor.SirCam )
SYMPTOMS: The presence of any of the registry keys or files mentioned in the technical description.

TECHNICAL DESCRIPTION: I-Worm.Sircam.A is an Internet and network worm similar to I-Worm.Magistr.A. The virus spreads through e-mail using its own SMTP routine, sending itself to addresses from the Address Book and from the cache, or through shared directories.

It is transmitted in a message with a randomly chosen subject and body, built as a combination of the virus infection routine and a file chosen randomly from My Documents. The original name of the file is kept, but an executable extension is added (.pif, .exe, .lnk). Users who do not have the option to see attachment extensions activated will only see the original extension and can be easily fooled. The message is as follows:

Subject: Document file name (without extension)
From: [user_of_infected_machine@prodigy.net.mx]
To: [random@email.from.address.book]

Hi! How are you?
I send you this file in order to have your advice
or:
I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for
See you later! Thanks

or, in Spanish:

Subject: Document file name (without extension)
From: [user_of_infected_machine@prodigy.net.mx]
To: [random@email.from.address.book]

Hola como estas ?
Te mando este archivo para que me des tu punto de vista
or:
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informacion que me pediste
Nos vemos pronto, gracias.

If the attachment is opened, the worm copies itself into the system directory under the name scam32.exe. It also copies itself into the "Recycled" directory under the name sirc32.exe, as a hidden file.

Then the virus creates the following three keys in the Windows Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices with the value Driver32 = %System%\scam32.exe, so that the worm is run when Windows starts, and:

HKLM\SOFTWARE\Classes\exefile\shell\open\command with the value C:\Recycled\sirc32.exe "%1" %*, so that the infection routine is executed before any other EXE file.

If the virus finds network shared directories, it will try to copy itself into the remote Windows directory under the name rundll32.exe; the original file is renamed run32.exe. If the worm succeeds, it modifies the autoexec.bat file by adding a new line that executes the file previously saved in the Windows directory.

As a "signature", the author added the following strings to the virus in encrypted form:

[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
[SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

Destructive actions:
Removal instructions: The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender SirCamRem.exe tool does the following:

To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables. If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the "Share Level Password" vulnerability. You may also need to restore the affected files.

ANALYZED BY: Costin Ionescu, BitDefender Virus Researcher
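The symptoms above (the RunServices entry, the hijacked exefile handler and the double-extension attachment names) can be checked offline. The following is an added example, not BitDefender's tool or the worm's code: it scans the text of a regedit export for the two registry entries described and flags attachment names of the "document.ext.pif" form; the .reg samples are constructed for this example.

```python
import re

# Indicators quoted from the description above; parsing and samples are
# constructed for this example and are not part of BitDefender's tool.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,5}\.(pif|exe|lnk)$")


def is_sircam_style_attachment(filename: str) -> bool:
    """True for names such as 'Budget.xls.pif': the original extension is
    kept and an executable one (.pif/.exe/.lnk) is appended after it."""
    return DOUBLE_EXT.search(filename.lower()) is not None


def find_sircam_registry_entries(reg_export: str) -> list:
    """Scan a regedit export (REGEDIT4 or v5 text) for the persistence
    entries: RunServices\\Driver32 -> scam32.exe and an exefile open
    command that runs sirc32.exe before the real executable."""
    findings, key = [], ""
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # current key path
            continue
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"').lower()
        value = value.strip().strip('"').replace('\\"', '"').lower()
        if key.endswith(r"\currentversion\runservices") \
                and name == "driver32" and value.endswith("scam32.exe"):
            findings.append("RunServices\\Driver32 = " + value)
        if key.endswith(r"\classes\exefile\shell\open\command") \
                and "sirc32.exe" in value:
            findings.append("exefile open command = " + value)
    return findings


# Constructed export of an infected machine (both keys present).
INFECTED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\scam32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\Recycled\\sirc32.exe \"%1\" %*"
"""

# Constructed export of a clean machine: default EXE handler untouched.
CLEAN_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
"""
```

Run `find_sircam_registry_entries` over an export taken with `regedit /e` and `is_sircam_style_attachment` over attachment names at the mail gateway; a hit on either is a symptom the description lists.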