Your PC may have become infected with the Win32/SirCam.137216 virus.
Please inform your IT Department about this problem and scan your PC with an
antivirus scanner and cure/delete any infected files you find.
If this does not detect any viruses you need to install the latest updates to
your antivirus software. These can usually be downloaded for free from your
antivirus software vendors website.
If you are not running any antivirus software then download for free
InoculateIT Personal Edition from http://antivirus.cai.com/
Please do this as soon as possible.
If you have any questions please contact me on +44 1536 464219
Thanks
James Dell
GB IT Helpdesk
Willett Ltd
Details on the virus appear below:
Win32.SirCam.137216 (also known as Win32.SirCam.Worm)
Win32.SirCam.137216 is an email worm which sends itself as well as clean
documents from an infected machine. The worm arrives in a message which may be
either English or Spanish. The English messages appear like this:
Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
The middle line may be chosen at random from one of the following:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for
The Spanish message looks like:
Hola como estas ?
Te mando este archivo para que me des tu punto de vista
Nos vemos pronto, gracias.
The middle line may be one of the following:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste
The attachment name is variable, but will have a double extension, for example
"SCRIPT.DOC.PIF". The actual extension may be "PIF", "LNK", "BAT", "EXE" or
"COM". The subject of the message matches the attachment name, except without
the extensions. In the above example the subject would be "SCRIPT".
When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" as well as
"SCam32.exe" in the Windows System directory. It modifies two registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32="\SCam32.exe"
HKEY_CLASSES_ROOT\exefile\shell\open\command=""C:\recycled\SirC32.exe" "%1" %*"
The first key causes the worm to run when Windows starts. The second causes the
worm to be run whenever any .EXE program is executed. The worm gets a list of
.DOC, .XLS and .ZIP files in the "My Documents" folder. It appends one of these
files to the end of itself and saves the result to the Recycled folder, adding
the second extension to the filename as listed previously. This file is
attached to the emails that the worm sends.
The worm may make several copies of itself with different DOC, XLS or ZIP files
attached, depending upon what it finds in the "My Documents" folder. It
continually sends these copies out to addresses it finds in the Windows address
book and internet cache files, and may send multiple copies to the same
address.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The information transmitted in this message is intended
only for the person or entity to which it is addressed
and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of,
or taking of any action in reliance upon, this information
by persons or entities other than the intended recipient
is prohibited. If you received this in error, please
contact the sender and delete the material from any computer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~