
Infection with the Win32/SirCam.137216 virus

2001-07-24 05:10:02
Your PC may have become infected with the Win32/SirCam.137216 virus.

Please inform your IT Department about this problem and scan your PC with an 
antivirus scanner and cure/delete any infected files you find.
If this does not detect any viruses you need to install the latest updates to 
your antivirus software. These can usually be downloaded for free from your 
antivirus software vendor's website.
If you are not running any antivirus software then download for free 
InoculateIT Personal Edition from http://antivirus.cai.com/ 

Please do this as soon as possible.

If you have any questions please contact me on +44 1536 464219

Thanks

James Dell
GB IT Helpdesk
Willett Ltd

Details on the virus appear below:

Win32.SirCam.137216 (also known as Win32.SirCam.Worm)
Win32.SirCam.137216 is an email worm which sends itself as well as clean 
documents from an infected machine. The worm arrives in a message which may be 
either English or Spanish. The English messages appear like this: 

Hi! How are you? 
I send you this file in order to have your advice
See you later. Thanks 

The middle line may be chosen at random from one of the following: 

I send you this file in order to have your advice
I hope you can help me with this file that I send 
I hope you like the file that I sendo you 
This is the file with the information that you ask for 

The Spanish message looks like: 

Hola como estas ? 
Te mando este archivo para que me des tu punto de vista 
Nos vemos pronto, gracias. 

The middle line may be one of the following: 

Te mando este archivo para que me des tu punto de vista 
Espero me puedas ayudar con el archivo que te mando 
Espero te guste este archivo que te mando 
Este es el archivo con la información que me pediste 

The attachment name is variable, but will have a double extension, for example 
"SCRIPT.DOC.PIF". The actual extension may be "PIF", "LNK", "BAT", "EXE" or 
"COM". The subject of the message matches the attachment name, except without 
the extensions. In the above example the subject would be "SCRIPT". 

When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" as well as 
"SCam32.exe" in the Windows System directory. It modifies two registry keys: 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32="\SCam32.exe"
HKEY_CLASSES_ROOT\exefile\shell\open\command=""C:\recycled\SirC32.exe" "%1" %*" 

The first key causes the worm to run when Windows starts. The second causes the 
worm to be run whenever any .EXE program is executed. The worm gets a list of 
.DOC, .XLS and .ZIP files in the "My Documents" folder. It appends one of these 
files to the end of itself and saves the result to the Recycled folder, adding 
the second extension to the filename as listed previously. This file is 
attached to the emails that the worm sends. 

The worm may make several copies of itself with different DOC, XLS or ZIP files 
attached, depending upon what it finds in the "My Documents" folder. It 
continually sends these copies out to addresses it finds in the Windows address 
book and internet cache files, and may send multiple copies to the same 
address. 



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The information transmitted in this message is intended
only for the person or entity to which it is addressed
and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of,
or taking of any action in reliance upon, this information
by persons or entities other than the intended recipient
is prohibited.   If you received this in error, please 
contact the sender and delete the material from any computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
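The message traits listed in the advisory above (double-extension attachment, subject equal to the attachment name without its extensions, fixed greeting line) can be checked at a mail gateway. The following is an added example, not part of the original message; the function names and the sample messages are constructed for illustration.

```python
from email.message import EmailMessage

FINAL_EXTS = {"pif", "lnk", "bat", "exe", "com"}   # second extension, per the advisory
INNER_EXTS = {"doc", "xls", "zip"}                 # document types the worm appends
GREETINGS = ("hi! how are you?", "hola como estas ?")  # fixed first lines

def sircam_indicators(msg):
    """Return the list of advisory indicators that an EmailMessage matches."""
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        pieces = name.split(".")
        if len(pieces) < 3:
            continue  # no double extension
        base, inner, final = ".".join(pieces[:-2]), pieces[-2], pieces[-1]
        if final in FINAL_EXTS and inner in INNER_EXTS:
            hits.append("double-extension")
            # The subject is the attachment name with both extensions removed.
            if subject == base:
                hits.append("subject-matches-attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(g in text for g in GREETINGS):
        hits.append("known-greeting")
    return hits

def build_sample(subject, filename, text):
    """Constructed test message; the attachment bytes are inert filler."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m

if __name__ == "__main__":
    sample = build_sample("SCRIPT", "SCRIPT.DOC.PIF",
                          "Hi! How are you?\nI send you this file in order "
                          "to have your advice\nSee you later. Thanks\n")
    print(sircam_indicators(sample))
```

The greeting text alone is weak evidence; the double-extension check is the one worth acting on, with the other two raising confidence.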


