In particular,
http://antivirus.about.com/library/weekly/aa071801a.htm?iam=dpile&terms=%2BSirCam
............................
Documents' folders is one of the most accessible, whether from the desktop, Windows Explorer, or the default save-to location in many programs. As a result, many use it as a repository for all their data files - even those which contain sensitive or confidential information. This practice has never been a good idea as it gives ill-intentioned intruders a virtual roadmap to your personal and work output. The SirCam worm takes the vulnerability one step further, using the contents of the folder to package and disguise itself to others.
Sircam (a.k.a. I-Worm.Sircam, W32.Sircam, and W32/SircCam) mass mails itself using addresses found in the Windows Address Book and in cached email addresses found on the system. The attachment it sends is a compilation of its infection routine and a file found in the My Documents folder. The original name of the file is left intact, with an executable extension appended to it. For example, .PIF, .COM, or .EXE would be added to the original filename, thus myphoto.jpg would become myphoto.jpg.exe. Users who did not have file extension viewing enabled would see only the original extension and, in the example above, could be tricked into believing an executable file was actually a harmless image file.
The worm then mails itself in an email with the following message body:
Hi! How are you?
I send you this file in order to have your advice
See you later! Thanks
The subject line of the email is the name of the original file. When the infected attachment is executed, whatever file was "lifted" from the sender's My Documents folder is displayed, thus disguising the SirCam worm's actions. This is particularly risky, as an infected user who stores confidential data in the My Documents folder could easily find proprietary and sensitive data mass-mailed to others.
SirCam then copies itself to the Recycle Bin, C:\recycled\SirC32.exe, in an attempt to avoid detection by some antivirus scanners. The worm modifies the registry, [HKEY_CLASSES_ROOT\exefile\shell\open\command], so that the worm is run first when any .EXE on the system is run. This method makes improper removal of the worm a dangerous proposition. If the worm is deleted before the registry modification is corrected, no .EXE on the system will run.
Complete removal instructions, either manually or via an automated tool, can be found at: http://antivirus.about.com/library/weekly/aa072301a.htm.
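As an added example (not part of this message or the about.com article), the following Python checks three of the indicators described above: a document extension hidden under an executable one, the fixed SirCam message body, and an exefile\shell\open\command value that no longer matches the Windows default. The attachment names, body and registry value are constructed samples; the default command string "%1" %* is assumed.

```python
import re

# Executable extensions the article says SirCam appends to a stolen file's
# name (.PIF, .COM, .EXE); .SCR, .BAT and .LNK are added as assumptions.
EXEC_EXTS = {".pif", ".com", ".exe", ".scr", ".bat", ".lnk"}
# Data/document extensions the appended executable extension hides.
DOC_EXTS = {".doc", ".xls", ".jpg", ".gif", ".txt", ".zip", ".ppt", ".pdf"}
# Assumed default of HKEY_CLASSES_ROOT\exefile\shell\open\command.
DEFAULT_EXEFILE_CMD = '"%1" %*'
# Fixed phrasing of the SirCam message body quoted in the article.
SIRCAM_BODY = "i send you this file in order to have your advice"


def double_extension(filename):
    """Return (hidden_ext, exec_ext) when an executable extension follows a
    document extension, e.g. 'myphoto.jpg.exe' -> ('.jpg', '.exe'); else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    hidden, outer = "." + parts[1], "." + parts[2]
    if outer in EXEC_EXTS and hidden in DOC_EXTS:
        return (hidden, outer)
    return None


def sircam_body_match(body):
    """True when the body carries the fixed SirCam text, ignoring line wrapping."""
    return SIRCAM_BODY in re.sub(r"\s+", " ", body).lower()


def exefile_hijacked(command_value):
    """True when the exefile open command deviates from the assumed default,
    i.e. something other than the target .EXE runs first."""
    return command_value.strip() != DEFAULT_EXEFILE_CMD


def flag_attachments(names):
    """Return the attachment names that carry a disguised executable extension."""
    return [n for n in names if double_extension(n) is not None]


# Constructed samples: two names from the thread, two benign controls.
SAMPLE_ATTACHMENTS = ["Production Feb 7.xls.pif", "myphoto.jpg.exe",
                      "report.xls", "setup.exe"]
# Constructed registry value consistent with the article's description
# (worm runs first, then the original .EXE).
SAMPLE_HIJACKED_CMD = 'C:\\recycled\\SirC32.exe "%1" %*'

if __name__ == "__main__":
    print("suspect attachments:", flag_attachments(SAMPLE_ATTACHMENTS))
    print("exefile hijacked:", exefile_hijacked(SAMPLE_HIJACKED_CMD))
```

If exefile_hijacked returns True on a real host, restore the command value before removing the worm file, for the reason the article gives.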
Meritt James wrote:
You realize, of course, that there is no way I am going to "open" an attached Shortcut to MS-DOS Program (double dot file). I suspect a viral infection.
Robert Shelton wrote:
Part 1.1 Type: Plain Text (text/plain)
Encoding: quoted-printable
Name: Production Feb 7.xls.pif
Production Feb 7.xls.pif Type: Shortcut to MS-DOS Program
(application/x-unknown-content-type-piffile)
Encoding: base64
Download Status: Not downloaded with message
--
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566