The eBay Outlook: Need OE Virus Help Please


 eventer
 
posted on July 19, 2001 06:51:49 AM
Yikes! My sister has gotten one of these darn trojan viruses in her Outlook Express system.

I've tried running Norton and searching for the virus but can't find the darn thing.

The only thing I know about it is it appears to be troj_sircam.a

It's attaching a file to all her addresses & mailing stuff out.

Any help on how & where to stop this sucker would be greatly appreciated. I'm at my limit w/Norton who doesn't seem to be helping!

adding: She's running Windows ME and her OE is version 5.5


[ edited by eventer on Jul 19, 2001 07:02 AM ]
 
 spottydoggy
 
posted on July 19, 2001 07:30:22 AM
Couldn't find a listing for the virus specifically as you have it listed, but I did find something that might be it:
http://www.symantec.com/avcenter/venc/data/[email protected]

Here is a copy and paste of the text:
W32.Sircam.Worm@mm
Discovered on: July 17, 2001
Last Updated on: July 18, 2001 at 12:35:10 PM PDT



W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm. SARC has received several submissions of this worm from corporate customers. The worm is still being analyzed, and this write-up will be updated as new information becomes available.

Also Known As: W32/SirCam@mm, Backdoor.SirCam

Category: Worm

Virus Definitions: July 17, 2001

Threat Assessment:

Wild: Medium
Damage: Medium
Distribution: High


Wild:

Number of infections: 50 - 999
Number of sites: 0 - 2
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate
Damage:

Payload Trigger: October 16th
Payload:
Large scale e-mailing: The worm embeds random documents from the infected PC into itself
Deletes files: 1 in 20 chance of deleting all files and directories on C:. Only occurs on systems using D/M/Y as the date format
Degrades performance: 1 in 33 chance of filling all remaining space on the hard disk by adding text to the file c:\recycled\sircam.sys at each startup
Releases confidential info: It will export a random document from the hard drive by appending it to the body of the worm
Distribution:

Subject of email: Filename of attachment
Shared drives: searches for shared drives and copies itself to those it finds

Technical description:


This worm arrives as an email message with the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the attachment in the email.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.

English Version:
First line: Hi! How are you?
Last line: See you later. Thanks

Between these two sentences, some of the following text may appear:

Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informacion que me pediste

English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for

The file names under which this threat has been submitted are:

SirC32.exe
Tech Specs and Financials.doc.com

When executed, the worm will perform the following actions:

1. It creates copies of itself as %TEMP%\<file> and C:\recycled\<file>, which contain the attached document. This document is then launched using the program registered to handle the specific file type (e.g. .DOC -> Winword or WordPad, .XLS -> Excel, .ZIP -> WinZip).

2. It copies itself to C:\recycled\sirc32.exe and %System%\scam32.exe.

3. It adds the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices

with the value

Driver32=%System%\scam32.exe

4. The registry key HKEY_LOCAL_MACHINE\Software\SirCam is created and it will contain the following values:
FB1B - stores the filename of the worm as stored in the Recycled directory.
FB1BA - stores the SMTP IP address.
FB1BB - stores the email address of the sender.
FC0 - stores the number of times the worm has executed.
FC1 - stores what appears to be the version number of the worm.
FD1 - stores the filename of worm that has been executed, without the suffix

5. The registry key HKEY_CLASSES_ROOT\exefile\shell\open\command is set equal to

C:\recycled\sirc32.exe "%1" %*

This enables the worm to execute itself anytime a .EXE file is run.

6. The worm is network aware and will enumerate the network resources to infect shared systems. If any are found, it will do the following:
- attempt to copy itself to <machine>\recycled\sirc32.exe
- add the line "@win \recycled\sirc32.exe" to the file <machine>\autoexec.bat
- copy <machine>\Windows\rundll32.exe to <machine>\Windows\run32.exe
- replace <machine>\Windows\rundll32.exe with c:\recycled\sirc32.exe

7. There is a 1 in 33 chance that the following actions will occur:
the worm copies itself from C:\recycled\sirc32.exe to %Windows%\scmx32.exe
the worm copies itself as "Microsoft Internet Office.exe" to the directory referred to by the registry key

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\Shell Folders\Startup

8. If this first payload activates, the file c:\recycled\sircam.sys is created and filled with text until there is no remaining disk space. The text is one of two strings:
[SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
or
[SirCam Version 1.0 Copyright ¬ 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

9. There is a 1 in 20 chance that on October 16th of any year the worm will recursively delete all files and directories on C:

This payload functions only on machines which use the date format D/M/Y (as opposed to M/D/Y, etc)

10. The worm contains its own SMTP server which is used for the email routine.

It obtains email addresses through 2 different methods:
1. It will search the directory referred to by the registry key

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\Shell Folders\Startup\Cache

for sho*., get*., hot*., *.htm files and copies email addresses from there into the file %Windows%\sc??.dll (where ? is a random letter and number)
2. It searches the entire drive for *.wab (all Windows Address Books) and copies addresses from there.

11. It will search the directories referred to by the registry keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\Shell Folders\Startup\Personal

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\Shell Folders\Startup\Desktop

for files of type .DOC, .XLS, .ZIP, and .EXE. If it finds a match, the corresponding file will be appended to the worm's original executable and this new file will be sent as the email attachment.

12. After 8000 executions, the worm will stop running.



Removal instructions:

To remove the worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Sircam.Worm@mm.
4. Delete the file c:\recycled\sircam.sys if present.
5. Edit the file autoexec.bat and remove the line "@win \recycled\sirc32.exe" if it is present.

Copy Regedit.exe to Regedit.com:
The worm modifies the registry such that an infected file is executed every time you attempt to run a .EXE file. To correct this you must perform the following steps.
1. Do one of the following, depending on which operating system you are running:
   Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt.
   Windows NT/2000 users:
   a. Click Start, and click Run.
   b. Click Browse, and browse to the \Winnt\system32 folder.
   c. Double-click the Command.com file, and then click OK.
2. Type copy regedit.exe regedit.com and press Enter.
3. Type start regedit.com and press Enter.
4. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps.

NOTE: This will open Registry Editor in front of the DOS window. After you finish editing the registry and have closed Registry Editor, close the DOS window.

To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.

1. Navigate to and select the following key:

HKEY_CLASSES_ROOT\exefile\shell\open\command

CAUTION: The HKEY_CLASSES_ROOT key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey.
Do not modify the HKEY_CLASSES_ROOT\.exe key.
Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey. This is the key that you need to modify.


2. Double-click the (Default) value in the right pane.

3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"

4. Make sure you completely delete all value data in the command key prior to typing the correct data. If a space is left accidentally at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." or "Cannot locate C:\ <path and file name>."

5. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\Software\SirCam

6. In the left pane, right-click the mouse on the SirCam entry and select Delete. This will delete the subkey and all of its contents. Since this key was created by the worm it can be safely deleted.

7. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices

8. In the right pane, look for and select the value Driver32.

9. Press Delete, and then click Yes to confirm

Hope this helps you out!
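The message indicators in the write-up above (a subject that repeats the attachment name, a document extension followed by an executable one, and the fixed first and last body lines in English or Spanish) are easy to check mechanically. The script below is an added example, not code from this thread or from Symantec's write-up; the two messages it parses are constructed, and its extension list goes beyond the page's two samples (.exe and .doc.com) to the other executable extensions SirCam was seen using.

```python
"""Flag SirCam-style messages using the mail indicators from the write-up:
the subject repeats the attachment's name, the attachment hides an executable
extension behind a document extension, and the body opens and closes with the
worm's fixed greeting lines. Added example, not code from the thread or from
Symantec; SAMPLE and BENIGN are constructed messages.
"""
import os
from email import message_from_string
from typing import List

FIRST_LINES = {"hola como estas ?", "hi! how are you?"}
LAST_LINES = {"nos vemos pronto, gracias.", "see you later. thanks"}
# The write-up shows .exe and .doc.com samples; the remaining extensions are
# the other executable types SirCam was seen using (an extension of the page).
EXEC_EXT = {".exe", ".com", ".pif", ".lnk", ".bat"}


def sircam_indicators(raw: str) -> List[str]:
    """Return the SirCam indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    hits: List[str] = []
    body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            stem, ext = os.path.splitext(name)
            # "Tech Specs and Financials.doc.com": executable ext after a document ext
            if ext.lower() in EXEC_EXT and os.path.splitext(stem)[1]:
                hits.append(f"double extension: {name}")
            # subject equals the attachment name, with or without its extensions
            if subject and subject in {name.lower(), name.lower().split(".")[0]}:
                hits.append(f"subject repeats attachment name: {name}")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("latin-1", "replace")
    lines = [l.strip().lower() for l in body.splitlines() if l.strip()]
    if lines and lines[0] in FIRST_LINES and lines[-1] in LAST_LINES:
        hits.append("fixed greeting/closing lines")
    return hits


# Constructed message in the shape the write-up describes.
SAMPLE = """\
From: alice@example.test
To: bob@example.test
Subject: Tech Specs and Financials
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks
--b1
Content-Type: application/octet-stream; name="Tech Specs and Financials.doc.com"
Content-Disposition: attachment; filename="Tech Specs and Financials.doc.com"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed ordinary message with a document attached.
BENIGN = """\
From: carol@example.test
To: bob@example.test
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Hi Bob, attached are the figures we discussed.
--b2
Content-Type: application/msword; name="figures.doc"
Content-Disposition: attachment; filename="figures.doc"

ZmFrZQ==
--b2--
"""

if __name__ == "__main__":
    print("SAMPLE:", sircam_indicators(SAMPLE))
    print("BENIGN:", sircam_indicators(BENIGN))
```

Any one hit is only a hint; the double extension is the strongest of the three, because the worm's greeting lines can legitimately appear in real mail and a subject matching the attachment name is common in ordinary correspondence.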


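The registry and autoexec.bat changes listed in steps 3, 5 and 6 of the write-up, and reversed by hand in its removal section, can also be checked and undone from a file. The script below is an added example, not part of the thread or of Symantec's instructions; the registry export and autoexec.bat it reads are constructed samples, and parse_reg handles only the subset of the REGEDIT4 export format shown in them.

```python
"""Check a Windows 9x/ME host for the SirCam registry and autoexec.bat
artifacts named in the write-up, and build a REGEDIT4 file that undoes the
registry ones. Added example; not part of the thread or of Symantec's
instructions. The registry export and autoexec.bat below are constructed.
"""
import re
from typing import Dict, List

EXEFILE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUNSERVICES = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows"
               r"\CurrentVersion\RunServices")
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
CLEAN_EXEFILE = '"%1" %*'            # what the (Default) value must read
AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"


def _unquote(v: str) -> str:
    """Undo REGEDIT4 string quoting: strip the outer quotes, then \\x -> x."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = v[1:-1]
    return re.sub(r"\\(.)", r"\1", v)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal REGEDIT4 parser: lower-cased key path -> {value name: value}.
    '@' becomes '(Default)'; dword values are kept as their 'dword:' text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else _unquote(name)
        keys[current][name] = _unquote(value)
    return keys


def find_sircam_artifacts(reg_text: str, autoexec: str) -> List[str]:
    """Report the worm's persistence points (write-up steps 3, 5 and 6)."""
    reg = parse_reg(reg_text)
    findings: List[str] = []
    cmd = reg.get(EXEFILE_CMD.lower(), {}).get("(Default)", "")
    if cmd != CLEAN_EXEFILE:
        findings.append(f"exefile handler hijacked: {cmd!r}")
    if SIRCAM_KEY.lower() in reg:
        findings.append("HKLM\\Software\\SirCam key present")
    drv = reg.get(RUNSERVICES.lower(), {}).get("Driver32", "")
    if drv.lower().endswith("scam32.exe"):
        findings.append(f"RunServices Driver32 -> {drv}")
    for n, line in enumerate(autoexec.splitlines(), 1):
        if line.strip().lower() == AUTOEXEC_LINE:
            findings.append(f"autoexec.bat line {n}: {line.strip()}")
    return findings


def cleanup_reg() -> str:
    """REGEDIT4 text that restores the .exe handler and removes the worm's keys
    ('[-key]' deletes a key, '"name"=-' deletes a value)."""
    return "\n".join([
        "REGEDIT4",
        "",
        f"[{EXEFILE_CMD}]",
        '@="\\"%1\\" %*"',
        "",
        f"[-{SIRCAM_KEY}]",
        "",
        f"[{RUNSERVICES}]",
        '"Driver32"=-',
        "",
    ])


# Constructed sample of an infected machine's exported registry keys.
INFECTED_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\scam32.exe"

[HKEY_LOCAL_MACHINE\Software\SirCam]
"FB1B"="sirc32.exe"
"FC0"=dword:00000003
'''
# Constructed autoexec.bat with the line the worm adds.
INFECTED_AUTOEXEC = "@echo off\n@win \\recycled\\sirc32.exe\nSET PATH=C:\\WINDOWS\n"

if __name__ == "__main__":
    for f in find_sircam_artifacts(INFECTED_REG, INFECTED_AUTOEXEC):
        print("FOUND:", f)
    print(cleanup_reg())
```

Import the file cleanup_reg() produces from the regedit.com copy described above (or after booting clean), not by double-clicking it: on an infected system every .exe launch, regedit.exe included, goes through the hijacked exefile handler first. The script covers only the registry and autoexec.bat artifacts; the worm's own files (C:\recycled\sirc32.exe, %System%\scam32.exe and the replaced rundll32.exe on shared machines) still have to be removed as in the scan steps.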
 
 kiawok
 
posted on July 19, 2001 02:06:43 PM
bump

 
 eventer
 
posted on July 19, 2001 02:54:59 PM
spottydoggy,

Thanks so much. Unfortunately, it was too late to save the system... it totally destroyed everything. It will be on the way to the tekkies tomorrow to see if they can salvage anything.

This is a nasty one folks. Got my system as well because I'm in her email system. Sigh.

We are using a web based system to try & contact as many people as we can in our email files to let them know.

BTW, it doesn't just go after your address book, it goes after anyone in any file in OE.

Thanks!

 
 
