FRISK Software International


Summary of W32/Sircam.worm@mm
Alias: I-Worm.Sircam, W32.Sircam, W32/SircCam
Length: 150 Kb
Discovered: 18 Jul 2001
Definition files: 18 Jul 2001
Infection Method: Mass mailing.
 

Brief Description

Sircam is a mass mailing worm about 150 kilobytes in size. When run, it copies itself to 'c:\recycled\SirC32.exe' and as 'SCam32.exe' to the Windows system directory. The 'SirC32.exe' copy is registered as the default startup command for EXE files, so it runs whenever an EXE file is launched. The 'SCam32.exe' file is registered as a driver, which ensures it is started when the system boots.

The worm collects e-mail addresses from the Windows Address Book into a file called 'scw1.dll' in the system directory (the filename can be random).

The worm then creates another file containing a list of files with certain extensions (e.g. .DOC, .ZIP, .JPG) located in the user's 'My Documents' folder. Since users quite often keep their personal or company-related documents there, the worm can send out confidential information.

Using its own SMTP engine, the worm sends messages to the addresses it found. One of the document files is selected from the list and appended to the worm's file. This file is sent with a double extension, for example .DOC.EXE, .ZIP.COM, .JPG.PIF, etc.

When a recipient opens this attachment, his system gets infected and then the included document is displayed. This way the worm's activity is disguised.

Messages sent by the worm look like this:

--Start of message---------------------------------

 Subject: Document file name (without extension)
 From: [user_of_infected_machine@prodigy.net.mx]
 To: [random@email.from.address.book]

 Hi! How are you?

 I send you this file in order to have your advice

 See you later! Thanks

--End of message-----------------------------------

The attached file has the name of the document the worm picked up from the infected computer, with a double extension, for example filename.DOC.EXE, filename.ZIP.COM, filename.JPG.PIF, etc.
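The message and attachment traits described above can be turned into a mail-gateway check. The following is an added example, not code from F-Secure or FRISK; it assumes the page's three document and three executable extensions are the full sets, and the sample message it builds is constructed, not a captured worm mail.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions named on the page: document types the worm harvests from
# 'My Documents' and executable types it appends (assumed to be the full sets).
DOC_EXTS = {"doc", "zip", "jpg"}
EXEC_EXTS = {"exe", "com", "pif"}
DOUBLE_EXT = re.compile(r"^(?P<base>.+)\.(?P<doc>[a-z0-9]+)\.(?P<exe>[a-z0-9]+)$", re.I)
BODY_MARKER = "i send you this file in order to have your advice"
WORM_BODY = "Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later! Thanks\n"


def classify_message(raw: bytes) -> dict:
    """Report which of the page's Sircam traits a raw RFC 822 message shows.

    double_ext:      attachment names of the form name.<doc>.<exe>
    subject_matches: the Subject equals the attachment's base name
    body_marker:     the fixed body sentence is present
    suspicious:      a double-extension attachment together with the body text
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    hits = {"double_ext": [], "subject_matches": False,
            "body_marker": BODY_MARKER in body.lower()}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        m = DOUBLE_EXT.match(name)
        if m and m["doc"].lower() in DOC_EXTS and m["exe"].lower() in EXEC_EXTS:
            hits["double_ext"].append(name)
            if m["base"].lower() == subject.lower():
                hits["subject_matches"] = True
    hits["suspicious"] = bool(hits["double_ext"]) and hits["body_marker"]
    return hits


def build_sample(filename: str = "budget.doc.exe", body: str = WORM_BODY) -> bytes:
    """Construct a test message in the shape the page describes (not a real capture)."""
    m = EmailMessage()
    m["Subject"] = "budget"                     # document name without extension
    m["From"] = "sender@example.invalid"        # placeholder addresses
    m["To"] = "recipient@example.invalid"
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes, not a real binary",
                     maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample()))
    print(classify_message(build_sample("budget.doc", "Hi, see attached.\n")))
```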

Removal Instructions

If your system is infected with the worm, first download this REG file and install it (by double-clicking on it):

Download Sirc_dis.reg from F-Secure

This will remove the worm's reference from the EXE file startup key in the Registry.

Warning! This is really important! The system might become unusable if the worm's file is deleted without modifying the EXE startup key first.

After that, the system can be safely disinfected with an anti-virus program. If for some reason the worm's file cannot be deleted from within Windows (locked file), exit to pure DOS and delete the worm's file manually, or use a DOS-based scanner.

[Analysis: Gergely Erdelyi, F-Secure Corp.; July 18th, 2001]