Sircam is a mass-mailing worm about 150 kilobytes in size. When
run, it copies itself to 'c:\recycled\SirC32.exe' and, as
'SCam32.exe', to the Windows system directory. 'SirC32.exe' is
registered as the default open command for EXE files, so it runs
every time any EXE file is launched. 'SCam32.exe' is registered as
a driver, which ensures it is started whenever the system boots.
The worm collects e-mail addresses from the Windows Address Book
into a file called 'scw1.dll' in the system directory (the
filename can be random).
The worm then creates another file containing a list of files with
certain extensions (e.g. .DOC, .ZIP, .JPG) located in the user's
'My Documents' folder. Since users quite often keep their personal
or company-related documents there, the worm can send out
confidential information.
Using its own SMTP engine, the worm sends messages to the addresses
it found. One of the document files is selected from the list and
appended to the worm's own file. This file is sent with a double
extension, for example .DOC.EXE, .ZIP.COM or .JPG.PIF.
When a recipient opens the attachment, the system gets infected and
only then is the embedded document displayed. This way the worm's
activity is disguised.
Messages sent by the worm look like this:
--Start of message---------------------------------
Subject: Document file name (without extension)
From: [user_of_infected_machine@prodigy.net.mx]
To: [random@email.from.address.book]
Hi! How are you?
I send you this file in order to have your advice
See you later! Thanks
--End of message-----------------------------------
The attached file has the name of the document the worm picked up
from the infected computer, with a double extension, for example
filename.DOC.EXE, filename.ZIP.COM, filename.JPG.PIF, etc.