July 23, 2001

Due to the increase in samples, the risk assessment for W32/SirCam@MM has been updated to a HIGH risk.

The 4149 DATs (the full set and incrementals) include scanning of files with the .LNK extension mentioned below. VirusScan TC and VirusScan 4.51 (corporate) users can take advantage of this if they are using the default extension list. All other users, including corporate and retail, must update the extension list as noted below or SCAN ALL FILES.
July 22, 2001

For detection of W32/SirCam@MM, the LNK and PIF extensions need to be present on the extension list or SCAN ALL FILES must be chosen.
This mass-mailing virus attempts to send itself and local documents to all users found in the Windows Address Book and to email addresses found in temporary Internet cached files (web browser cache).

It may be received in an email message containing the following information:
Subject: [filename (random)]
Body: Hi! How are you?
      I send you this file in order to have your advice
   or I hope you can help me with this file that I send
   or I hope you like the file that I sendo you
   or This is the file with the information that you ask for
      See you later. Thanks

--- the same message may be received in Spanish ---

Hola como estas ?
      Te mando este archivo para que me des tu punto de vista
   or Espero me puedas ayudar con el archivo que te mando
   or Espero te guste este archivo que te mando
   or Este es el archivo con la información que me pediste
      Nos vemos pronto, gracias.

--- end message ---
Although the virus contains other possible message bodies, these are not actually being generated frequently.
Attached will be a document with a double extension (the filename varies). The first extension is the file type of the original document, to which the virus has prepended itself. When run, the document is saved to the C:\RECYCLED folder and then opened, while the virus copies itself to C:\RECYCLED\SirC32.exe to conceal its presence and creates the following registry key value so that it is loaded whenever .EXE files are executed:

HKCR\exefile\shell\open\command\Default="C:\recycled\SirC32.exe" "%1" %*
As the RECYCLE BIN is often on the exclusion list, check your settings to ensure that this directory IS being scanned.
It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and creates the following registry key value to load itself automatically:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe
A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd character of the name appears to be random) in the SYSTEM directory. Email addresses are gathered from the Windows Address Book and temporary Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd characters of the name appear to be random) in the SYSTEM directory.

The worm prepends a copy of itself to the files named in the SCD.DLL file and attaches the result to the email messages it sends via its own built-in code for communicating directly with an SMTP server, using one of the following extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment names having double extensions.
The program creates a registry key to store variables for itself (such as a run count and SMTP information):

HKLM\Software\Sircam
The virus may also infect other systems by using open network shares. On remote systems the file \windows\rundll32.exe may be replaced with a viral copy, while the valid RUNDLL32.EXE file is renamed to RUN32.EXE. On those systems, the AUTOEXEC.BAT file may be appended with the line:

@win \recycled\sirc32.exe
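As an added example that is not part of this advisory, the following Python checks apply the indicators described above (the hijacked exefile handler, the RunServices\Driver32 value, the HKLM\Software\Sircam key and the AUTOEXEC.BAT line) to values read from a registry export and an AUTOEXEC.BAT listing. The dictionary layout, the value name RunCount and all sample data are constructed for this example.

```python
import re

# Registry locations named in the advisory. The value name "RunCount" under
# HKLM\Software\Sircam and all sample data below are constructed for this example.
EXEFILE_DEFAULT = r"HKCR\exefile\shell\open\command\Default"
RUNSERVICES_DRIVER32 = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32"
SIRCAM_STATE_KEY = r"HKLM\Software\Sircam"

# A clean .EXE open handler is just "%1" %* (quotes optional); anything placed in front of it is a hijack.
CLEAN_EXEFILE_HANDLER = re.compile(r'^"?%1"?\s+%\*$')
# The line the worm appends to AUTOEXEC.BAT on systems reached over network shares.
AUTOEXEC_LINE = re.compile(r'^@?win\s+\\recycled\\sirc32\.exe\s*$', re.IGNORECASE)


def check_exefile_handler(default_value):
    """Return a finding string if the .EXE open handler is not the plain "%1" %* form."""
    value = default_value.strip()
    if CLEAN_EXEFILE_HANDLER.match(value):
        return None
    return "exefile open handler hijacked: " + value


def check_registry(values):
    """values maps 'Key\\ValueName' -> data, as read from a registry export."""
    findings = []
    handler = values.get(EXEFILE_DEFAULT)
    if handler is not None:
        finding = check_exefile_handler(handler)
        if finding:
            findings.append(finding)
    driver = values.get(RUNSERVICES_DRIVER32, "")
    if driver.lower().endswith("scam32.exe"):
        findings.append("RunServices\\Driver32 loads " + driver)
    if any(name.lower().startswith(SIRCAM_STATE_KEY.lower()) for name in values):
        findings.append("HKLM\\Software\\Sircam present (worm state key)")
    return findings


def check_autoexec(lines):
    """Return the AUTOEXEC.BAT lines matching the entry the worm appends."""
    return [line.strip() for line in lines if AUTOEXEC_LINE.match(line.strip())]


# Constructed sample resembling an infected host, plus a clean handler for comparison.
SAMPLE_REGISTRY = {
    EXEFILE_DEFAULT: '"C:\\recycled\\SirC32.exe" "%1" %*',
    RUNSERVICES_DRIVER32: r"C:\WINDOWS\SYSTEM\SCam32.exe",
    SIRCAM_STATE_KEY + r"\RunCount": "3",
}
SAMPLE_AUTOEXEC = ["@echo off", r"PATH C:\WINDOWS;C:\WINDOWS\COMMAND", r"@win \recycled\sirc32.exe"]
CLEAN_REGISTRY = {EXEFILE_DEFAULT: '"%1" %*'}
```

Running check_registry(SAMPLE_REGISTRY) and check_autoexec(SAMPLE_AUTOEXEC) on the constructed sample yields three registry findings and the one appended AUTOEXEC.BAT line, while CLEAN_REGISTRY yields none.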
Aside from e-mail overloading, it might delete files on 16 October and/or fill up hard disk space by adding text entries over and over again to a SirCam file in the Recycle Bin.