Hi!
Please, *Do not open any attachments from
"[EMAIL PROTECTED]"
or
"[EMAIL PROTECTED]"
I have been bitten by the SirCam virus and a huge number of emails got sent out
through my "porter" email account. What makes this so incredibly frustrating is that
the blasted bug got through our University's scanning system as well as the virus
scanner on my own personal computer.
Your email was evidently picked up out of my browser's cache files since I don't even
use Microsoft's address book which is what this bugger usually uses.
My deepest apologies. This from someone who has helped over a dozen people clean up
their hard-drives from this blasted trojan.
If you *did* open that attachment then you, too, have been infected by this virus.
You *must* clean your system at once. My virus lay dormant for over a month before it
activated this morning.
If you did open the attachment in the message I sent to you, here's what you have to
do. Please do it immediately because this is a mean little virus.
If you have questions, you may email me at:
[EMAIL PROTECTED]
and I'll do what I can to help. I feel terrible about this.
The only way I got rid of it was to go through the manual removal process outlined
below. It wasn't too bad.
---------------------------------
(From http://www.mcafee.com/anti-virus/viruses/sircam/default.asp?cid=2360)
W32/SirCam@MM Help Center
DESCRIPTION - What virus is this?
This is a HIGH RISK virus that is spread to email recipients found in the
Windows Address Book and addresses found in cached files. The infected
email can come from addresses that you recognize. Attached is a file with
two different extensions. The file name itself varies.
The email message can appear as follows:
Subject: [filename (random)]
Body: Hi! How are you?
I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for
See you later. Thanks
--- the same message may be received in Spanish ---
Hola como estas ?
Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste
Nos vemos pronto, gracias.
PAYLOAD - What can this virus do?
When run, the document will be saved to the C:\RECYCLED folder and then
opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder to
conceal its presence and creates a registry key value to load itself
whenever .EXE files are executed.
The virus searches for .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG,
.PS, and .ZIP files in the MY DOCUMENTS folder and attempts to send copies
of these documents to email recipients found in the Windows Address Book
and addresses found in cached files.
DETECTION AND REMOVAL
- How can I detect and remove this virus?
McAfee.com VirusScan and Clinic users,
click here to update ActiveShield.
Retail McAfee VirusScan users,
click here to get the latest DAT file.
Scan Your System for Infected Files
McAfee.com VirusScan Online and Clinic users, click here to perform a Scan.
If W32/SirCam@MM is found, use the delete option to remove it.
Rename the Windows Registry Editor
Click on the Start button.
Highlight Run.
Type in COMMAND and hit the OK button. A window will then appear with a
black background. The last line of text in the window will look something
like C:\Windows> (followed by a blinking cursor).
Type in the following at the prompt: COPY REGEDIT.EXE REGEDIT.BAT EXIT The
window will then disappear.
Boot into Safe Mode
Shut the computer down so the power is off.
Wait 20 seconds or so.
Turn the computer on and immediately begin pressing the F8 key on the
keyboard, once every second repeatedly. Do this until the Windows Startup
Menu appears. If you get a keyboard error, press F1 to resume and then
continue pressing the F8 key once every second.
Select Safe Mode from the Windows Startup Menu, then press the Enter key on
the keyboard.
Windows will then boot into Safe Mode.
NOTE: This may take longer than a normal boot.
At the end of the boot process a dialog box will appear informing you that
Windows is in Safe Mode. Click OK on this dialog box.
Windows is now in Safe Mode.
Backup the Registry
Click on the Start button.
Click on Run.
Type REGEDIT.BAT in the Open field.
Click the OK button. The Registry Editor window will appear.
Click on the Registry pull-down menu.
Click on Export Registry File.
In the File Name field type "backup" (without the quotation marks).
In the Save In field be sure that the desktop is selected (if it is not,
click on the pull down menu and select "Desktop").
Select "All" in the Export Range group box.
Click on the Save button. The registry will then be saved.
Click the X in the top right corner to close the Registry Editor.
NOTE: You now have a backup of your Registry saved as "backup" on your
desktop. If you need to restore the Registry you can double-click on the
"backup" file located on the desktop. Once these instructions are complete
and everything is running properly be sure to delete this backup file by
right-clicking on it then left-clicking on Delete from the pop-up menu that
appears. This will ensure that the old registry is not accidentally
restored once the Trojan has been removed.
Remove the Worm Entries from the Registry
As you go through this process, you will be asked to confirm each change.
Make sure that the change is correct, then confirm each change.
Click the Start button.
Click on Run.
Type in REGEDIT.BAT in the Open field.
Click the OK button. The Registry Editor window will appear.
Click on the plus sign next to HKEY_CLASSES_ROOT.
Click on the plus sign next to exefile.
Click on the plus sign next to shell.
Click on the plus sign next to open.
Single-click on command so it is highlighted.
On the right side of the screen is a Name column and a Data column. Locate
and right-click on (Default) under the Name column.
A pop-up menu will appear. Left-click on Modify.
The Edit String dialog box will appear with the value highlighted. Delete
all text in the Value and type the following characters (WITHOUT THE
BRACKETS): ["%1" %*] If you are unsure of how the characters should be, the
following is a spelled out version of the correct characters: quote,
percentage, one, quote, space, percentage, asterisk.
Click the OK button to close the Edit String dialog box.
On the left side of the screen click on the minus sign next to open.
Click on the minus sign next to shell.
Click on the minus sign next to exefile.
click on the minus sign next to HKEY_CLASSES_ROOT.
Click on the plus sign next to HKEY_LOCAL_MACHINE.
Click on the plus sign next to SOFTWARE.
Single click on the SIRCAM folder so it is highlighted, then hit delete.
Click the plus sign next to Microsoft.
Click the plus sign next to Windows.
Click the plus sign next to CurrentVersion.
Single click on the RunServices Folder so it is highlighted.
On the right side of the screen is a Name column and a Data column. Under
the Name column locate and single-click on Driver32 =
C:\WINDOWS\SYSTEM\SCam32.exe so it is highlighted.
Press the Delete key on the keyboard to remove the entry.
Close the Registry Editor by clicking the X in the top right corner.
Remove reference in Autoexec.bat file:
Click Start, and click Run.
Type the following, and then click OK.
edit c:\autoexec.bat
The MS-DOS Editor opens.
Remove the line "@win \recycled\sirc32.exe" if it is present.
Click File and then click Save.
Exit the MS-DOS Editor
Scan your computer for infected files again.
Sheepishly yours,
Kinney Baughman
[EMAIL PROTECTED]
and also
[EMAIL PROTECTED]
