> >
> > W32.Sircam.Worm@mm
> > Discovered on: July 17, 2001
> > Last Updated on: August 21, 2001 at 03:13:03 PM PDT
> >
> > Due to an increased rate of virus submissions, The Symantec AntiVirus
> > Research Center (SARC) has upgraded W32.Sircam.Worm@mm from a level 3 to a
> > level 4 virus threat.
> >
> > W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a
> > manner similar to the W32.Magistr.Worm.
> > Due to what appears to be a bug, this worm does not replicate under
> > Windows NT or 2000.
> >
> > SARC has created a tool to remove this worm.
> >
> > CAUTION: In some cases, if you have had NAV quarantine or delete
> > infected files, you will not be able to run .exe files, however you will
> > still be able to run the removal tool.
> >
> > To obtain the W32.Sircam.Worm@mm removal tool, please click here.
> >
> >
> > Also Known As: W32/SirCam@mm, Backdoor.SirCam
> >
> > Type: Worm
> >
> > Virus Definitions: July 17, 2001
> >
> > Threat Assessment:
> >
> >
> > Wild: High
> > Damage: Medium
> > Distribution: High
> >
> >
> > Wild:
> >
> > a.. Number of infections: More than 1000
> > b.. Number of sites: More than 10
> > c.. Geographical distribution: Medium
> > d.. Threat containment: Moderate
> > e.. Removal: Moderate
> > Damage:
> >
> > a.. Payload Trigger: 1) October 16th, or some attached file
> > contents, triggers file deletion payload. 2) If the file deletion occurred,
> > or after 8000 executions, triggers the space filler payload.
> > b.. Payload:
> > a.. Large scale e-mailing: The worm appends a random document from
> > the infected PC to itself and sends this new file via email
> > b.. Deletes files: 1 in 20 chance of deleting all files and
> > directories on C:. Only occurs on systems where the date is October 16 and
> > which are using D/M/Y as the date format. Always occurs if attached file
> > contains "FA2" not followed by "sc".
> > c.. Degrades performance: 1 in 50 chance of filling all remaining
> > space on the C: drive by adding text to the file c:\recycled\sircam.sys
> > d.. Releases confidential info: It will export a random document
> > from the hard drive by appending it to the body of the worm
> > Distribution:
> >
> > a.. Subject of email: Random subject - the filename of the
> > attachment
> > b.. Name of attachment: A file from the sender's computer with the
> > extension .bat, .com, .lnk, or .pif added to it.
> > c.. Size of attachment: at least 134kb long
> > d.. Shared drives: searches for shared drives and copies itself to
> > those it finds
> >
> > Technical description:
> >
> > This worm arrives as an email message with the following content:
> >
> > Subject: The subject of the email will be random, and will be the same
> > as the file name of the email attachment.
> > Attachment: The attachment is a file taken from the sender's computer
> > and will have the extension .bat, .com, .lnk or .pif added to it.
> > Message: The message body will be semi-random, but will always contain
> > one of the following two lines (either English or Spanish) as the first and
> > last sentences of the message.
> >
> > Spanish Version:
> > First line: Hola como estas ?
> > Last line: Nos vemos pronto, gracias.
> >
> > English Version:
> > First line: Hi! How are you?
> > Last line: See you later. Thanks
> >
> > Between these two sentences, some of the following text may appear:
> >
> > Spanish Version:
> > Te mando este archivo para que me des tu punto de vista
> > Espero me puedas ayudar con el archivo que te mando
> > Espero te guste este archivo que te mando
> > Este es el archivo con la información que me pediste
> >
> > English Version:
> > I send you this file in order to have your advice
> > I hope you can help me with this file that I send
> > I hope you like the file that I sendo you
> > This is the file with the information that you ask for
> >
> > When run, the worm performs the following actions:
> >
> >
> > 1. It creates copies of itself as %TEMP%\<File name> and
> > C:\Recycled\<file name>, which contain the attached document. This document
> > is then run using the program registered to handle the specific file type.
> > For example, if it is saved as a file with the .doc extension, it will run
> > using Microsoft Word or Wordpad. A file with the .xls extension will open in
> > Excel, and one with the .zip extension will open in your default zip
> > program, such as WinZip.
> >
> > NOTE: The term %TEMP% is the Temp variable, and means that the worm
> > will save itself to the Windows Temp folder, whatever its location. The
> > default is C:\Windows\Temp.
> >
> > 2. It copies itself to C:\Recycled\Sirc32.exe and
> > %System%\Scam32.exe.
> >
> > NOTE: %System% is also a variable. The worm will locate the \System
> > folder (by default this is C:\Windows\System) and copy itself to that
> > location.
> >
> > 3. It adds the value
> >
> > Driver32=%System%\scam32.exe
> >
> > to the following registry key:
> >
> > HKEY_LOCAL_MACHINE\SOFTWARE\
> > Microsoft\Windows\CurrentVersion\RunServices
> >
> > 4. It creates the following registry key:
> >
> > HKEY_LOCAL_MACHINE\Software\SirCam
> >
> > with the following values:
> > a.. FB1B - Stores the file name of the worm as stored in the
> > Recycled directory.
> > b.. FB1BA - Stores the SMTP IP address.
> > c.. FB1BB - Stores the email address of the sender.
> > d.. FC0 - Stores the number of times the worm has executed.
> > e.. FC1 - Stores what appears to be the version number of the
> > worm.
> > f.. FD1 - Stores the file name of worm that has been executed,
> > without the suffix.
> > g.. FD3 - Stores a value corresponding to the current state of the
> > worm.
> > h.. FD7 - Stores the number of mails that have been sent prior to
> > any interruption of this process.
> >
> > 5. The (Default) value of the registry key
> >
> > HKEY_CLASSES_ROOT\exefile\shell\open\command
> >
> > is set to
> >
> > C:\recycled\sirc32.exe "%1" %*"
> >
> > This enables the worm to execute itself any time that an .exe file
> > is run.
> >
> > 6. The worm is network aware, and it will enumerate the network
> > resources to infect shared systems. If any are found, it will do the
> > following:
> > a.. Attempt to copy itself to <Computer>\Recycled\Sirc32.exe
> > b.. Add the line "@win \recycled\sirc32.exe" to the file
> > <Computer>\Autoexec.bat
> > c.. Copy <Computer>\Windows\Rundll32.exe to
> > <Computer>\Windows\Run32.exe
> > d.. Replace <Computer>\Windows\rundll32.exe with
> > C:\Recycled\Sirc32.exe
> >
> > 7. There is a 1 in 33 chance that the following actions will occur:
> > a.. The worm copies itself from C:\Recycled\Sirc32.exe to
> > %Windows%\Scmx32.exe
> > b.. The worm copies itself as "Microsoft Internet Office.exe" to
> > the folder referred to by the registry key:
> >
> > HKEY_CURRENT_USER\Software\Microsoft\
> > Windows\CurrentVersion\Explorer\
> > Shell Folders\Startup
> >
> > 8. There is a 1 in 20 chance that on October 16th of any year, the
> > worm will recursively delete all files and folders on the C drive.
> > This payload functions only on computers which use the date format
> > D/M/Y (as opposed to M/D/Y or similar formats).
> >
> > Additionally, the payload will always activate immediately,
> > regardless of date and date format, if the file attached to the worm
> > contains the sequence "FA2" without the letters "sc" following immediately.
> >
> > 9. If this payload activates, the file C:\Recycled\Sircam.sys is
> > created and filled with text until there is no remaining disk space. The
> > text is one of two strings:
> > a.. [SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
> > or
> > b.. [SirCam Version 1.0 Copyright © 2000 2rP Made in / Hecho en -
> > Cuitzeo, Michoacan Mexico]
> >
> > 10. The worm contains its own SMTP engine which is used for the
> > email routine. It obtains email addresses through two different methods:
> >
> > a.. It searches the folders that are referred to by the registry
> > keys
> >
> > HKEY_CURRENT_USER\Software\Microsoft\
> > Windows\CurrentVersion\Explorer\
> > Shell Folders\Cache
> >
> > and
> >
> > HKEY_CURRENT_USER\Software\Microsoft\
> > Windows\CurrentVersion\Explorer\
> > Shell Folders\Personal
> >
> > for sho*., get*., hot*., *.htm files, and copies email addresses
> > from there into the file %system%\sc?1.dll
> >
> > where ? is a different letter for each location, as follows:
> >
> > a.. scy1.dll: addresses from %cache%\sho*., hot*., get*.
> > b.. sch1.dll: addresses from %personal%\sho*., hot*., get*.
> > c.. sci1.dll: addresses from %cache%\*.htm
> > d.. sct1.dll: addresses from %personal%\*.htm
> >
> > b.. It searches %system% and all subfolders for *.wab (all Windows
> > Address Books) and copies addresses from there into %system%\scw1.dll.
> >
> > 11. It searches the folders referred to by the registry keys:
> >
> > HKEY_CURRENT_USER\Software\Microsoft\
> > Windows\CurrentVersion\Explorer\
> > Shell Folders\Personal
> >
> > and
> >
> > HKEY_CURRENT_USER\Software\Microsoft\
> > Windows\CurrentVersion\Explorer\
> > Shell Folders\Desktop
> >
> > for files of type .doc, .xls, and .zip, and stores the filenames in
> > %system%\scd.dll. One of these files will be appended to the worm's original
> > executable and this new file will be sent as the email attachment.
> >
> > The From: email address and mail server are taken from the registry.
> > If no email account exists, then the current user name will be prepended to
> > "prodigy.net.mx", e.g. if the current user logged on as JSmith, then the
> > address will be "[EMAIL PROTECTED]". Then the worm will attempt to
> > connect to a mail server. This will be either the mail server taken from the
> > registry, or one of
> >
> > a.. prodigy.net.mx
> > b.. goeke.net
> > c.. enlace.net
> > d.. dobleclick.com.mx
> >
> > The language used for the mail depends on the language used by the
> > sender. If the sender uses Spanish, then the mail will be in Spanish,
> > otherwise it will be in English. The attachment is chosen randomly from the
> > list of files in the scd.dll.
> >
> >
> >
> >
> > Removal instructions:
> >
> > SARC has created a tool to remove this worm.
> >
> > CAUTION:
> >
> > a.. In some cases, if you have had NAV quarantine or delete infected
> > files, you will not be able to run .exe files, however you will still be
> > able to run the removal tool.
> > b.. If you are using Windows Me, and a copy of the worm is detected
> > in the _Restore folder when running the tool, the tool cannot remove it from
> > that folder, as it is protected by Windows. See the document Cannot repair,
> > quarantine, or delete a virus found in the _RESTORE folder, and then run the
> > tool again.
> > c.. If you are on a network, or have a full time connection to the
> > Internet, disconnect the computer from the network and the Internet. Disable
> > or password protect file sharing before reconnecting computers to the
> > network or to the internet. Because this worm spreads by using shared
> > folders on networked computers, to ensure that the worm does not reinfect
> > the computer after it has been removed, Symantec suggests sharing with
> > read-only access or using password protection. For instructions on how to do
> > this, see your Windows documentation or the document How to configure shared
> > Windows folders for maximum network protection.
> >
> > IMPORTANT: Do not skip this step. You must disconnect from the
> > network before attempting to remove this worm.
> >
> > d.. If a computer was infected more than once, as can happen when
> > using shared folders across a network, the Run32.exe file will have been
> > overwritten with an infected copy of the Rundll32.exe. If you see more than
> > one entry of "@win \recycled\sirc32.exe" when performing the steps in the
> > section "To edit the Autoexec.bat file", do not attempt to rename the file.
> > Instead, you must delete the Run32.exe and the Rundll32.exe files and then
> > extract a new copy of Rundll32.exe from a clean back up or from the Windows
> > installation CD. See your Windows documentation for information on how to do
> > this.
> >
> >
> > To obtain the W32.Sircam.Worm@mm removal tool, please click here.
> >
> >
> > Manual Removal
> > If for any reason you cannot use or obtain the W32.Sircam.Worm@mm
> > removal tool, you must remove this worm manually. To do this, you must:
> >
> > a.. Undo the change that it made to the registry key
> > HKEY_CLASSES_ROOT\exefile\shell\open\command
> > b.. Delete any files detected as W32.Sircam.Worm@mm.
> > c.. Use Windows Explorer to remove Sircam.sys (if it exists) from
> > the Windows Recycle Bin.
> > d.. Remove the entry (if it exists) that the worm made to the file
> > Autoexec.bat. (This will only be present if the worm has spread across a
> > network.)
> > e.. If the file \Windows\Run32.exe exists, rename it back to
> > \Windows\Rundll32.exe
> > See the sections that follow for detailed instructions.
> >
> > NOTE: If you are on a network, or have a full time connection to the
> > Internet, disconnect the computer from the network and the Internet. Follow
> > the removal procedure on all computers, including the server. Disable or
> > password protect file sharing before reconnecting computers to the network
> > or to the internet.
> >
> > CAUTION: Do not skip this step. You must disconnect from the network
> > before attempting to remove this worm.
> >
> >
> > To edit the registry:
> > The worm modifies the registry such that an infected file is executed
> > every time that you run a .exe file. Follow these instructions to fix this.
> >
> > Copy Regedit.exe to Regedit.com:
> > Because the worm modified the registry so that you cannot run .exe
> > files, you must first make a copy of the Registry Editor as a file with the
> > .com extension, and then run that.
> >
> > 1. Do one of the following, depending on which operating system you
> > are running:
> > a.. Windows 95/98 users: Click Start, point to Programs, and click
> > MS-DOS Prompt.
> > b.. Windows ME users: Click Start, point to Programs, point to
> > Accessories, and then click MS-DOS Prompt.
> > c.. Windows NT/2000 users:
> > 1. Click Start, and click Run.
> > 2. Click Browse, and browse to the \Winnt folder.
> > 3. Double-click the Command.com file, and then click OK.
> >
> > 2. Type the following and then press Enter:
> >
> > copy regedit.exe regedit.com
> >
> > 3. Type the following and then press Enter:
> >
> > start regedit.com
> >
> > 4. Proceed to the section "To edit the registry and remove keys and
> > changes made by the worm" only after you have accomplished the previous
> > steps.
> >
> > NOTE: This will open the Registry Editor in front of the DOS window.
> > After you finish editing the registry and have closed Registry Editor, close
> > the DOS window.
> >
> > To edit the registry and remove keys and changes made by the worm:
> >
> > CAUTION: We strongly recommend that you back up the system registry
> > before making any changes. Incorrect changes to the registry can result in
> > permanent data loss or corrupted files. Please make sure you modify only the
> > keys specified in this document. For more information about how to back up
> > the registry, please read How to back up the Windows registry before
> > proceeding with the following steps. If you are concerned that you cannot
> > follow these steps correctly, then please do not proceed. Consult a computer
> > technician for more information.
> >
> > 1. Navigate to and select the following key:
> >
> > HKEY_CLASSES_ROOT\exefile\shell\open\command
> >
> > CAUTION: The HKEY_CLASSES_ROOT key contains many subkey entries that
> > refer to other file extensions. One of these file extensions is .exe.
> > Changing this extension can prevent any files ending with an .exe extension
> > from running. Make sure you browse all the way along this path until you
> > reach the \command subkey.
> > Do not modify the HKEY_CLASSES_ROOT\.exe key.
> > Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey
> > that is shown in the following figure:
> >
> >
> > <<=== NOTE: This is the key that you need to modify.
> >
> >
> > 2. Double-click the (Default) value in the right pane.
> > 3. Delete the current value data, and then type: "%1" %* (That is,
> > type the following characters:
> > quote-percent-one-quote-space-percent-asterisk.)
> >
> > NOTE: On Win9x and WinNT systems, the Registry Editor will
> > automatically enclose the value within quotation marks. When you click OK,
> > the (Default) value should look exactly like this: ""%1" %*" On Win2k
> > systems, the additional quotation marks will not appear. On Win2k systems,
> > the (Default) value should look exactly like this: "%1" %*
> >
> > 4. Make sure you completely delete all value data in the command key
> > prior to typing the correct data. If a space is left accidentally at the
> > beginning of the entry, any attempt to run program files will result in the
> > error message, "Windows cannot find .exe." or "Cannot locate C:\ <path and
> > file name>."
> > 5. Navigate to and select the following key:
> >
> > HKEY_LOCAL_MACHINE\Software\SirCam
> >
> > CAUTION: Make sure that you go all the way down to the SirCam key,
> > and that it is selected. It will look similar to the following figure:
> >
> >
> >
> > 6. With the SirCam key selected, press Delete and then click Yes to
> > confirm. This will delete the key and all of its subkeys. Since this key
> > was created by the worm it can be safely deleted.
> > 7. Navigate to and select the following key:
> >
> > HKEY_LOCAL_MACHINE\Software\
> > Microsoft\Windows\CurrentVersion\RunServices
> >
> > 8. In the right pane, look for and select the value
> >
> > Driver32.
> >
> > 9. Press Delete, and then click Yes to confirm.
> >
> >
> > To remove the worm:
> > 1. Run LiveUpdate to make sure that you have the most recent virus
> > definitions.
> > 2. Start Norton AntiVirus (NAV), and run a full system scan, making
> > sure that NAV is set to scan all files.
> > 3. Delete any files detected as W32.Sircam.Worm@mm.
> >
> > NOTE: If you are using Windows Me, and a copy of the worm is
> > detected in the _Restore folder, NAV cannot remove it from that folder, as
> > it is protected by Windows. See the document Cannot repair, quarantine, or
> > delete a virus found in the _RESTORE folder.
> >
> > To empty the Recycle Bin:
> > Because of the way that files are placed there in this case, you
> > cannot just click Empty Recycle Bin as you would with files that are deleted
> > in the normal manner. Instead, use Windows Explorer to delete the file
> > C:\Recycled\Sircam.sys if it is present.
> >
> > To edit the Autoexec.bat file:
> > 1. Click Start, and click Run.
> > 2. Type the following, and then click OK.
> >
> > edit c:\autoexec.bat
> >
> > The MS-DOS Editor opens.
> >
> > 3. Remove the line "@win \recycled\sirc32.exe" if it is present.
> >
> > CAUTION: If you see more than one entry of "@win
> > \recycled\sirc32.exe" in the Autoexec.bat file, it means that the computer
> > was infected more than once. Because of this, the Run32.exe file will have
> > been overwritten with an infected copy of the Rundll32.exe. As a result, you
> > will not be able to rename the file to recover it as directed in the next
> > section.
> >
> >
> > 4. Click File and then click Save.
> > 5. Exit the MS-DOS Editor
> >
> > To rename the Run32.exe file:
> > If this file exists, it should be renamed back to its original name.
> >
> > CAUTION: If a computer was infected more than once, as can happen when
> > using shared folders across a network, the Run32.exe file will have been
> > overwritten with an infected copy of the Rundll32.exe. If you saw more than
> > one entry of "@win \recycled\sirc32.exe" when performing the steps in the
> > previous section, do not attempt to rename the file. Instead, you must
> > delete the Run32.exe and the Rundll32.exe files and then extract a new copy
> > of Rundll32.exe from a clean back up or from the Windows installation CD.
> > See your Windows documentation for information on how to do this.
> >
> > 1. Click Start, point to Find or Search, and then click Files or
> > Folders.
> > 2. Make sure that "Look in" is set to (C:) and that Include
> > subfolders is checked.
> > 3. In the "Named" or "Search for..." box, type--or copy and
> > paste--the following file names:
> >
> > run32.exe
> >
> > 4. Click Find Now or Search Now.
> > 5. Right-click the Run32.exe file and then click Rename.
> > 6. Rename it to:
> >
> > rundll32.exe
> >
> > 7. Press Enter.
> >
> >
> >
> > Additional information:
> >
> > Configure Windows for maximum protection
> > Because this virus spreads by using shared folders on networked
> > computers, to ensure that the virus does not reinfect the computer after it
> > has been removed, Symantec suggests sharing with read-only access or using
> > password protection. For instructions on how to do this, see your Windows
> > documentation or the document How to configure shared Windows folders for
> > maximum network protection.
> >
> >
> >
> >
> >
> > Write-up by: Peter Ferrie and Peter Szor
> >
> >
> >
> >
> >
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
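The forwarded writeup lists a fixed set of host indicators (the exefile
shell\open\command hijack, the RunServices "Driver32" value, the
HKLM\Software\SirCam state key, the dropped files under C:\Recycled and
%System%, the sc?1.dll / scd.dll harvest caches, the Autoexec.bat line and the
renamed Run32.exe) and a manual removal order. The script below, added here as
an example and not part of the SARC writeup, Symantec's removal tool, or the
list post above, turns that indicator list into a single host check with an
optional repair of the registry changes. Everything about it that is not in
the writeup is an assumption: the -Repair switch and $findings variable are
mine; %System% is mapped to the modern System32 folder and %Windows% to
$env:WINDIR, whereas the writeup describes Windows 9x/Me paths (and notes the
worm does not replicate on NT/2000, so on a modern host this is an
illustration of converting a writeup's IOCs into a check rather than a
removal you should expect to need); and file deletion is deliberately left to
the operator because, as the writeup says, Rundll32.exe may have to be
restored from clean media rather than renamed. Run it from an elevated
session after disconnecting the machine from the network, as the writeup
insists.

```powershell
# Added example: check a host for the W32.Sircam indicators listed in the
# SARC writeup and, with -Repair, undo the registry changes it describes.
# Not Symantec's tool. Paths assume a modern Windows layout (assumption:
# %System% -> System32, %Windows% -> $env:WINDIR). -Repair is my own switch.
param([switch]$Repair)

$system = [Environment]::GetFolderPath('System')   # stands in for %System%
$windir = $env:WINDIR                               # stands in for %Windows%
$findings = @()

# 1. exefile hijack: worm sets (Default) to  C:\recycled\sirc32.exe "%1" %*
#    The clean value is  "%1" %*  (quote-percent-one-quote-space-percent-asterisk).
$cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
if ($cmd -and $cmd -notmatch '^"%1" %\*$') {
    $findings += "exefile\shell\open\command is '$cmd' (expected '""%1"" %*')"
    if ($Repair) { Set-ItemProperty -Path $cmdKey -Name '(default)' -Value '"%1" %*' }
}

# 2. RunServices persistence: Driver32=%System%\scam32.exe
#    (RunServices exists only on Win9x/Me; on NT-based hosts this is simply absent.)
$runSvc = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
$drv = (Get-ItemProperty -Path $runSvc -ErrorAction SilentlyContinue).Driver32
if ($drv) {
    $findings += "RunServices\Driver32 = $drv"
    if ($Repair) { Remove-ItemProperty -Path $runSvc -Name 'Driver32' }
}

# 3. Worm state key (FB1B, FC0, FD7 ... values); safe to delete whole.
$stateKey = 'HKLM:\SOFTWARE\SirCam'
if (Test-Path $stateKey) {
    $findings += "$stateKey exists"
    if ($Repair) { Remove-Item -Path $stateKey -Recurse }
}

# 4. Dropped copies and payload/harvest files named in the writeup.
$startup = [Environment]::GetFolderPath('Startup')
$files = @(
    'C:\Recycled\sirc32.exe',
    'C:\Recycled\sircam.sys',
    "$system\scam32.exe",
    "$windir\scmx32.exe",
    "$windir\run32.exe",          # original rundll32.exe, renamed by the worm
    "$system\scd.dll",            # list of .doc/.xls/.zip candidates to exfiltrate
    (Join-Path $startup 'Microsoft Internet Office.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}
# Address caches scy1/sch1/sci1/sct1/scw1.dll all match sc?1.dll.
Get-ChildItem -Path $system -Filter 'sc?1.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "address cache present: $($_.FullName)" }

# 5. Autoexec.bat line written during network spread. More than one hit means
#    the host was infected repeatedly and Run32.exe is not a clean rundll32.exe.
if (Test-Path 'C:\autoexec.bat') {
    $hits = @(Select-String -Path 'C:\autoexec.bat' -SimpleMatch -Pattern '@win \recycled\sirc32.exe')
    if ($hits.Count -gt 1) {
        $findings += "autoexec.bat: $($hits.Count) sirc32 entries; do NOT rename Run32.exe, restore rundll32.exe from clean media"
    } elseif ($hits.Count -eq 1) {
        $findings += 'autoexec.bat: 1 sirc32 entry; remove it, then rename Run32.exe back to rundll32.exe'
    }
}

if ($findings.Count -eq 0) { 'No W32.Sircam indicators found.' } else { $findings }
```

Running it without -Repair only reports; with -Repair it reverts the three
registry changes in the same order the writeup's manual procedure uses
(exefile command first, so .exe files run again, then the SirCam key, then the
RunServices value) and still leaves file deletion and the Run32.exe decision
to you, since the writeup's own caution is that a host infected more than
once has an infected Rundll32.exe that must be replaced, not renamed.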