VIRUS ALERT No.71 -- Friday, July 20, 2001.
 
W32/SirCam@MM

DESCRIPTION - What virus is this?

This is a HIGH RISK virus for consumers that is spread to email recipients found in the Windows Address Book and addresses found in cached files. The infected email can come from addresses that you recognize. Attached is a file with two different extensions. The file name itself varies.

The email message can appear as follows:
    Subject: [filename (random)]
    Body:
        Hi! How are you?
        I send you this file in order to have your advice
        or I hope you can help me with this file that I send
        or I hope you like the file that I sendo you
        or This is the file with the information that you ask for
        See you later. Thanks

        --- the same message may be received in Spanish ---

        Hola como estas ?
        Te mando este archivo para que me des tu punto de vista
        or Espero me puedas ayudar con el archivo que te mando
        or Espero te guste este archivo que te mando
        or Este es el archivo con la información que me pediste
        Nos vemos pronto, gracias.
 

PAYLOAD - What can this virus do?

When run, the document will be saved to the C:\RECYCLED folder and then opened, while the virus copies itself to C:\RECYCLED\SirC32.exe to conceal its presence and creates a registry value that loads it whenever .EXE files are executed.

The virus searches for .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder and attempts to send copies of these documents to email recipients found in the Windows Address Book and addresses found in cached files.

DETECTION AND REMOVAL

How can I detect and remove this virus?

McAfee.com VirusScan and Clinic users, update ActiveShield.

Retail McAfee VirusScan users, get the latest DAT file.

Scan Your System for Infected Files

1. McAfee.com VirusScan Online and Clinic users, perform a Scan.

2. If W32/SirCam@MM is found, use the delete option to remove it.
 
Rename the Windows Registry Editor

Since the worm has set itself to run whenever a .EXE file is executed, the Registry Editor is copied to a batch file and started under that name instead.

1. Click on the Start button.
2. Highlight Run.
3. Type in COMMAND and hit the OK button. A window will then appear with a black background. The last line of text in the window will look something like C:\Windows> (followed by a blinking cursor).
4. Type in the following at the prompt: COPY REGEDIT.EXE REGEDIT.BAT, then type EXIT. The window will then disappear.

Boot into Safe Mode

1. Shut the computer down so the power is off.
2. Wait 20 seconds or so.
3. Turn the computer on and immediately begin pressing the F8 key on the keyboard, once every second repeatedly. Do this until the Windows Startup Menu appears. If you get a keyboard error, press F1 to resume and then continue pressing the F8 key once every second.
4. Select Safe Mode from the Windows Startup Menu, then press the Enter key on the keyboard.
5. Windows will then boot into Safe Mode. NOTE: This may take longer than a normal boot.
6. At the end of the boot process a dialog box will appear informing you that Windows is in Safe Mode. Click OK on this dialog box.
7. Windows is now in Safe Mode.

Backup the Registry

1. Click on the Start button.
2. Click on Run.
3. Type REGEDIT.BAT in the Open field.
4. Click the OK button. The Registry Editor window will appear.
5. Click on the Registry pull-down menu.
6. Click on Export Registry File.
7. In the File Name field type "backup" (without the quotation marks).
8. In the Save In field be sure that the desktop is selected (if it is not, click on the pull-down menu and select "Desktop").
9. Select "All" in the Export Range group box.
10. Click on the Save button. The registry will then be saved.
11. Click the X in the top right corner to close the Registry Editor.

NOTE: You now have a backup of your Registry saved as "backup" on your desktop. If you need to restore the Registry you can double-click on the "backup" file located on the desktop. Once these instructions are complete and everything is running properly be sure to delete this backup file by right-clicking on it then left-clicking on Delete from the pop-up menu that appears. This will ensure that the old registry is not accidentally restored once the Trojan has been removed.

Remove the Worm Entries from the Registry

As you go through this process, you will be asked to confirm each change. Make sure that the change is correct, then confirm each change.

1. Click the Start button.
2. Click on Run.
3. Type in REGEDIT.BAT in the Open field.
4. Click the OK button. The Registry Editor window will appear.
5. Click on the plus sign next to HKEY_CLASSES_ROOT.
6. Click on the plus sign next to exefile.
7. Click on the plus sign next to shell.
8. Click on the plus sign next to open.
9. Single-click on command so it is highlighted.
10. On the right side of the screen is a Name column and a Data column. Locate and right-click on (Default) under the Name column.
11. A pop-up menu will appear. Left-click on Modify.
12. The Edit String dialog box will appear with the value highlighted. Delete all text in the Value and type the following characters (WITHOUT THE BRACKETS): ["%1" %*]
    If you are unsure of how the characters should be, the following is a spelled-out version of the correct characters: quote, percentage, one, quote, space, percentage, asterisk.
13. Click the OK button to close the Edit String dialog box.
14. On the left side of the screen click on the minus sign next to open.
15. Click on the minus sign next to shell.
16. Click on the minus sign next to exefile.
17. Click on the minus sign next to HKEY_CLASSES_ROOT.
18. Click on the plus sign next to HKEY_LOCAL_MACHINE.
19. Click on the plus sign next to SOFTWARE.
20. Single-click on the SIRCAM folder so it is highlighted, then hit Delete.
21. Click the plus sign next to Microsoft.
22. Click the plus sign next to Windows.
23. Click the plus sign next to CurrentVersion.
24. Single-click on the RunServices folder so it is highlighted.
25. On the right side of the screen is a Name column and a Data column. Under the Name column locate and single-click on Driver32 = C:\WINDOWS\SYSTEM\SCam32.exe so it is highlighted.
26. Press the Delete key on the keyboard to remove the entry.
27. Close the Registry Editor by clicking the X in the top right corner.

Scan your computer for infected files again.
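The registry backup exported in the steps above is a plain REGEDIT4 text file, so the three entries this procedure removes can be checked offline before touching the live registry. The following is an added example (not part of the original alert or any McAfee tool): it parses a small constructed export, assumed to mimic an infected machine, and reports the hijacked exefile open command, the SOFTWARE\SirCam key and the RunServices Driver32 value; the exact form of the hijacked command string is an assumption.

```python
import re

# Clean value of the .EXE open command that the removal steps restore.
CLEAN_EXE_COMMAND = '"%1" %*'
EXE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\SirCam"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed sample export (not a real capture); the command string is assumed.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\RECYCLED\\SirC32.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\SirCam]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"
'''

def _unquote(s):
    """Decode a REGEDIT4 quoted string: strip the quotes, unescape \\ and \"."""
    return re.sub(r'\\(.)', r'\1', s[1:-1])

def parse_reg(text):
    """Return {key: {value_name: data}} for string values (keys and names lower-cased)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and '=' in line and line.endswith('"'):
            name, _, data = line.partition('=')
            name = '' if name == '@' else _unquote(name).lower()  # '@' is (Default)
            if data.startswith('"'):                               # string values only
                current[name] = _unquote(data)
    return keys

def check_sircam(reg):
    """Return the list of SirCam registry indicators present in a parsed export."""
    findings = []
    cmd = reg.get(EXE_COMMAND_KEY.lower(), {}).get('')
    if cmd is not None and cmd != CLEAN_EXE_COMMAND:
        findings.append(f'exefile open command hijacked: {cmd}')
    if SIRCAM_KEY.lower() in reg:
        findings.append('HKEY_LOCAL_MACHINE\\SOFTWARE\\SirCam key present')
    driver = reg.get(RUNSERVICES_KEY.lower(), {}).get('driver32')
    if driver is not None:
        findings.append(f'RunServices Driver32 = {driver}')
    return findings

for finding in check_sircam(parse_reg(SAMPLE_EXPORT)):
    print(finding)
```

Run it against the "backup" file exported in the steps above; an empty result after cleanup confirms all three entries are gone.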

ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.




IMPORTANT NOTICE: ALL those who are receiving this advice and find 'FAILED' followed by a 6 or 8 digit figure in the "name" field should be advised that at least once, emails to that address have been received back by us. As the list of subscribers now exceeds 100,000, and since this is a free service, we kindly urge you to become a registered subscriber to this service and ensure delivery by subscribing under a reliable email address. WE REGRET THAT AFTER THIS ISSUE, ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.


DISCLAIMER:

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST

PLEASE ALSO NOTE THE FOLLOWING:

1) You are currently SUBSCRIBED to our mailing list

2) If you are receiving more than one copy of this warning please click here

3) If you DO NOT wish to receive any more of these alerts, please click here

4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be sent to the Webmaster by themselves so that a record of all requests can be kept in case somebody cries "SPAM"! Simply click here and send the email as it appears.

5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY FABIAN ENTERPRISES LTD. AND THERE WILL NEVER BE ANY CHARGE FOR IT.

6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL NEVER BE SOLD, EXCHANGED OR IN ANY WAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.

Fabian Brincat
Webmaster
Fabian Enterprises Ltd.


FABIAN ENTERPRISES LTD.
18-20, MSIDA ROAD,
GZIRA. GZR 1401.
MALTA.
TELEPHONE: (++356) 21 31 32 83 or 21 32 08 45
FAX: (++356) 21 33 80 87
E-MAIL CONTACT
sales@fabian.com.mt

©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.

All Trade names and Trade marks are hereby acknowledged as being the property of the Registered Owners
