TwinTurbo.NET: Nissan 300ZX forum - Here's the Symantec AVCenter writeup on it:

Posted by JaimeZX™ on July 22, 2001 at 10:57 AM

In Reply To: 300ZXENGDRAWING.DOC.BAT - Virus! posted by zippin on July 22, 2001 at 06:12 AM

W32.Sircam.Worm@mm
Discovered on: July 17, 2001
Last Updated on: July 19, 2001 at 06:56:06 PM PDT

SARC has upgraded the threat level of W32.Sircam.Worm@mm from 3 to 4, due to its increased rate of submissions.

W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm.


Also Known As: W32/SirCam@mm, Backdoor.SirCam

Category: Worm

Virus Definitions: July 17, 2001

Threat Assessment:


Wild: Medium
Damage: Medium
Distribution: High

Wild:

Number of infections: 50 - 999
Number of sites: 0 - 2
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate
Damage:

Payload Trigger: October 16th
Payload:
Large scale e-mailing: The worm embeds random documents from the infected PC into itself
Deletes files: 1 in 20 chance of deleting all files and directories on C:. Only occurs on systems using D/M/Y as the date format
Degrades performance: 1 in 33 chance of filling all remaining space on the hard disk by adding text to the file c:\recycled\sircam.sys at each startup
Releases confidential info: It will export a random document from the hard drive by appending it to the body of the worm
Distribution:

Subject of email: Filename of attachment
Shared drives: searches for shared drives and copies itself to those it finds

Technical description:

This worm arrives as an email message with the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the attachment in the email.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.

English Version:
First line: Hi! How are you?
Last line: See you later. Thanks

Between these two sentences, some of the following text may appear:

Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste

English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

The file names under which this threat has been submitted are:

SirC32.exe
Tech Specs and Financials.doc.com
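As an added example (not part of the Symantec writeup or of this post), here is a small Python triage function that flags the message traits described above: the fixed greeting/sign-off pair, a subject that equals the attachment name, and a double extension such as .doc.com. The sample message is constructed for the example; the function takes any raw RFC 822 message text.

```python
import re
from email import message_from_string

# Constructed sample message following the pattern the writeup describes (not a real capture).
SAMPLE_EML = """Subject: Tech Specs and Financials
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks
--b1
Content-Type: application/octet-stream; name="Tech Specs and Financials.doc.com"
Content-Disposition: attachment; filename="Tech Specs and Financials.doc.com"

<attachment bytes omitted>
--b1--
"""

# Fixed first/last lines and attachment shape taken from the writeup above.
OPENERS = {"Hi! How are you?", "Hola como estas ?"}
CLOSERS = {"See you later. Thanks", "Nos vemos pronto, gracias."}
DOUBLE_EXT = re.compile(r"\.(doc|xls|zip)\.(exe|com|bat)$", re.IGNORECASE)

def sircam_indicators(raw_message: str) -> list:
    """Return the Sircam traits found in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw_message)
    subject = (msg["Subject"] or "").strip()
    body_lines, attachments = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", errors="replace")
            body_lines += [ln.strip() for ln in text.splitlines() if ln.strip()]
    hits = []
    if body_lines and body_lines[0] in OPENERS and body_lines[-1] in CLOSERS:
        hits.append("body opens and closes with the Sircam greeting pair")
    for name in attachments:
        if DOUBLE_EXT.search(name):
            hits.append("double-extension attachment: " + name)
        if subject and subject in (name, name.split(".")[0]):
            hits.append("subject equals attachment name: " + name)
    return hits
```

The subject comparison also accepts the attachment name with its extensions stripped, since that is how the subject appears in submitted samples; that is an assumption of this example, not a statement from the writeup.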

When executed, the worm performs the following actions:

1. It creates copies of itself as %TEMP%\ and C:\Recycled\, which contain the attached document. This document is then launched using the program registered to handle the specific file type (for example, if it is saved as a file with the .doc extension, it will run using Microsoft Word or Wordpad. A file with the .xls extension will open in Excel, and one with the .zip extension will open in your default zip program such as WinZip.)

NOTE: The term %TEMP% is the Temp variable, and means that the worm will save itself to the Windows Temp folder, whatever its location. The default is C:\Windows\Temp.

2. It copies itself to C:\Recycled\Sirc32.exe and %System%\Scam32.exe.

NOTE: %System% is also a variable. The worm will locate the \System folder (by default this is C:\Windows\System) and copy itself to that location.

3. It adds the value

Driver32=%System%\scam32.exe

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Windows\CurrentVersion\RunServices

4. It creates the registry key

HKEY_LOCAL_MACHINE\Software\SirCam

with the following values:
FB1B - Stores the file name of the worm as stored in the Recycled directory.
FB1BA - Stores the SMTP IP address.
FB1BB - Stores the email address of the sender.
FC0 - Stores the number of times the worm has executed.
FC1 - Stores what appears to be the version number of the worm.
FD1 - Stores the file name of the worm that has been executed, without the suffix.

5. The (Default) value of the registry key

HKEY_CLASSES_ROOT\exefile\shell\open\command

is set to

C:\recycled\sirc32.exe "%1" %*"

This enables the worm to execute itself any time that an .exe file is run.

6. The worm is network aware, and it will enumerate the network resources to infect shared systems. If any are found, it will do the following:
Attempt to copy itself to \Recycled\Sirc32.exe
Add the line "@win \recycled\sirc32.exe" to the file \Autoexec.bat
Copy \Windows\Rundll32.exe to \Windows\Run32.exe
Replace \Windows\rundll32.exe with C:\Recycled\Sirc32.exe

7. There is a 1 in 33 chance that the following actions will occur:
The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe
The worm copies itself as "Microsoft Internet Office.exe" to the folder referred to by the registry key

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Shell Folders\Startup

8. If this first payload activates, the file C:\recycled\Sircam.sys is created and filled with text until there is no remaining disk space. The text is one of two strings:
[SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
or
[SirCam Version 1.0 Copyright ¬ 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

9. There is a 1 in 20 chance that on October 16th of any year, the worm will recursively delete all files and folders on the C drive:

This payload functions only on computers which use the date format D/M/Y (as opposed to M/D/Y or similar formats).

10. The worm contains its own SMTP server which is used for the email routine. It obtains email addresses through two different methods:
It searches the folder that is referred to by the registry key

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Shell Folders\Startup\Cache

for sho*., get*., hot*., *.htm files, and copies email addresses from there into the file %Windows%\sc??.dll (where ? is a random letter and number).

It searches the entire drive for *.wab (all Windows Address Books) and copies addresses from there.

11. It searches the folders referred to by the registry keys

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Shell Folders\Startup\Personal

and

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Shell Folders\Startup\Desktop

for files of type .doc, .xls, .zip, and .exe. If it finds a match, the corresponding file will be appended to the worm's original executable and this new file will be sent as the email attachment.

12. After 8000 executions, the worm will stop running.
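As an added example (not part of the Symantec writeup or of this post), the following Python function checks a host snapshot for the persistence artefacts listed in steps 3 to 8: the RunServices value, the SirCam state key, the hijacked exefile handler, the dropped copies, and the Autoexec.bat line. The registry, file list and Autoexec.bat contents are constructed inputs standing in for data you would export from the machine; the function itself reads nothing from a live system.

```python
import ntpath

# Constructed host snapshot carrying the artefacts listed in steps 3-8 above (not from a real machine).
# Registry: key path -> {value name: data}; "" is the (Default) value. Key paths compare case-insensitively.
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices": {"Driver32": r"C:\WINDOWS\SYSTEM\scam32.exe"},
    r"HKLM\Software\SirCam": {"FC0": 3, "FC1": "1.0"},
    r"HKCR\exefile\shell\open\command": {"": r'C:\recycled\sirc32.exe "%1" %*'},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders": {"Startup": r"C:\WINDOWS\Start Menu\Programs\StartUp"},
}
SAMPLE_FILES = [r"C:\Recycled\Sirc32.exe", r"C:\WINDOWS\SYSTEM\Scam32.exe", r"C:\WINDOWS\Rundll32.exe"]
SAMPLE_AUTOEXEC = ["@echo off", r"@win \recycled\sirc32.exe"]

# Stock (Default) data for exefile\shell\open\command. Restore this BEFORE deleting sirc32.exe,
# otherwise no .exe will launch once the hijacked handler is gone.
CLEAN_EXEFILE_CMD = '"%1" %*'

def check_sircam(registry, files, autoexec_lines):
    """Return the Sircam persistence indicators present in the snapshot (empty list if clean)."""
    reg = {k.lower(): v for k, v in registry.items()}
    hits = []
    run = reg.get(r"hklm\software\microsoft\windows\currentversion\runservices", {})
    if "scam32.exe" in str(run.get("Driver32", "")).lower():
        hits.append("RunServices Driver32 value points at scam32.exe")
    if r"hklm\software\sircam" in reg:
        hits.append("HKLM\\Software\\SirCam state key present")
    cmd = reg.get(r"hkcr\exefile\shell\open\command", {}).get("", CLEAN_EXEFILE_CMD)
    if cmd.strip() != CLEAN_EXEFILE_CMD:
        hits.append("exefile open command hijacked: " + cmd)
    shell_folders = reg.get(r"hkcu\software\microsoft\windows\currentversion\explorer\shell folders", {})
    startup_copy = ntpath.join(shell_folders.get("Startup", ""), "Microsoft Internet Office.exe").lower()
    known_paths = {r"c:\recycled\sirc32.exe", r"c:\recycled\sircam.sys", startup_copy}
    for f in (p.lower() for p in files):
        if f in known_paths or f.endswith((r"\scam32.exe", r"\scmx32.exe")):
            hits.append("worm copy on disk: " + f)
    for line in autoexec_lines:
        if "sirc32.exe" in line.lower():
            hits.append("Autoexec.bat launch line: " + line)
    return hits
```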

Removal instructions:

To remove this worm, you must:

Delete any files detected as W32.Sircam.Worm@mm.
Empty the Recycle bin to delete Sircam.sys (if it exists).
Remove the entry that it made to the Autoexec.bat file
Revert the change that it made to the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command

See the sections that follow for detailed instructions.

NOTE: If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Follow the removal procedure on all computers, including the server. Disable or password protect file sharing before reconnecting computers to the network or to the internet.


To remove the worm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Sircam.Worm@mm.

To empty the Recycle Bin:
Right-click on the Recycle Bin and

Yo' Friends,


'92TT Stage III½ (RC 555s)
Hi-Flow intake; 3" B&B cat-back w/dual 4.5" tips; JWT ECU;
ICQ 8524599
Mail me!

Jim's Database of Z32 turbocharger upgrades