LHRIC logo TECHNICAL SERVICES
LHRIC logo home | search | contact | Virus Central  
LHRIC logo

Providing timely, reliable & cost-effective technical support 

Virus Central - Detailed

Virus Information

Update: New information about SirCam virus

Name:

W32/SirCam@MM

Aliases:

 

Type:

Virus

Discovery Date:

07/17/2001

Detection:

 

Virus Description:

This virus sends itself, as an executable, to email recipients found in the Windows Address Book and addresses found in cached files. This executable is appended with a document if one is found in MY DOCUMENTS folder. The mailing routine talks SMTP to a server and will use server address found in infected executables. This address is presumably captured from the victim's machine which sent the virus to you. If that server is not in operation, or if relaying is not permitted, the virus attempts to use each of these three servers, stopping when the first successful send occurs.

doubleclick.com.mx
enlace.net
goeke.net

 

E-mail Subject:

[filename (random)]

E-mail Body:

Hi! How are you?
I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for

See you later. Thanks

the same message may be received in Spanish

Hola como estas ?
Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la informaci—n que me pediste
Nos vemos pronto, gracias.

Attachment:

A file from the sender's computer with the extension .bat, .com, .lnk, or .pif added to it.

Virus Effects:

When run, the document will be saved to the C:\RECYCLED folder and then opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder to conceal its presence and creates a registry key value to load itself whenever .EXE files are executed.

The virus searches for .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder and attempts to send copies of these documents to email recipients found in the Windows Address Book and addresses found in cached files.

Removal Instructions:

Rename the Windows Registry Editor
  1. Click on the Start button.
  2. Highlight Run.
  3. Type in COMMAND and hit the OK button. A window will then appear with a black background. The last line of text in the window will look something like C:\Windows> (followed by a blinking cursor).
  4. Type in the following at the prompt: COPY REGEDIT.EXE REGEDIT.BAT EXIT The window will then disappear.
Boot into Safe Mode
  1. Shut the computer down so the power is off.
  2. Wait 20 seconds or so.
  3. Turn the computer on and immediately begin pressing the F8 key on the keyboard, once every second repeatedly. Do this until the Windows Startup Menu appears. If you get a keyboard error, press F1 to resume and then continue pressing the F8 key once every second.
  4. Select Safe Mode from the Windows Startup Menu, then press the Enter key on the keyboard.
  5. Windows will then boot into Safe Mode.
    NOTE: This may take longer than a normal boot.
  6. At the end of the boot process a dialog box will appear informing you that Windows is in Safe Mode. Click OK on this dialog box.
  7. Windows is now in Safe Mode.
Backup the Registry
  1. Click on the Start button.
  2. Click on Run.
  3. Type REGEDIT.BAT in the Open field.
  4. Click the OK button. The Registry Editor window will appear.
  5. Click on the Registry pull-down menu.
  6. Click on Export Registry File.
  7. In the File Name field type "backup" (without the quotation marks).
  8. In the Save In field be sure that the desktop is selected (if it is not, click on the pull down menu and select "Desktop").
  9. Select "All" in the Export Range group box.
  10. Click on the Save button. The registry will then be saved.
  11. Click the X in the top right corner to close the Registry Editor.
NOTE: You now have a backup of your Registry saved as "backup" on your desktop. If you need to restore the Registry you can double-click on the "backup" file located on the desktop. Once these instructions are complete and everything is running properly be sure to delete this backup file by right-clicking on it then left-clicking on Delete from the pop-up menu that appears. This will ensure that the old registry is not accidentally restored once the Trojan has been removed.
Remove the Worm Entries from the Registry
As you go through this process, you will be asked to confirm each change. Make sure that the change is correct, then confirm each change.
  1. Click the Start button.
  2. Click on Run.
  3. Type in REGEDIT.BAT in the Open field.
  4. Click the OK button. The Registry Editor window will appear.
  5. Click on the plus sign next to HKEY_CLASSES_ROOT.
  6. Click on the plus sign next to exefile.
  7. Click on the plus sign next to shell.
  8. Click on the plus sign next to open.
  9. Single-click on command so it is highlighted.
  10. On the right side of the screen is a Name column and a Data column. Locate and right-click on (Default) under the Name column.
  11. A pop-up menu will appear. Left-click on Modify.
  12. The Edit String dialog box will appear with the value highlighted. Delete all text in the Value and type the following characters (WITHOUT THE BRACKETS): ["%1" %*] If you are unsure of how the characters should be, the following is a spelled out version of the correct characters: quote, percentage, one, quote, space, percentage, asterisk.
  13. Click the OK button to close the Edit String dialog box.
  14. On the left side of the screen click on the minus sign next to open.
  15. Click on the minus sign next to shell.
  16. Click on the minus sign next to exefile.
  17. click on the minus sign next to HKEY_CLASSES_ROOT.
  18. Click on the plus sign next to HKEY_LOCAL_MACHINE.
  19. Click on the plus sign next to SOFTWARE.
  20. Single click on the SIRCAM folder so it is highlighted, then hit delete.
  21. Click the plus sign next to Microsoft.
  22. Click the plus sign next to Windows.
  23. Click the plus sign next to CurrentVersion.
  24. Single click on the RunServices Folder so it is highlighted.
  25. On the right side of the screen is a Name column and a Data column. Under the Name column locate and single-click on Driver32 = C:\WINDOWS\SYSTEM\SCam32.exe so it is highlighted.
  26. Press the Delete key on the keyboard to remove the entry.
  27. Close the Registry Editor by clicking the X in the top right corner.
Remove reference in Autoexec.bat file:
  1. Click Start, and click Run.
  2. Type the following, and then click OK.
    edit c:\autoexec.bat
    The MS-DOS Editor opens.
  3. Remove the line "@win \recycled\sirc32.exe" if it is present.
  4. Click File and then click Save.
  5. Exit the MS-DOS Editor
Scan your computer for infected files again.

 

 

Site Last Updated: January 8, 2002
© Copyright 2001,2002 Lower Hudson Regional Information Center (LHRIC).