PPRuNe Forums - View Single Post - BEWARE, YET ANOTHER NASTY VIRUS......
22nd Jul 2001, 16:43
#14
Avtrician

From the VET Virus definition Encyclopedia
Win32.SirCam.137216
Win32.SirCam.137216 is an e-mail worm which sends itself as well as clean documents from an infected machine. The worm arrives in a message which may be either English or Spanish. The English messages appear like this:

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks

The middle is chosen from the following list. However, due to a bug in the worm's random number checking, the first line is always used:

I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

The Spanish message looks like:

Hola como estas ?
Te mando este archivo para que me des tu punto de vista
Nos vemos pronto, gracias.

The middle line is from the following list, but once again only the first line is ever chosen:

Te mando este archivo para que me Des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es El archivo con la información que me pediste

The attachment name is variable, but will have a double extension, for example "SCRIPT.DOC.PIF". The actual extension may be "PIF", "LNK", "BAT", "EXE" or "COM". The subject of the message matches the attachment name, except without the extensions. In the above example the subject would be "SCRIPT".

When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" as well as "SCam32.exe" in the Windows System directory. It modifies two registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32="<Windows System>\SCam32.exe"
HKEY_CLASSES_ROOT\exefile\shell\open\command=""C:\recycled\SirC32.exe" "%1" %*"

The first key causes the worm to run when Windows starts. The second causes the worm to be run whenever any .EXE program is executed. The worm gets a list of .DOC, .XLS and .ZIP files in the "My Documents" folder. It appends one of these files to the end of itself and saves the result to the Recycled folder, adding the second extension to the filename as listed previously. This file is attached to the emails that the worm sends.

The worm may make several copies of itself with different DOC, XLS or ZIP files attached, depending upon what it finds in the "My Documents" folder. It continually sends these copies out to addresses it finds in the Windows address book and Internet cache files, and may send multiple copies to the same address.

The worm also spreads using Windows shared drives. If it finds a share with a "RECYCLED" directory it copies itself into that directory with the name "SirC32.exe". If it finds an "AUTOEXEC.BAT" file on the share it adds the following line to it:

@win \recycled\SirC32.exe

Finally, it looks for "\windows\rundll32.EXE" on the share and replaces it with the worm, renaming the original to "run32.exe". When the worm is executed from "rundll32.exe" it automatically executes the backup file "run32.exe".

The worm contains two payloads. One deletes all files and subdirectories on the hard drive which Windows is installed on (usually C:). The other writes a file called "SirCam.Sys" to the "Recycled" directory. Neither of these payloads is activated under normal circumstances due to the bug in the worm's random number checking. However, they may be activated if one of the worm's files is renamed or modified before being run.

Detection for this worm has been added to the following virus engine/virus signature combination. Install this update or later to ensure protection:

CA Anti-Virus Product             Engine/Signature
InoculateIT 4.x                   26.10
InoculateIT 6.0                   23.44.10
InoculateIT Personal Edition      5.2/1344
VET                               10.3/1344

Once again, looks like taking the trouble to get a good virus detector and installing Zone Alarm can help protect you from others.
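The VET description above gives enough detail to write host-side checks for the worm's indicators: the double-extension attachment whose subject equals the file stem, the fixed lure sentences, the hijacked exefile open command, and the line appended to AUTOEXEC.BAT on shares. The script below is an added example, not code from the post, from PPRuNe or from the VET encyclopedia. The sample mails, registry value and AUTOEXEC.BAT text are constructed inline; the clean default `"%1" %*` for HKCR\exefile\shell\open\command is assumed from Windows 9x/NT behaviour, and matching is done case-insensitively, which the description does not state.

```python
"""Offline checks for the SirCam indicators quoted in the post above.

Added example; not code from the post or the VET encyclopedia. The mails,
registry value and AUTOEXEC.BAT contents below are constructed so the script
runs without a mail server or a Windows registry.
"""
import re

# The attachment's outer extension is what actually runs; a document
# extension sits hidden in the middle (e.g. SCRIPT.DOC.PIF).
RUNNABLE_EXTS = {"pif", "lnk", "bat", "exe", "com"}
DOCUMENT_EXTS = {"doc", "xls", "zip"}

# Lure sentences quoted in the description, lower-cased for comparison
# (the worm's own misspellings and capitalisation are kept as data).
LURE_LINES = {
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la información que me pediste",
}

# Assumed clean default for HKCR\exefile\shell\open\command.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Line the worm appends to AUTOEXEC.BAT on writable shares.
AUTOEXEC_WORM_LINE = re.compile(r"^\s*@?win\s+\\recycled\\sirc32\.exe\s*$", re.IGNORECASE)


def message_indicators(subject, body, attachment):
    """Return the list of SirCam indicators found in one mail (may be empty)."""
    hits = []
    parts = attachment.split(".")
    if len(parts) >= 3:
        stem = ".".join(parts[:-2])
        inner, outer = parts[-2].lower(), parts[-1].lower()
        if outer in RUNNABLE_EXTS and inner in DOCUMENT_EXTS:
            hits.append("double extension %s.%s" % (inner, outer))
            # The worm sets the subject to the attachment name minus both extensions.
            if subject.strip().lower() == stem.lower():
                hits.append("subject equals attachment stem")
    for line in body.splitlines():
        if line.strip().lower() in LURE_LINES:
            hits.append("known lure line: %s" % line.strip())
    return hits


def is_probable_sircam(subject, body, attachment):
    """A double-extension attachment plus at least one more indicator."""
    hits = message_indicators(subject, body, attachment)
    return any(h.startswith("double extension") for h in hits) and len(hits) >= 2


def exefile_hijack(command_value):
    """Return the program prepended to the exefile open command, or None if clean.

    SirCam rewrites the value to '"C:\\recycled\\SirC32.exe" "%1" %*' so the worm
    runs before every .EXE and then passes the original program through as %1.
    """
    value = command_value.strip()
    if value == CLEAN_EXEFILE_COMMAND:
        return None
    m = re.match(r'^"?([^"]+?)"?\s+"%1"\s+%\*$', value)
    # Anything else that is not the clean default is reported whole.
    return m.group(1) if m else value


def autoexec_has_worm_line(autoexec_text):
    """True if AUTOEXEC.BAT contains the '@win \\recycled\\SirC32.exe' line."""
    return any(AUTOEXEC_WORM_LINE.match(line) for line in autoexec_text.splitlines())


# Constructed sample mails: one English lure, one benign, one Spanish lure.
SAMPLE_MAILS = [
    {"subject": "SCRIPT", "attachment": "SCRIPT.DOC.PIF",
     "body": "Hi! How are you?\nI send you this file in order to have your advice\nSee you later. Thanks"},
    {"subject": "Roster July", "attachment": "Roster July.xls",
     "body": "Hi,\nattached is next month's roster.\nCheers"},
    {"subject": "informe", "attachment": "informe.zip.exe",
     "body": "Hola como estas ?\nTe mando este archivo para que me des tu punto de vista\nNos vemos pronto, gracias."},
]


def flagged_subjects(mails=SAMPLE_MAILS):
    """Subjects of the sample mails that look like SirCam."""
    return [m["subject"] for m in mails
            if is_probable_sircam(m["subject"], m["body"], m["attachment"])]


if __name__ == "__main__":
    for m in SAMPLE_MAILS:
        print(m["attachment"], "->", message_indicators(m["subject"], m["body"], m["attachment"]))
    print("hijacked exefile command runs:", exefile_hijack('"C:\\recycled\\SirC32.exe" "%1" %*'))
    print("AUTOEXEC.BAT infected:", autoexec_has_worm_line("@echo off\n@win \\recycled\\SirC32.exe\n"))
```

The exefile check is the one worth keeping in a general toolkit: because the hijacked value still ends in `"%1" %*`, every program appears to launch normally, so the only visible symptom is the extra path in front of `%1`.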