PPRuNe Forums

PPRuNe Forums (https://www.pprune.org/)
-   Computer/Internet Issues & Troubleshooting (https://www.pprune.org/computer-internet-issues-troubleshooting-46/)
-   -   BEWARE, YET ANOTHER NASTY VIRUS...... (https://www.pprune.org/computer-internet-issues-troubleshooting/33463-beware-yet-another-nasty-virus.html)

lame 20th Jul 2001 13:04

BEWARE, YET ANOTHER NASTY VIRUS......
 
Another nasty virus doing the rounds, normally received from someone you know, "SirCam".......

InFinRetirement 20th Jul 2001 21:44

McAfee are posting 'NO new Alerts' for viruses. There is nothing listed remotely similar to the "SirCam" you quote. Probably a hoax - again...........

TR4A 21st Jul 2001 00:35

Norton AntiVirus Web Site
http://www.symantec.com/avcenter/[email protected]

W32.Sircam.Worm@mm
Discovered on: July 17, 2001
Last Updated on: July 19, 2001 at 06:56:06 PM PDT
SARC has upgraded the threat level of W32.Sircam.Worm@mm from 3 to 4, due to its increased rate of submissions.
W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm.
Also Known As: W32/SirCam@mm, Backdoor.SirCam

Capt Snooze 21st Jul 2001 06:50

InFinRetirement:

Don't know where you are looking, but McAfee listed this one on the same date (17 July 2001) as Norton. (Actually, about an hour and a half earlier :) )

See Virus Info


Snooze

lame 21st Jul 2001 10:30

That is truly odd, as I only found out about it via an alert email from McAfee???????

I immediately updated my McAfee Activeshield with the patch that was available, just passing on the info to help others, ignore it at your peril, it is NOT a hoax........

lame 21st Jul 2001 11:38

Virus Profile

W32/SirCam@MM is a Medium Risk Virus

Virus Name: W32/SirCam@MM
Date Added: 7/17/01 5:20:40 PM


VIRUS FAMILY STATISTICS
Over the Past 30 Days

Virus Name      Infected Files   Scanned Files   % Infected Computers
W32/SirCam@MM   4,929            16,641          0.31


Virus Characteristics:
This mass-mailing virus attempts to send itself and local documents to all users found in the Windows Address Book and email addresses found in temporary Internet cached files (web browser cache).
It may be received in an email message containing the following information:

Subject: [filename (random)]
Body: Hi! How are you?

I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for

See you later. Thanks

--- the same message may be received in Spanish ---

Hola como estas ?

Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste


Nos vemos pronto, gracias.

--- end message ---

Attached will be a document with a double extension (the filename varies). The first extension will be the file type which was prepended by the virus. When run, the document will be saved to the C:\RECYCLED folder and then opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder to conceal its presence and creates the following registry key value to load itself whenever .EXE files are executed:

HKCR\exefile\shell\open\command
\Default="C:\recycled\SirC32.exe" "%1" %*

As the RECYCLE BIN is often on the exclusion list, check your settings to ensure that this directory IS being scanned.

It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and creates the following registry key value to load itself automatically:

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd character of the name appears to be random) in the SYSTEM directory. Email addresses are gathered from the Windows Address Book and temporary Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd character of the name appears to be random) in the SYSTEM directory.

The worm prepends a copy of the files that are named in the SCD.DLL file and attaches this copy to the email messages that it sends via a built-in SMTP server, using one of the following extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment names having double extensions.

The program creates a registry key to store variables for itself (such as a run count, and SMTP information):
HKLM\Software\Sircam

--------------------------------------------------------------------------------

InFinRetirement 21st Jul 2001 11:40

Thanks Snooze, I obviously didn't press the right buttons! Good! Because I was worried that McA had lost the drop on Norton. ;)

PPRuNe Towers 21st Jul 2001 14:42

Here at the Towers we've received that virus 27 times in the last 48 hours, originally in Spanish but latterly the English version.

Usual tag onto the address book dissemination by the look of it.

Also been receiving one which is just a note apparently regarding human physiology. It is a sentence describing the structure of the arm. We received about 6 of those.

Then again - we do get a lot of mail and perhaps someone just wanted to give us a break from our RSI inducing pounding of the keyboards here at the Towers............

info4u 22nd Jul 2001 05:50

Guys! Guys!
SOS--ASAP--HELP PLEASE ASAP.
I am struck with this crap from last night.
I used the Norton anti virus, scanned all files, folders, C drive and also used VOPT to do it. All said no viruses found.
But each time my Outlook Express is opened about 50 to 60 emails of Mail Administrator, Mail system Error emails flood in.

This is a copy of one of the SuperUser that was sent in my email.


MAIL DELIVERY STOPPED FOR YOUR MAIL TO [email protected]

Our viruschecker stopped delivery of this message due to:

./Resume2.doc.lnk: Contains a virus

If you feel this is an error contact [email protected]
within seven days and reference message virus20450
This message has also been sent to the recipient.

What am I to do? Please advise ASAP.
Should I download Zone Alarm / How do I get rid of it? I am not very well versed in this, So a step by step guidance will be VERY APPRECIATED

blackadder 22nd Jul 2001 09:40

Yup, got it 3 times today and twice on Friday.
Thank you Norton for saving me a lot of grief .....

Look for the words;

Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks

BASTARDS! :mad:

CrashDive 22nd Jul 2001 13:49

I had it too, e.g. I got in from a flight at 1am this morning and it looks like the wife had earlier decided to read two new emails sent to me - one started with the ubiquitous "Hi there,.... " and the other with "I send you this file in order to have your advice", and both of which included an attachment.

Now what tipped me off was my ZoneAlarm firewall software asking me if it was ok to allow an application called Sirc32.exe to access the internet ( "Uhm, what the bloody'ell is that ?!" thought I ) - no doubt so that it could make use of its embedded SMTP connectivity to spread itself about to all the contacts in my email list.

Nb. That warning from ZoneAlarm occurred literally as I opened MS-Outlook, as apparently what triggers the virus to run is you running any .exe program.

I then spent the next 10 minutes getting rid of it, via the instructions from Symantec (see below).

Nb. It has not been mentioned above, but the Symantec anti-virus centre reports that there is a 1 in 20 chance that this virus can delete all the files on your C: drive !!!
I'd accordingly highly recommend a good read of: Symantec - Security Updates - W32.Sircam.Worm@mm

Of course, as many of us PPRuNers have each others email address, one can see just why we are all simultaneously experiencing this virus.

Ps. I normally instantly bin all emails with attachments from unknown sources - which is what I subsequently did in this instance - I've also since bollocked the wife about opening emails, and I've also (re)applied passwords to my computer - talk about Pandora's box !

PPs. When / if you get infected by this virus, have a look in C:\Windows\Applog folder for a file with a name like Sirc32 and open it with Notepad / Wordpad and you might be able to see from whose computer the virus was spread to you, or to whom it was trying to send itself next....

Capt PPRuNe 22nd Jul 2001 14:57

I am getting it too but at least I use a Mac and it won't infect my machine but it does cause messages with long attachments to be sent to me.

For heaven's sake, why do people still insist on opening emails with attachments when they don't know who they are from or what they are.

If you ever receive email from someone or an address you don't know and it has an attachment then just delete it. Because of some people not bothering with anti virus software or just being too naive and opening every attachment we now have a serious problem with emails being sent and attached to them are the virus/worm and also some other documents off their computer.

Check your email software for viruses and DO NOT OPEN attachments from anyone if you don't know what it is or have not specifically requested it. Better still, get yourselves a Mac and stop getting attacked by these PC viruses. :mad:

HotDog 22nd Jul 2001 15:18

I got the Spanish version first. Unfortunately I opened the attachment as I have a Spanish friend who often sends me some cartoons in Spanish. Eventually cleared it with McAfee but today another two attacks, one in Spanish and one in English. Both of them I blocked sender which deletes the entire message and the attachment without even opening the message.

Avtrician 22nd Jul 2001 16:43

From the VET Virus definition Encyclopedia
Win32.SirCam.137216
Win32.SirCam.137216 is an e-mail worm which sends itself as well as clean documents from an infected machine. The worm arrives in a message which may be either English or Spanish. The English messages appear like this:

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks

The middle is chosen from the following list. However, due to a bug in the worm's random number checking, the first line is always used:

I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

The Spanish message looks like:

Hola como estas ?
Te mando este archivo para que me des tu punto de vista
Nos vemos pronto, gracias.

The middle line is from the following list, but once again only the first line is ever chosen:

Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste

The attachment name is variable, but will have a double extension, for example "SCRIPT.DOC.PIF". The actual extension may be "PIF", "LNK", "BAT", "EXE" or "COM". The subject of the message matches the attachment name, except without the extensions. In the above example the subject would be "SCRIPT".

When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" as well as "SCam32.exe" in the Windows System directory. It modifies two registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32="<Windows System>\SCam32.exe"
HKEY_CLASSES_ROOT\exefile\shell\open\command=""C:\recycled\SirC32.exe" "%1" %*"

The first key causes the worm to run when Windows starts. The second causes the worm to be run whenever any .EXE program is executed. The worm gets a list of .DOC, .XLS and .ZIP files in the "My Documents" folder. It appends one of these files to the end of itself and saves the result to the Recycled folder, adding the second extension to the filename as listed previously. This file is attached to the emails that the worm sends.

The worm may make several copies of itself with different DOC, XLS or ZIP files attached, depending upon what it finds in the "My Documents" folder. It continually sends these copies out to addresses it finds in the Windows address book and Internet cache files, and may send multiple copies to the same address.

The worm also spreads using Windows shared drives. If it finds a share with a "RECYCLED" directory it copies itself into that directory with the name "SirC32.exe". If it finds an "AUTOEXEC.BAT" file on the share it adds the following line to it:

@win \recycled\SirC32.exe

Finally, it looks for "\windows\rundll32.EXE" on the share and replaces it with the worm, renaming the original to "run32.exe". When the worm is executed from "rundll32.exe" it automatically executes the backup file "run32.exe".

The worm contains two payloads. One deletes all files and subdirectories on the hard drive which Windows is installed on (usually C:). The other writes a file called "SirCam.Sys" to the "Recycled" directory. Neither of these payloads is activated under normal circumstances due to the bug in the worm's random number checking. However, they may be activated if one of the worm's files is renamed or modified before being run.

Detection for this worm has been added to the following virus engine/virus signature combination. Install this update or later to ensure protection:

CA Anti-Virus Product             Engine/Signature
InoculateIT 4.x                   26.10
InoculateIT 6.0                   23.44.10
InoculateIT Personal Edition      5.2/1344
VET                               10.3/1344

Once again, looks like taking the trouble to get a good virus detector and installing Zone Alarm can help protect you from others.
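
The indicators quoted in the McAfee and VET write-ups above (the fixed English/Spanish body lines, a double-extension attachment ending in .BAT/.COM/.EXE/.LNK/.PIF, and a subject equal to the attachment name minus its extensions) turned into a small mail-filter check, as an added example that is not code from PPRuNe, McAfee, Symantec or CA. It assumes the message is available as RFC 822 text; the sample messages, bodies and placeholder addresses are constructed for the example, and a real filter would of course also run a signature scan on the attachment bytes.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# First/last body lines and the "middle" sentences listed in the vendor
# write-ups; matched case-insensitively against the stripped body lines.
OPEN_CLOSE = [
    ("Hi! How are you?", "See you later. Thanks"),
    ("Hola como estas ?", "Nos vemos pronto, gracias."),
]
MIDDLE_LINES = [
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I sendo you",
    "This is the file with the information that you ask for",
    "Te mando este archivo para que me des tu punto de vista",
    "Espero me puedas ayudar con el archivo que te mando",
    "Espero te guste este archivo que te mando",
    "Este es el archivo con la información que me pediste",
]
# <name>.<document ext>.<executable ext>, e.g. SCRIPT.DOC.PIF or Resume2.doc.lnk
DOUBLE_EXT = re.compile(
    r"^(?P<base>.+)\.(?P<inner>[A-Za-z0-9]{1,5})\.(?P<outer>bat|com|exe|lnk|pif)$",
    re.IGNORECASE,
)


def split_double_extension(filename):
    """Return (base, inner, outer) for a double-extension executable name, else None."""
    m = DOUBLE_EXT.match(filename.strip())
    if not m:
        return None
    return m.group("base"), m.group("inner").lower(), m.group("outer").lower()


def body_indicators(text):
    """List the SirCam body indicators present in the message text."""
    lines = {ln.strip().lower() for ln in text.splitlines() if ln.strip()}
    found = []
    for first, last in OPEN_CLOSE:
        if first.lower() in lines and last.lower() in lines:
            found.append(f"fixed opening/closing lines {first!r} ... {last!r}")
    found.extend(f"body line {mid!r}" for mid in MIDDLE_LINES if mid.lower() in lines)
    return found


def analyse(msg):
    """Return {'verdict', 'reasons'} for one parsed message.

    'sircam-like': executable double-extension attachment plus a subject or
    body indicator; 'suspicious-attachment': only the attachment rule fired;
    'clean': nothing fired.
    """
    reasons, attachment_hit, context_hits = [], False, 0
    subject = (msg.get("Subject") or "").strip()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        parts = split_double_extension(name)
        if parts is None:
            continue
        attachment_hit = True
        base, inner, outer = parts
        reasons.append(f"attachment {name!r}: .{inner} name with executable .{outer} extension")
        if subject.lower() == base.lower():
            context_hits += 1
            reasons.append(f"subject {subject!r} equals attachment name minus extensions")
    body_part = msg.get_body(preferencelist=("plain",))
    body_hits = body_indicators(body_part.get_content() if body_part is not None else "")
    context_hits += len(body_hits)
    reasons.extend(body_hits)
    if attachment_hit and context_hits:
        verdict = "sircam-like"
    elif attachment_hit:
        verdict = "suspicious-attachment"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


def analyse_text(raw):
    """Parse RFC 822 text and analyse it."""
    return analyse(email.message_from_string(raw, policy=policy.default))


def build_sample(subject, body, attachment_name=None):
    """Construct a sample message (constructed test data, not a captured worm mail)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"        # placeholder address
    msg["To"] = "recipient@example.invalid"       # placeholder address
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder bytes, not a real attachment", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed samples: two SirCam-shaped mails, one bare double extension, one benign.
SAMPLES = {
    "english_sircam": build_sample("Resume2",
        "Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later. Thanks\n",
        "Resume2.doc.lnk"),
    "spanish_sircam": build_sample("SCRIPT",
        "Hola como estas ?\n\nTe mando este archivo para que me des tu punto de vista\n\nNos vemos pronto, gracias.\n",
        "SCRIPT.DOC.PIF"),
    "double_ext_only": build_sample("Invoice for July", "Please review the attached invoice.\n", "invoice.pdf.exe"),
    "benign": build_sample("Meeting notes", "Notes from today attached.\n", "notes.pdf"),
}


def scan_samples():
    """Map each sample name to its verdict."""
    return {name: analyse_text(raw)["verdict"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = analyse_text(raw)
        print(name, "->", result["verdict"], "|", "; ".join(result["reasons"]))
```

The attachment rule fires on its own for any document-name-plus-executable-extension attachment, which is the general pattern behind this worm's "SCRIPT.DOC.PIF" trick; the body and subject rules only raise the verdict from "suspicious-attachment" to "sircam-like", so a mail that uses the same naming trick with different wording is still flagged for quarantine rather than waved through.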

DX Wombat 23rd Jul 2001 02:06

Earlier today I looked at R&N and followed Crash Dive's advice to check files, fortunately none found. I have just read all the above posts and realise that I was sent the virus but because I did not recognise the sender I did not open it but sent it back to the sender using the "Reply" facility and asking the sender to identify themself before I would open their email. Needless to say I haven't had a reply. The email was sent by "newscafe5" and contained the phrases mentioned earlier in this thread. Thanks everyone, I might have been tempted to open it but your information stopped me. It has now been deleted without being opened and a search shows I am still clear. :eek:

Send Clowns 23rd Jul 2001 03:14

Why do I never get any of these exciting new viruses? I want one, so I can be smug that I don't use Outlook and they never work on Netscape!

lame 23rd Jul 2001 03:41

Send Clowns,

I have not actually received this one yet, I had an alert email from McAfee about it, and immediately updated my McAfee Activeshield, as well as posting this thread.

I have only ever had three viruses come in, all caught by Activeshield BEFORE I opened them.

If you like, next time I get one I will forward it???

:D

Best regards,

"lame"

TimS 24th Jul 2001 17:22

Yep, its out there .....
We just received the following message from Air Vallee (Italy) .....

----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Tuesday, July 24, 2001 12:00 AM
Subject: DO RES SAMPLE


Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks

........

The attachment contained the virus.

With a previous client (and a message and file name - the same as title - that made logical sense) I nearly ignored the company rule to copy to external disc and scan - fortunately I decided on caution at the last moment. Current edition (updated 20JUL) of Norton Antivirus picked it up but was only able to quarantine (unable to fix).

Phew ... Nearly had to sack myself then !!!!

Charlie Foxtrot India 24th Jul 2001 18:05

Bugger, it got me, it came disguised as a request for a student file. Thanks to the good advice on here, I think I've got rid of it by downloading that file thingy. First time around it said I had been unsuccessful in getting rid of the virus, second time around it worked (or said it did)
I dread to think how many of my confidential files have been disseminated. I only realised when one of them bounced back.

So thank you again to all of you clever computer people here on Pprune for showing the way to get rid of it and I promise I won't open strange attachments again!

lame 25th Jul 2001 11:52

McAfee updated this virus on July 23 to the HIGHEST level that they give to a virus, be VERY careful........

They estimate that over 3% of ALL computers are now infected.........

