Virus Alert! W32/Sircam spreading fast! (7/22/01)

Answer

This question was answered on July 22, 2001. Much of the information contained herein may have changed since posting.

A virus/worm program first identified on July 18th under the names W32/Sircam-A, W32.Sircam.Worm@mm, W32/SirCam@mm and Backdoor.SirCam has apparently been spreading in great numbers over the last couple of days.

We have received confirmation of infected messages being received from multiple sources including the mail systems of both AnalogX.com and WebAttack.com.

The worm spreads via email and is a network-aware worm using open network shares, which could account for its quick spread. The worm arrives in an email with a random subject and body text. The attached filename is also randomly chosen, but it has a double extension (for instance, .doc.com or .mpg.pif).

When a recipient opens this attachment, his system gets infected and then the included document is displayed. This way the worm's activity is disguised. Messages sent by the worm look like this:

Subject: Document file name (without extension)

From: [user_of_infected_machine@prodigy.net.mx]

To: [random@email.from.address.book]

The messages can change, but they always have the following opening:

Hi! How are you?

and the following closing:

See you later! Thanks

According to Virus.com, if the attachment is opened, the worm copies itself into the Windows System directory with the filename scam32.exe. The worm also copies itself as a file called sirc32.exe to the Recycled files directory with its file attributes set to hidden. The worm changes the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32

so that it runs on Windows startup. The registry key:

HKLM\SOFTWARE\Classes\exefile\shell\open\command

is also changed so that the worm runs before any other executable file is opened. If the worm finds any open network share, it will attempt to copy itself into the Windows directory on the machine with an open share, with the filename rundll32.exe. The original rundll32.exe file is renamed to run32.exe. If this is successful, the worm changes the file autoexec.bat so that it includes a command to run the worm file previously dropped to the Windows directory.
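The file, registry and autoexec.bat changes described above are the indicators a support technician would check for when triaging a machine. The following script is an added example (not code from the original column or from any anti-virus vendor) that runs those checks offline against a constructed registry export, a constructed directory listing and a constructed autoexec.bat. It assumes a Windows 9x-style layout (C:\WINDOWS, C:\WINDOWS\SYSTEM, C:\Recycled) and assumes the stock value of the exefile open command is `"%1" %*`; the sample data is made up for illustration.

```python
"""Offline triage for the W32/Sircam indicators named in the column.

Assumptions (not from the original text): Windows directory is C:\\WINDOWS,
System directory is C:\\WINDOWS\\SYSTEM, Recycle Bin is C:\\Recycled, and the
stock data of exefile\\shell\\open\\command is "%1" %*.
"""
import re

RUNSERVICES_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
EXEFILE_OPEN_KEY = r"HKLM\SOFTWARE\Classes\exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'          # assumed stock value

# Files the worm drops, per the column (paths are an assumption about layout).
DROPPED_FILES = (r"c:\windows\system\scam32.exe", r"c:\recycled\sirc32.exe")
RENAMED_ORIGINAL = r"c:\windows\run32.exe"  # original rundll32.exe after rename


def _norm_key(key):
    """Case- and whitespace-insensitive registry path, with HKLM expanded form folded."""
    key = re.sub(r"\s+", "", key).lower()
    return key.replace("hkey_local_machine", "hklm")


def parse_reg_export(text):
    """Parse a minimal REGEDIT4-style export into {normalised_key: {value_name: data}}.
    Only string values are handled; '@' is the key's default value."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _norm_key(line[1:-1])
            reg.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?P<name>[^"]*)")=(?P<data>.*)$', line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                # Undo .reg escaping: \\ -> \ and \" -> "
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            reg[current][name.lower()] = data
    return reg


def check_registry(reg):
    findings = []
    run = reg.get(_norm_key(RUNSERVICES_KEY), {})
    if "driver32" in run:
        findings.append(f"RunServices\\Driver32 present: {run['driver32']}")
    cmd = reg.get(_norm_key(EXEFILE_OPEN_KEY), {}).get("@")
    if cmd is not None and cmd != CLEAN_EXEFILE_COMMAND:
        findings.append(f"exefile open command changed: {cmd}")
    return findings


def check_files(listing):
    """listing: iterable of (path, set_of_attribute_names) from a directory walk."""
    findings = []
    files = {path.lower(): attrs for path, attrs in listing}
    for path in DROPPED_FILES:
        if path in files:
            tag = " (hidden)" if "hidden" in files[path] else ""
            findings.append(f"dropped file present: {path}{tag}")
    if RENAMED_ORIGINAL in files:
        findings.append("run32.exe in Windows dir: rundll32.exe was renamed (share spread)")
    return findings


def check_autoexec(text):
    # A stock autoexec.bat has no reason to launch rundll32.exe.
    return [f"autoexec.bat launches rundll32.exe: {l.strip()}"
            for l in text.splitlines() if "rundll32.exe" in l.lower()]


def triage(reg_text, listing, autoexec_text):
    reg = parse_reg_export(reg_text)
    return check_registry(reg) + check_files(listing) + check_autoexec(autoexec_text)


# --- Constructed sample data (not captured from a real machine) ---
SAMPLE_REG_INFECTED = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\scam32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\recycled\\sirc32.exe\" \"%1\" %*"
'''
SAMPLE_REG_CLEAN = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''
SAMPLE_LISTING_INFECTED = [
    (r"C:\WINDOWS\rundll32.exe", set()),
    (r"C:\WINDOWS\run32.exe", set()),
    (r"C:\WINDOWS\SYSTEM\scam32.exe", set()),
    (r"C:\Recycled\sirc32.exe", {"hidden"}),
]
SAMPLE_LISTING_CLEAN = [(r"C:\WINDOWS\rundll32.exe", set())]
SAMPLE_AUTOEXEC_INFECTED = "@ECHO OFF\r\n@win \\recycled\\sirc32.exe\r\n@C:\\WINDOWS\\rundll32.exe\r\n"
SAMPLE_AUTOEXEC_CLEAN = "@ECHO OFF\r\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"

if __name__ == "__main__":
    for f in triage(SAMPLE_REG_INFECTED, SAMPLE_LISTING_INFECTED, SAMPLE_AUTOEXEC_INFECTED):
        print("FINDING:", f)
```

On a real machine the three inputs would come from a `regedit /e` export, a recursive directory listing with attributes, and the contents of C:\autoexec.bat; the parser deliberately matches keys with whitespace removed so the `Run Services` spelling that circulates in some write-ups still resolves to the same key. A clean machine should produce no findings at all, which is what makes this usable as a quick pass/fail check.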

The worm contains its own SMTP routine, which is used to send email messages to email addresses found in the Windows address book and the temporary internet folder, where cached internet files are kept.

This worm is also spreading in a Spanish version. If the default language is Spanish, the first line of the message will be

"Holla como estas ?"

and the last one will be

"Nos vemos pronto, gracias."

Anyone who has been infected by this worm is also exposed to its additional payload: on 16 October there is a 1 in 20 chance that the worm will attempt to delete all files from the hard drive.

All major anti-virus manufacturers have posted updates to protect against this worm, so please update your anti-virus program if you have not done so in the last week!

A very specific technical explanation and removal instructions have been posted at the SARC website: http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html

For our previously posted information on e-mail virus safety, go to:

http://computerproblems.com/allcolumns.cfm?columnID=41

Author

Posted by Ken of Data Doctors on July 22, 2001
