hlywud
Guest
VIRUS ALERT: W32.SirCam.worm
A new virus was discovered last week that has the ability to fill up a user's hard drive, delete files, distribute private documents, hide itself from typical virus scanners, and propagate itself across the Internet using the Microsoft Outlook address book. The Symantec Anti-Virus Research Center (SARC) has ranked the threat of the virus, entitled SirCam, a four, with five being the most serious. The McAfee Anti-Virus Emergency Response Team (AVERT), as well as the Trend Micro Virus Information Center, ranks the virus as a medium threat. The virus usually comes as an e-mail attachment with the file name "SirCam32.exe."
There are several payloads of the virus that randomly occur. One user could actually be a carrier of the virus but never be infected. When you run it, it does three things. The first thing it can do is fill up all the remaining space on the hard disk by adding text to a system file in the Recycle Bin (c:\recycled\sircam.sys) at each startup. The next thing it can do is possibly trigger the machine to delete all the files on the hard drive. Finally, it will export a random document from the hard drive and append it to the body of the virus when it propagates itself to other users. This could present a privacy breach if the document is confidential. Another unusual characteristic of the virus is that when it uploads a file from the hard drive to send to other users, it will append the file name with either .exe, .bat, .tif, .com, or .link. If it uses .link or .bat, the virus will essentially "neuter" itself, ceasing to operate. The virus stores itself in the Microsoft Windows Recycle Bin, where most virus scanners don't scan for viruses.
The SirCam worm arrives as an email message, the subject of which will be random and will be the same as the file name of the email attachment. The attachment is a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.
The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.
English Version:
First line: Hi! How are you?
Last line: See you later. Thanks
Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.
Between these two sentences, some of the following text may appear:
English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for
Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste
When run, the worm creates copies of itself as %TEMP%\ and C:\Recycled\ which contain the attached document. This document is then run using the program registered to handle the specific file type. For example, if it is saved as a file with the .doc extension, it will run using Microsoft Word or Wordpad. A file with the .xls extension will open in Excel, and one with the .zip extension will open in your default zip program, such as WinZip.
Full details and a technical write up and removal instructions can be found through the following link.
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
All users should ensure their workstations are free of this virus and that their virus definitions are up-to-date so they are protected from all known viruses. The latest virus definitions can be found through the link above. Users should also exercise care and discretion in opening strange or unusual messages or attachments in notes received from unknown senders.
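The message indicators listed in the post above (fixed first and last lines, an added .bat/.com/.lnk/.pif extension, a subject that repeats the attachment name) can be combined into a mail-filter heuristic. This is an added example, not part of the original post or of any vendor's tool; the function names, the three-indicator threshold and the sample-message builder are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Indicators as listed in the post (compared lower-cased).
GREETINGS = {"hi! how are you?", "hola como estas ?"}
SIGNOFFS = {"see you later. thanks", "nos vemos pronto, gracias."}
ADDED_EXTS = {".bat", ".com", ".lnk", ".pif"}

def sircam_indicators(raw_message: str) -> set[str]:
    """Return the names of the indicators present in one raw e-mail message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = set()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lines = [ln.strip().lower() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0] in GREETINGS:
        hits.add("greeting")
    if lines and lines[-1] in SIGNOFFS:
        hits.add("signoff")
    subject = (msg["Subject"] or "").strip().lower()
    for part in msg.iter_attachments():
        name = PurePosixPath((part.get_filename() or "").lower())
        if name.suffix not in ADDED_EXTS:
            continue
        hits.add("added_extension")
        if len(name.suffixes) >= 2:          # e.g. budget.xls.pif
            hits.add("double_extension")
        # Assumption: the subject may carry the name with or without extensions.
        stems = {name.name, name.stem, PurePosixPath(name.stem).stem}
        if subject in stems:
            hits.add("subject_matches_attachment")
    return hits

def is_suspect(raw_message: str, threshold: int = 3) -> bool:
    """Flag only when several indicators co-occur; the greeting alone is common."""
    return len(sircam_indicators(raw_message)) >= threshold

def constructed_sample(subject: str, body: str, filename: str) -> str:
    """Build a constructed test message with one harmless attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

Requiring several indicators together keeps an ordinary message that merely opens with "Hi! How are you?" from being flagged.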