Automated PC Solutions
VACM - Virus Alerts for the Common Man
We have started getting reports from our subscribers that the
SirCam email virus is making the rounds. This is a bad one!
VERY HIGH RISK...
The SirCam virus is now the #1 virus on many of the antivirus
makers lists. It is a very devious and quite dangerous email
virus.
The Bottom Line
----------------------------
SirCam will typically come from someone you know, since it
emails itself to everyone in your address book in order to
spread itself.
It arrives with a random subject and a random file attachment.
If you run the attachment, you get infected. From then on,
SirCam searches your system for a randomly selected file
in "My Documents" which it then emails to everyone in your
address book. By attaching randomly chosen documents to
itself, the worm could share confidential information with
others.
There is also a 1 in 20 chance that it will
try to delete all your files.
SirCam is also "network aware", which means that if your
PC is on a network and you open the SirCam attachment, you will
not only infect your own PC, but any other PCs on your network
that SirCam can write to! This virus works with any email
program... not just Outlook (as so many viruses have done).
If You Actually Got Infected By SIRCAM...
------------------------------------------------
There are removal instructions at the end of this email.
However, there is also a SirCam removal tool at the Symantec
web site. Unfortunately, their servers are not keeping
up with the demand very well and you will probably have
a hard time getting to the page with the removal tool on it.
The Symantec tool is here:
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html
If you have trouble downloading from Symantec, we have a
copy of the file on our FTP server, here:
fixsirc.com
What You Should Do...
---------------------------
Remove the virus with the removal tool or manually remove
it.
Update your antivirus software and do a full scan of your
system.
You can ignore the rest of this message unless you want a little
more detail on SirCam...
Additional Info...
---------------------------
Robert Vamosi reports that the body of
the e-mail will always begin with
"Hi! How are you?" and end with "See you later. Thanks."
In between these opening and closing lines will be one of the following:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for
If you double-click on the attached file, SirCam will copy itself
to the Windows System directory with the name scam32.exe.
The worm changes the Windows registry key so that it always
launches upon system startup. The worm will check to see if
there are any open shares on a network and if so, SirCam
will copy rundll32.exe to the system, renaming the
existing rundll32.exe to run32.exe.
SirCam contains its own e-mail capabilities using SMTP (similar
to a feature found in the Magistr virus).
SirCam also spreads among open file shares on a networked
system (in other words, if you can access other directories
on other machines, that's an open file share). Antivirus
vendors are suggesting that many more people will be exposed
to SirCam via open networks than through e-mail. It is
possible that individual computers on a shared network could
become infected multiple times until all instances of the
worm are removed from the shared network.
---------------------------------------------
+ Remove It Yourself - Instructions
---------------------------------------------
McAfee offers these instructions for manual removal of SirCam.
Note that they are quite complicated for all but an experienced
computer tech person. If you can get the removal tool, that is
much preferred. If not, here you go...
Rename the Windows Registry Editor
****************************************
Click on the Start button.
Highlight Run.
Type in COMMAND and hit the OK button. A window will then appear
with a black background. The last line of text in the window
will look something like C:\Windows> (followed by a blinking cursor).
Type in the following two commands at the prompt, pressing Enter after each:
COPY REGEDIT.EXE REGEDIT.BAT
EXIT
The window will then disappear.
Boot into Safe Mode
****************************************
Shut the computer down so the power is off.
Wait 20 seconds or so.
Turn the computer on and immediately begin pressing the F8 key
on the keyboard, once every second repeatedly. Do this until
the Windows Startup Menu appears. If you get a keyboard
error, press F1 to resume and then continue pressing the
F8 key once every second.
Select Safe Mode from the Windows Startup Menu, then press
the Enter key on the keyboard.
Windows will then boot into Safe Mode.
NOTE: This may take longer than a normal boot.
At the end of the boot process a dialog box will appear
informing you that Windows is in Safe Mode. Click OK on this dialog box.
Windows is now in Safe Mode.
Backup the Registry
****************************************
Click on the Start button.
Click on Run.
Type REGEDIT.BAT in the Open field.
Click the OK button. The Registry Editor window will appear.
Click on the Registry pull-down menu.
Click on Export Registry File.
In the File Name field type "backup" (without the
quotation marks).
In the Save In field be sure that the desktop is selected
(if it is not, click on the pull down menu and select "Desktop").
Select "All" in the Export Range group box.
Click on the Save button. The registry will then be saved.
Click the X in the top right corner to close the Registry Editor.
NOTE: You now have a backup of your Registry saved as "backup"
on your desktop. If you need to restore the Registry you can
double-click on the "backup" file located on the desktop. Once
these instructions are complete and everything is running
properly be sure to delete this backup file by right-clicking
on it then left-clicking on Delete from the pop-up menu that
appears. This will ensure that the old registry is not accidentally
restored once the Trojan has been removed.
Remove the Worm Entries from the Registry
********************************************
As you go through this process, you will be asked to confirm
each change. Make sure that the change is correct, then confirm each change.
Click the Start button.
Click on Run.
Type in REGEDIT.BAT in the Open field.
Click the OK button. The Registry Editor window will appear.
Click on the plus sign next to HKEY_CLASSES_ROOT.
Click on the plus sign next to exefile.
Click on the plus sign next to shell.
Click on the plus sign next to open.
Single-click on command so it is highlighted.
On the right side of the screen is a Name column and a Data
column. Locate and right-click on (Default) under the Name column.
A pop-up menu will appear. Left-click on Modify.
The Edit String dialog box will appear with the value
highlighted. Delete all text in the Value and type the
following characters (WITHOUT THE BRACKETS): ["%1" %*]
If you are unsure of how the characters should be, the
following is a spelled out version of the correct
characters: quote, percentage, one, quote, space, percentage, asterisk.
Click the OK button to close the Edit String dialog box.
On the left side of the screen click on the minus sign next to open.
Click on the minus sign next to shell.
Click on the minus sign next to exefile.
Click on the minus sign next to HKEY_CLASSES_ROOT.
Click on the plus sign next to HKEY_LOCAL_MACHINE.
Click on the plus sign next to SOFTWARE.
Single click on the SIRCAM folder so it is highlighted, then hit delete.
Click the plus sign next to Microsoft.
Click the plus sign next to Windows.
Click the plus sign next to CurrentVersion.
Single click on the RunServices Folder so it is highlighted.
On the right side of the screen is a Name column and a Data
column. Under the Name column locate and single-click on
Driver32 = C:\WINDOWS\SYSTEM\SCam32.exe so it is highlighted.
Press the Delete key on the keyboard to remove the entry.
Close the Registry Editor by clicking the X in the top right corner.
Remove reference in Autoexec.bat file:
Click Start, and click Run.
Type the following, and then click OK.
edit c:\autoexec.bat
The MS-DOS Editor opens.
Remove the line "@win \recycled\sirc32.exe" if it is present.
Click File and then click Save.
Exit the MS-DOS Editor.
Scan your computer for infected files again.
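A check for the entries the removal steps above target, as an added example that is not part of this alert or of McAfee's instructions: it parses the text of a Registry Editor export (such as the "backup" file the steps have you save) plus autoexec.bat, and reports the exefile open-command hijack, the SOFTWARE\SIRCAM key, the RunServices Driver32 entry and the @win line. The sample exports are constructed, and the hijacked command value in them is an assumption, not a value quoted in the alert.

```python
CLEAN_EXE_COMMAND = '"%1" %*'   # the value the instructions restore
KEY_EXEFILE = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
KEY_SIRCAM = r"HKEY_LOCAL_MACHINE\SOFTWARE\SIRCAM"
KEY_RUNSVC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"   # line the instructions say to remove

def parse_reg(text):
    """Parse string values of a REGEDIT4/5.00 export into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # undo the export's escaping of quotes and backslashes
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def find_sircam(reg_text, autoexec_text=""):
    """Return the indicators found; an empty list means none of the entries is present."""
    keys = parse_reg(reg_text)
    findings = []
    cmd = keys.get(KEY_EXEFILE, {}).get("(Default)")
    if cmd is not None and cmd.strip() != CLEAN_EXE_COMMAND:
        findings.append("exefile open command hijacked: " + cmd)
    if KEY_SIRCAM in keys:
        findings.append("HKLM\\SOFTWARE\\SIRCAM key present")
    for name, data in keys.get(KEY_RUNSVC, {}).items():
        if "scam32.exe" in data.lower():
            findings.append("RunServices entry " + name + " = " + data)
    for line in autoexec_text.splitlines():
        if line.strip().lower() == AUTOEXEC_LINE:
            findings.append("autoexec.bat launches " + line.strip())
    return findings

# Constructed samples; the hijacked command value below is assumed, not quoted from the alert.
SAMPLE_INFECTED = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\SIRCAM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"
'''
SAMPLE_CLEAN = 'REGEDIT4\n[' + KEY_EXEFILE + ']\n@="\\"%1\\" %*"\n'
SAMPLE_AUTOEXEC = "@echo off\n@win \\recycled\\sirc32.exe\n"
```

Run it against an export taken before the manual steps and again after them; the second run should return an empty list.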
****************
The VACM Archive is online here.
Best Regards,
Marc Deschenes, VACM Editor
The VACM Project at
Automated PC Solutions