Discovered on July 17, 2001, the SirCam worm continues to maintain a steady presence. "While some viruses cause a fright then fade away, Sircam continues to haunt users. Months after its release, it's still infecting a significant number of users," said Graham Cluley, senior technology consultant at Sophos Anti-Virus. "It's mind-boggling that people are still getting caught by Sircam. Anti-virus software protects against this worm, and simple, safe computing should negate the threat."
Sircam's infection routine can compromise confidential material on your system, and because the worm hooks the registry entry that launches .EXE files so that it runs every time a program is started, improper removal (deleting the worm file without restoring that entry) can leave the system unable to launch any .EXE, including ordinary program files. The worm also carries a destructive payload (action) which, thankfully, does not appear to work properly. It is intended (but does not appear) to fire on October 16th: in one case out of twenty it deletes the contents of the local drive on which Windows is installed. Separately, on any day of the year, in one case out of fifty the worm creates a file named sircam.sys in the hidden \Recycled\ folder and repeatedly appends text strings to it until the hard drive is filled to capacity.
According to F-Secure, the SirCam worm spreads via email whose message body is built from the following lines (a greeting, one of four middle lines, and a closing):
'Hi! How are you?'
'I send you this file in order to have your advice'
(or) 'I hope you can help me with this file that I send'
(or) 'I hope you like the file that I sendo you'
(or) 'This is the file with the information that you ask for'
'See you later. Thanks'
A Spanish version of the email has also been discovered with the following message bodies:
'Hola como estas ?'
'Te mando este archivo para que me des tu punto de vista'
(or) 'Espero me puedas ayudar con el archivo que te mando'
(or) 'Espero te guste este archivo que te mando'
(or) 'Este es el archivo con la información que me pediste'
'Nos vemos pronto, gracias.'
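The fixed body template above is what a mail gateway can key on. The following is an added example, not code from the original article or from F-Secure: a small Python matcher that checks whether a message body has the SirCam shape (greeting, exactly one of the four middle lines, closing) in either language, tolerating blank lines and whitespace changes. The sample messages at the bottom are constructed for the demo and are not captured mail.

```python
"""Heuristic matcher for the SirCam e-mail body template.

Added example, not code from the original article or from F-Secure.
The template strings are the ones quoted in the article; the sample
messages at the bottom are constructed for the demo.
"""
import re

# Body structure reported by F-Secure: a greeting line, one of four
# "middle" lines, and a closing line, in either English or Spanish.
SIRCAM_TEMPLATES = {
    "en": {
        "greeting": "Hi! How are you?",
        "middle": (
            "I send you this file in order to have your advice",
            "I hope you can help me with this file that I send",
            "I hope you like the file that I sendo you",
            "This is the file with the information that you ask for",
        ),
        "closing": "See you later. Thanks",
    },
    "es": {
        "greeting": "Hola como estas ?",
        "middle": (
            "Te mando este archivo para que me des tu punto de vista",
            "Espero me puedas ayudar con el archivo que te mando",
            "Espero te guste este archivo que te mando",
            "Este es el archivo con la información que me pediste",
        ),
        "closing": "Nos vemos pronto, gracias.",
    },
}


def _norm(line):
    """Collapse whitespace and case so trivial mangling by mail gateways still matches."""
    return re.sub(r"\s+", " ", line).strip().lower()


def match_sircam_body(body):
    """Return (language, middle_line) if the body follows the SirCam template, else None.

    Blank lines are ignored; the first non-blank line must be the greeting,
    the last the closing, and one line in between must be a known middle line.
    """
    lines = [_norm(l) for l in body.splitlines() if l.strip()]
    if len(lines) < 3:
        return None
    for lang, tpl in SIRCAM_TEMPLATES.items():
        if lines[0] != _norm(tpl["greeting"]) or lines[-1] != _norm(tpl["closing"]):
            continue
        canonical = {_norm(m): m for m in tpl["middle"]}
        for line in lines[1:-1]:
            if line in canonical:
                return lang, canonical[line]
    return None


def flag_sircam(messages):
    """Indices of the messages in the list whose body matches the template."""
    return [i for i, body in enumerate(messages) if match_sircam_body(body)]


# Constructed sample bodies for the demo (not real captured mail).
SAMPLE_MESSAGES = [
    "Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later. Thanks\n",
    "Hola como estas ?\nEspero te guste este archivo que te mando\nNos vemos pronto, gracias.\n",
    "Hi! How are you?\nHere are the slides from Tuesday, let me know what you think.\nSee you later. Thanks\n",
]

if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_MESSAGES):
        print(i, match_sircam_body(body))
```

The third sample shares the greeting and closing with the worm but not a middle line, and is correctly left alone; a real gateway rule would pair this body check with an attachment check so that a human who happens to write these exact lines is not blocked.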
The SirCam worm picks a file from the Windows My Documents folder and uses it as a disguise for its infection routine. This can lead to the compromise of confidential data, because the selected file is mass-mailed to other people along with the worm. When the attachment is executed, the worm opens the chosen file so that the user believes it was a legitimate attachment. Behind the scenes, however, the worm is busy compiling a catalog of that user's My Documents folder and sending itself out to even greater numbers of recipients. Because the worm uses any cached email address found on the system, including addresses in cached web pages, MessageLabs warns that journalists and others whose email addresses are embedded in web pages may be particularly likely to receive the attachments.
SirCam also spreads across the network, using Windows network shares. F-Secure analysts have determined that it first enumerates all the network shares available to the infected computer. If a share contains a writeable \recycled\ folder, a copy of the worm is written to the \\[share]\recycled\ folder as 'SirC32.exe', and the line '@win \recycled\SirC32.exe' is appended to the \\[share]\autoexec.bat file, so the worm is started the next time the remote computer is rebooted. The worm also copies the remote system's 'rundll32.exe' to 'run32.exe' and then copies itself as 'rundll32.exe' into the Windows directory of that remote system.
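The three share artifacts just described (a worm copy in the recycled folder, the appended autoexec.bat line, and the rundll32.exe/run32.exe swap) are easy to sweep for. The following is an added example, not code from the original article or from F-Secure: a Python check that walks one share root and reports which of the three artifacts are present, matching file names case-insensitively since the share is a Windows filesystem. The Windows directory names it tries ("windows", "winnt") are an assumption, and the infected layout it builds in a temporary directory is constructed for the demo.

```python
"""Check one file share for the SirCam network-spread artifacts.

Added example, not code from the original article or from F-Secure. It
looks for the three artifacts described in the article: a worm copy in
the recycled folder, the appended autoexec.bat line, and the
rundll32.exe/run32.exe swap. The Windows directory names tried are an
assumption, as is the fixture built by build_infected_fixture().
"""
import os
import tempfile

WORM_FILENAME = "SirC32.exe"
AUTOEXEC_LINE = "@win \\recycled\\SirC32.exe"
WINDOWS_DIR_CANDIDATES = ("windows", "winnt")  # assumption: typical names


def _find_ci(directory, name):
    """Case-insensitive lookup of a name inside directory; returns the path or None."""
    if not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def check_share(share_root):
    """Return a dict of booleans, one per SirCam share artifact."""
    findings = {"worm_copy": False, "autoexec_hook": False, "rundll32_swap": False}

    # 1. \\[share]\recycled\SirC32.exe
    recycled = _find_ci(share_root, "recycled")
    if recycled and _find_ci(recycled, WORM_FILENAME):
        findings["worm_copy"] = True

    # 2. '@win \recycled\SirC32.exe' appended to \\[share]\autoexec.bat
    autoexec = _find_ci(share_root, "autoexec.bat")
    if autoexec:
        with open(autoexec, encoding="latin-1") as fh:
            for line in fh:
                if line.strip().lower() == AUTOEXEC_LINE.lower():
                    findings["autoexec_hook"] = True
                    break

    # 3. rundll32.exe copied to run32.exe in the remote Windows directory
    for name in WINDOWS_DIR_CANDIDATES:
        windir = _find_ci(share_root, name)
        if windir and _find_ci(windir, "run32.exe"):
            findings["rundll32_swap"] = True
            break

    return findings


def build_infected_fixture():
    """Create a temporary directory laid out like an infected share (constructed demo data)."""
    root = tempfile.mkdtemp(prefix="sircam_share_")
    os.makedirs(os.path.join(root, "Recycled"))
    with open(os.path.join(root, "Recycled", WORM_FILENAME), "wb") as fh:
        fh.write(b"MZ placeholder, not the worm\n")
    with open(os.path.join(root, "AUTOEXEC.BAT"), "w", encoding="latin-1") as fh:
        fh.write("@ECHO OFF\r\nSET PATH=C:\\WINDOWS\r\n" + AUTOEXEC_LINE + "\r\n")
    os.makedirs(os.path.join(root, "WINDOWS"))
    for name in ("run32.exe", "rundll32.exe"):
        with open(os.path.join(root, "WINDOWS", name), "wb") as fh:
            fh.write(b"placeholder\n")
    return root


if __name__ == "__main__":
    print(check_share(build_infected_fixture()))
    print(check_share(tempfile.mkdtemp(prefix="clean_share_")))
```

On a real network the share root would be a mapped drive or UNC path; run32.exe alone is only a hint, so treat that finding as a prompt to compare the remote rundll32.exe against a known-good copy rather than as proof of infection.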