SCN: FYI Sircam Worm in innocuous emails: BEWARE (fwd)

Sharma sharma at aa.net
Thu Jul 26 14:53:53 PDT 2001



---------- Forwarded message ----------
Date: Thu, 26 Jul 2001 13:24:53 EDT
From: ChipnClara at aol.com

Folks:

I've now received quite a few messages with the Sircam worm, an example is 
below. These emails are coming from people I don't know, so I have no idea 
how they got my address. Below that is the information from Data Fellows 
index (F-Secure Computer Virus Information Pages: Sircam, 
http://www.europe.datafellows.com/v-descs/sircam.shtml).

Do be careful. This is why I never download any files.

Clara

Subj:    nothing
Date:   01-07-25 18:48:40 EDT
From:   lkooley at ptd.net (Lori Cooley)
To: ChipnClara at aol.com

File:  nothing.zip.com (444107 bytes)
DL Time (28800 bps): < 4 minutes

Hi! How are you?
 
I send you this file in order to have your advice
 
See you later. Thanks [END]

F-Secure Virus Descriptions
NAME: Sircam 
ALIAS: I-Worm.Sircam, W32.Sircam, W32/SircCam 

Sircam is a mass mailing e-mail worm with the ability of spreading through 
Windows Network shares. The worm's body is 137216 bytes long but when it 
comes as an e-mail attachment, it is larger in size due to a document that is 
attached to its body. 

When the worm runs on a clean system it copies itself to different locations 
with different names: 

1. The worm copies itself as 'SirC32.exe' to the \Recycled\ folder. The default 
EXE file startup Registry key: 

[HKCR\exefile\shell\open\command]

is changed to '""[windows_drive]\recycled\SirC32.exe" "%1" %*"'. This is done 
to activate the worm's copy every time an EXE file is started. 

2. The worm copies itself as 'SCam32.exe' in the System directory. The worm 
then creates a startup key for this file in the Registry to be started during 
all Windows sessions: 

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
 "Driver32" = "<windows_system_dir_name>\SCam32.exe"

3. The worm copies itself as 'rundll32.exe' file to the Windows directory. The 
original 'rundll32.exe' file is renamed to 'run32.exe'. This copy exists only 
if a computer got infected through a network share (see below). 

4. Sometimes (once out of 33 cases) the worm places its copy to Windows 
directory with the 'ScMx32.exe' name. In this case another copy of the worm 
is created in the current user's personal startup folder as 'Microsoft 
Internet Office.exe'. This copy will be started when a user who got infected 
logs into a system. 

When a Sircam-infected e-mail attachment is opened it shows the document it 
picked up from the sender's machine. The file is displayed with the 
appropriate program according to its extension: 

 '.DOC': WinWord.exe or WordPad.exe
 '.XLS': Excel.exe
 '.ZIP': winzip.exe

This effectively disguises the worm's activity. While the user is checking 
the document the system gets infected (as described above). 

The worm uses the Windows Address Book to collect e-mail addresses ('*.wab' 
files). The worm also tries to look for e-mail addresses in the \Temporary 
Internet Files\ folder ('sho*', 'get*', 'hot*', '*.html'). If a user has a 
working e-mail account the worm reads its settings. Otherwise 
'[username]@prodigy.mx.net' is used as the default sender's address and 
'prodigy.net.mx' is used for the SMTP server name. The worm has its own SMTP 
engine and it sends out messages using this engine. 

The worm collects a list of files with certain extensions ('.DOC', '.XLS', 
'.ZIP') into fake DLL files named 'sc*.dll'. The worm then sends itself out 
with one of the document files it found in a user's 'My Documents' folder. 

Messages sent by Sircam look like this: 

 From: [user at address]
 To: [user at address]
 Subject: [document name without extension]

 Hi! How are you?

 'I send you this file in order to have your advice'
or 

 'I hope you can help me with this file that I send'
or 

 'I hope you like the file that I sendo you'
or 

 'This is the file with the information that you ask for'


 See you later. Thanks

If a system's language is set to Spanish the worm sends messages in Spanish: 

 Hola como estas ?


 'Te mando este archivo para que me des tu punto de vista'
or 

 'Espero me puedas ayudar con el archivo que te mando'
or 

 'Espero te guste este archivo que te mando'
or 

 'Este es el archivo con la información que me pediste'


 Nos vemos pronto, gracias.

The attached file has the name of a picked document file with a double 
extension like '.DOC.EXE', '.XLS.PIF'. The '.COM', '.BAT', '.PIF' and '.LNK' 
are used as second (executable) extensions. Since the worm can pick any of 
the user's personal documents it might send out confidential information. 
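The message format above (fixed greeting, one of eight request lines, fixed sign-off, subject equal to the attachment name minus its extensions, and a document extension followed by an executable one) is enough to write a mail-gateway check. The following is an added example, not code from the original post or from F-Secure; the phrase lists are copied from the description above, the sample messages are constructed (the first one mirrors the mail quoted above), and the scoring rule (disguised attachment plus at least two template phrases) is this example's own assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the F-Secure description above.
# The attachment is a stolen document name plus a second, executable extension.
DOC_EXTS = {".doc", ".xls", ".zip"}
EXEC_EXTS = {".exe", ".com", ".bat", ".pif", ".lnk"}

# Body phrases the worm chooses from, English and Spanish (compared lower-cased).
GREETINGS = ["hi! how are you?", "hola como estas ?"]
TEMPLATE_LINES = [
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la información que me pediste",
]
SIGNOFFS = ["see you later. thanks", "nos vemos pronto, gracias."]


@dataclass
class Message:
    subject: str
    body: str
    attachment: Optional[str] = None  # attachment file name, if any


def _norm(text: str) -> str:
    """Collapse whitespace and lower-case so phrase matching ignores layout."""
    return " ".join(text.split()).lower()


def split_double_extension(filename: str):
    """Return (stem, doc_ext, exec_ext) for names like 'report.DOC.PIF', else None."""
    m = re.fullmatch(r"(.+)(\.[A-Za-z0-9]+)(\.[A-Za-z0-9]+)", filename)
    if not m:
        return None
    stem, doc_ext, exec_ext = m.groups()
    if doc_ext.lower() in DOC_EXTS and exec_ext.lower() in EXEC_EXTS:
        return stem, doc_ext.lower(), exec_ext.lower()
    return None


def sircam_indicators(msg: Message) -> List[str]:
    """List every Sircam trait the message exhibits; an empty list means none."""
    hits = []
    body = _norm(msg.body)
    if msg.attachment:
        parts = split_double_extension(msg.attachment)
        if parts:
            stem, doc_ext, exec_ext = parts
            hits.append(f"double extension {doc_ext}{exec_ext}")
            # The worm uses the document name without extension as the subject.
            if _norm(msg.subject) == _norm(stem):
                hits.append("subject equals attachment stem")
    if any(g in body for g in GREETINGS):
        hits.append("template greeting")
    if any(t in body for t in TEMPLATE_LINES):
        hits.append("template request line")
    if any(s in body for s in SIGNOFFS):
        hits.append("template sign-off")
    return hits


def looks_like_sircam(msg: Message) -> bool:
    """Verdict (assumed rule): disguised executable plus at least two template phrases."""
    hits = sircam_indicators(msg)
    has_attachment_hit = any(h.startswith("double extension") for h in hits)
    body_hits = sum(1 for h in hits if h.startswith("template"))
    return has_attachment_hit and body_hits >= 2


# Constructed sample messages (not real mail): the one quoted above, a Spanish
# variant, and an ordinary message with a plain spreadsheet attached.
SAMPLE_WORM_EN = Message(
    subject="nothing",
    body="Hi! How are you?\n \nI send you this file in order to have your advice\n \nSee you later. Thanks",
    attachment="nothing.zip.com",
)
SAMPLE_WORM_ES = Message(
    subject="informe",
    body="Hola como estas ?\n\nEspero te guste este archivo que te mando\n\nNos vemos pronto, gracias.",
    attachment="informe.doc.pif",
)
SAMPLE_BENIGN = Message(
    subject="Q3 budget",
    body="Hi, the numbers are attached, let me know what you think.",
    attachment="budget.xls",
)

if __name__ == "__main__":
    for name, m in [("en", SAMPLE_WORM_EN), ("es", SAMPLE_WORM_ES), ("benign", SAMPLE_BENIGN)]:
        print(name, looks_like_sircam(m), sircam_indicators(m))
```

The double-extension check alone is the more durable signal: the body phrases identify this worm, but any attachment whose name ends in a document extension followed by one of '.COM', '.BAT', '.PIF', '.LNK' or '.EXE' is worth quarantining regardless of the text around it.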

This worm also uses Windows network shares to spread. When doing this, it 
first enumerates all the network shares available to the infected computer. 
If there is a writeable \recycled\ folder on a share, a copy of the 
worm is put to the '\\[share]\recycled\' folder as 'SirCam32.exe' file. The 
\\[share]\autoexec.bat file is appended with an extra line: '@win 
\recycled\SirC32.exe', so next time when an infected computer is rebooted the 
worm will be started. The worm also copies itself as 'rundll32.exe' file to 
the Windows directory of a remote system. The original 'rundll32.exe' file is 
copied to 'run32.exe' before that. 

The worm has two payloads. On the 16th of October, in one case out of 20, it 
deletes everything from the drive where Windows is installed. On any other 
day, in one of 50 cases, it fills up the drive where Windows is installed. In 
this case it creates a file called '<windows drive>:\recycled\sircam.sys' and 
continuously fills it with one of the text strings given below until the hard 
drive space is consumed. 

 '[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]'
or 

 '[SirCam Version 1.0 Copyright  2001 2rP  Made in / Hecho en
  - Cuitzeo, Michoacan Mexico]'

Removal instructions: 

If your system is infected with the worm first please download this REG file 
and install it (by double-clicking on it): 

ftp://ftp.europe.f-secure.com/anti-virus/tools/sirc_dis.reg 

This will remove the worm's reference from the EXE file startup key and the 
main worm's startup key in the Registry. 

Warning! The system might become unusable if the worm's file is deleted 
without modifying the EXE file startup key first. 

After that the system can be safely disinfected with FSAV. If for some reason 
the worm's file can't be deleted from Windows (locked file), then you have to 
exit to pure DOS and delete the worm's file manually or use a DOS-based 
scanner (F-Prot for DOS for example). All worm files have to be deleted or 
renamed. 

If a workstation was infected through a network share '\windows\run32.exe' has 
to be renamed back to '\windows\rundll32.exe' after disinfection. 

The extra line in 'autoexec.bat' file that starts the worm from \recycled\ 
folder should be removed also. 

Network infection prevention: 

If a network is infected and it is not possible to take it down to disinfect 
all workstations, the following method can prevent the worm from spreading to 
clean workstations: 

In the \Recycled\ folder of the drive where Windows is installed, create a 
dummy file named SIRC32.EXE with the read-only attribute. 
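The removal and prevention steps above come down to three host indicators: the hijacked EXE handler under exefile\shell\open\command, the 'Driver32' RunServices entry, and the '@win \recycled\SirC32.exe' line in autoexec.bat. The following is an added example, not part of the original post, F-Secure's sirc_dis.reg, or FSAV: it parses a regedit-style .reg export (the exported key names and the .reg escaping rules are assumed to be the standard regedit format) plus an autoexec.bat and reports which of those indicators are present. The registry export and autoexec.bat texts are constructed sample data; the value under RunServices in the clean sample is a placeholder, not a real service name.

```python
import re
from typing import Dict, List

# Registry locations named in the description, as a .reg export spells them.
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
# File names the description lists for the worm's copies.
WORM_FILENAMES = {"sirc32.exe", "scam32.exe", "scmx32.exe", "sircam32.exe"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values in a Windows .reg export: {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')  # '@' is the key's default value
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg backslash escaping
        keys[current][name] = data
    return keys


def check_host(reg_text: str, autoexec_text: str) -> List[str]:
    """Return a finding per Sircam persistence indicator present; empty means clean."""
    findings = []
    keys = parse_reg_export(reg_text)
    # 1. EXE handler hijack: a clean command is '"%1" %*', not a file in \recycled\.
    cmd = keys.get(EXEFILE_KEY, {}).get("@", "")
    if "\\recycled\\sirc32.exe" in cmd.lower():
        findings.append("exefile open command hijacked: " + cmd)
    # 2. RunServices entry whose target is one of the worm's file names.
    for name, data in keys.get(RUNSERVICES_KEY, {}).items():
        if data.lower().rsplit("\\", 1)[-1] in WORM_FILENAMES:
            findings.append(f"RunServices '{name}' -> {data}")
    # 3. The extra autoexec.bat line added on network-share infection.
    for line in autoexec_text.splitlines():
        if re.match(r"\s*@?win\s+\\recycled\\sirc32\.exe", line, re.IGNORECASE):
            findings.append("autoexec.bat starts worm: " + line.strip())
    return findings


# Constructed sample data (not taken from a real machine).
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"
'''
INFECTED_AUTOEXEC = "@ECHO OFF\n@win \\recycled\\SirC32.exe\n"

CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ExampleService"="C:\\WINDOWS\\SYSTEM\\example.exe"
'''
CLEAN_AUTOEXEC = "@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"

if __name__ == "__main__":
    for label, reg, auto in [("infected", INFECTED_REG, INFECTED_AUTOEXEC),
                             ("clean", CLEAN_REG, CLEAN_AUTOEXEC)]:
        print(label, check_host(reg, auto))
```

Run the check before deleting anything: as the warning above says, removing SirC32.exe while the exefile command still points at it leaves every EXE unable to start, so the first finding must be fixed (the handler restored to '"%1" %*') before the worm files are removed.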

[Analysis: Gergely Erdelyi, Alexey Podrezov; F-Secure Corp.; July 18-23, 2001]

* * * * * * * * * * * * * *  From the Listowner  * * * * * * * * * * * *
.	To unsubscribe from this list, send a message to:
majordomo at scn.org		In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * *     http://www.scn.org/volunteers/scn-l/     * * * * * * *
