WIN32/SIRCAM
Win32/Sircam is a dangerous worm written in Delphi. The length of the worm is close to 137 kilobytes. It spreads by means of infected e-mails and over shared disks in local area networks (LANs).
In the latter case, it creates a copy of itself (SirC32.exe) in the \RECYCLED directory of each shared disk. To ensure that this copy is activated, it either adds the line "@win \recycled\SirC32.exe" to the autoexec.bat file or renames rundll32.exe to "run32.exe" and replaces the original rundll32.exe with a copy of the worm (the one located in the \RECYCLED directory).
An infected e-mail contains an attachment with the worm body. The attachment file has two extensions (a trick used quite often lately). The Subject of the infected message is the same as the name of the attached file. The message body is in Spanish or English depending on the preferred language setting: when Spanish is selected, the message body is in Spanish, otherwise it is in English. The message itself is composed of randomly selected predefined sentences, with the first and last line of the message always being the same. The following sentences are used in English:
First sentence: Hi! How are you ?
Last sentence: See you later. Thanks
Remaining text (one of the following):
  I send you this file in order to have your advice
  I hope you can help me with this file that I send
  I hope you like the file that I sendo you
  This is the file with the information that you ask for
In the Spanish variant, the following sentences are used:
First sentence: Hola como estas ?
Last sentence: Nos vemos pronto, gracias.
Remaining text (one of the following):
  Te mando este archivo para que me des tu punto de vista
  Espero me puedas ayudar con el archivo que te mando
  Espero te guste este archivo que te mando
  Este es el archivo con la informacion que me pediste
Execution of the attached file activates the worm. The worm creates a copy of itself (SirC32.exe) in the C:\RECYCLED directory and another copy (SCam32.exe) in the \SYSTEM subdirectory of the Windows installation directory. The worm adds a new entry to the system registry: the value Driver32=C:\WINDOWS\SYSTEM\SCam32.exe under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices key, so that it is started again on every boot. The HKEY_CLASSES_ROOT\exefile\shell\open\command key is set to C:\recycled\SirC32.exe "%1" %*, a trick that causes the worm to run before any EXE file is executed. The HKEY_LOCAL_MACHINE\Software\SirCam key is used by the worm to store certain information about the infected computer (e.g. the number of times the worm has been executed, or its current file name).
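The persistence traces described above (the autoexec.bat line and renamed rundll32.exe from the LAN case, and the RunServices value, exefile command hijack and SirCam marker key from the e-mail case) can be checked offline. The following is an added example, not code from the original write-up or from any vendor tool; the registry snapshot, autoexec.bat text and SYSTEM directory listing are constructed sample data, and the `{key: {value_name: data}}` shape is an assumption of this example.

```python
import re

# Constructed sample data (assumed shape, not taken from a real machine):
# a registry snapshot as {key: {value_name: data}}, an autoexec.bat text
# and a listing of the Windows SYSTEM directory.
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "Driver32": r"C:\WINDOWS\SYSTEM\SCam32.exe"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {
        "": r'C:\recycled\SirC32.exe "%1" %*'},
    r"HKEY_LOCAL_MACHINE\Software\SirCam": {},
}
SAMPLE_AUTOEXEC = "@echo off\n@win \\recycled\\SirC32.exe\nPATH=C:\\WINDOWS\n"
SAMPLE_SYSTEM_DIR = ["rundll32.exe", "run32.exe", "SCam32.exe", "kernel32.dll"]

RUN_SERVICES = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
EXEFILE_CMD = r"hkey_classes_root\exefile\shell\open\command"
MARKER_KEY = r"hkey_local_machine\software\sircam"
DEFAULT_EXEFILE_COMMAND = '"%1" %*'   # a clean exefile open command
WORM_FILES = ("sirc32.exe", "scam32.exe")

def check_registry(reg):
    """Report the three registry changes the worm makes (keys compared case-insensitively)."""
    reg = {k.lower(): v for k, v in reg.items()}
    findings = []
    for name, data in reg.get(RUN_SERVICES, {}).items():
        if data.lower().endswith(WORM_FILES):
            findings.append(f"RunServices value {name!r} starts {data}")
    cmd = reg.get(EXEFILE_CMD, {}).get("", DEFAULT_EXEFILE_COMMAND)
    if cmd.strip() != DEFAULT_EXEFILE_COMMAND:
        findings.append(f"exefile open command is not the default: {cmd}")
    if MARKER_KEY in reg:
        findings.append("HKLM\\Software\\SirCam marker key present")
    return findings

def check_autoexec(text):
    """Report autoexec.bat lines that launch the copy in \\recycled."""
    return [f"autoexec.bat line {n} starts the worm: {line.strip()}"
            for n, line in enumerate(text.splitlines(), 1)
            if re.search(r"\\recycled\\sirc32\.exe", line, re.I)]

def check_system_dir(names):
    """Report the renamed rundll32.exe (run32.exe) and the SCam32.exe copy."""
    lowered = {n.lower() for n in names}
    findings = []
    if "run32.exe" in lowered:
        findings.append("run32.exe present: rundll32.exe was renamed and may now be the worm")
    if "scam32.exe" in lowered:
        findings.append("SCam32.exe present in the SYSTEM directory")
    return findings

def scan(reg, autoexec, system_dir):
    return check_registry(reg) + check_autoexec(autoexec) + check_system_dir(system_dir)
```

A non-default exefile command is reported even when it does not name SirC32.exe, since any such change means something other than the requested program runs first and deserves a look.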
To make things more complicated, the worm has several activation routines. One of them (active on October 16th) can lead to the deletion of all files on disk C:. Another activation routine creates the file "sircam.sys" in the C:\RECYCLED directory and writes one of the following strings
[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
or:
[SirCam Version 1.0 Copyright (c) 2001 2rP Made in/Hecho en - Cuitzeo, Michoacan Mexico]
into it repeatedly, until all free disk space is used up.
The worm is capable of retrieving e-mail addresses (to which it then mails itself) in two ways:
CLEANING PROCEDURE
Before cleaning, download the following file by clicking on it: CLN_SIRC.COM.
This document describes the cleaning of a computer infected with the Sircam worm for the following two alternatives:
Case 1
Case 2
If NOD32 version 1.97 or higher is installed on the infected computer, the following approach to cleaning the infection will work: