WIN32/SIRCAM

Win32/Sircam is a dangerous worm written in Delphi. The length of the worm is close to 137 kilobytes. It spreads by means of infected e-mails and within shared disks in local area networks (LANs).

In the latter case, it creates its copy (SirC32.exe) in the \RECYCLED directories of the shared disks. To ensure that this copy gets executed, it either adds the "@win \recycled\SirC32.exe" line to the autoexec.bat file or renames rundll32.exe to "run32.exe" and replaces the original rundll32.exe with the copy of the worm (located in the \RECYCLED directory).

An infected e-mail contains an attachment with the worm body. The attachment file has two extensions (a trick used quite often lately). The Subject of the infected message is the same as the name of the attached file. The message body contains a Spanish or English text depending on the preferred language setup: when Spanish is selected, the message body is in Spanish, otherwise it is in English. The message itself is composed of randomly selected predefined sentences, with the first and last line of the message always being the same. The following sentences are used in English:

  First sentence: Hi! How are you ?
  Last sentence : See you later. Thanks
  Remaining text: I send you this file in order to have your advice
    I hope you can help me with this file that I send
    I hope you like the file that I sendo you
    This is the file with the information that you ask for

In Spanish mutation, the following sentences are used:

  First sentence: Hola como estas ?
  Last sentence : Nos vemos pronto, gracias.
  Remaining text: Te mando este archivo para que me des tu punto de vista
    Espero me puedas ayudar con el archivo que te mando
    Espero te guste este archivo que te mando
    Este es el archivo con la informacion que me pediste
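As an added example (not part of the NOD32 description above), the following Python script applies the two message traits just described as a mail-gateway triage heuristic: an attachment name with a document extension followed by an executable one, and a Subject equal to the attachment's name. The sample messages and the extension lists are constructed for the example; the check is written generally, so it flags any such double-extension attachment, not only Sircam's.

```python
"""Triage an RFC 822 message for Sircam-style attachment tricks.

Added example; the messages and extension lists below are constructed,
not taken from the original description.
"""
import email
from email import policy

# Executable extensions that worms of this era hid behind a document extension.
EXEC_EXTS = {"exe", "com", "pif", "bat", "lnk", "scr"}
# Extensions a recipient expects to be harmless documents.
DOC_EXTS = {"doc", "xls", "zip", "txt", "rtf"}


def double_extension(filename):
    """Return (base, doc_ext, exec_ext) for names like 'budget.doc.pif', else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3:
        return None
    base, doc_ext, exec_ext = parts
    if doc_ext in DOC_EXTS and exec_ext in EXEC_EXTS:
        return base, doc_ext, exec_ext
    return None


def triage_message(raw):
    """Parse a message and return a list of findings (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hit = double_extension(name)
        if not hit:
            continue
        base, doc_ext, exec_ext = hit
        findings.append(f"double extension: {name} ({doc_ext} disguising {exec_ext})")
        # The worm reuses the attachment name (with or without the trailing
        # executable extension) as the Subject; a match strengthens the finding.
        if subject in (base, f"{base}.{doc_ext}"):
            findings.append(f"subject matches attachment name: {subject!r}")
    return findings


# Constructed sample shaped like the English variant described above.
SAMPLE = """\
From: someone@example.com
To: victim@example.com
Subject: budget
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! How are you ?

I send you this file in order to have your advice

See you later. Thanks
--b1
Content-Type: application/octet-stream; name="budget.doc.pif"
Content-Disposition: attachment; filename="budget.doc.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed benign message: a plain text attachment, single extension.
BENIGN = """\
From: colleague@example.com
To: victim@example.com
Subject: meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Notes attached.
--b2
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

agenda
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, triage_message(raw) or "clean")
```

A gateway would typically quarantine on the first finding alone; the Subject match is only a confidence booster, since the worm picks the file name from the victim's own documents and the Subject with it.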

Execution of the file in the attachment triggers activation of the worm. The worm creates its copy (Sirc32.exe) in the C:\RECYCLED directory and another copy (SCam32.exe) in the \SYSTEM subdirectory where the Windows operating system resides. The worm adds a new entry to the system registry, in particular the item Driver32=C:\WINDOWS\SYSTEM\SCam32.exe under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices key, to provide for its subsequent repeated activation. The HKEY_CLASSES_ROOT\exefile\shell\open\command key is set to C:\recycled\SirC32.exe "%1" %*, a trick that leads to the worm being activated before any EXE file is executed. The HKEY_LOCAL_MACHINE\Software\SirCam key serves the worm to store certain information on the infected computer (e.g. the number of actual executions of the worm, or its actual name).
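The persistence points named above (the RunServices value, the exefile open-command hijack, the worm's own state key, and the autoexec.bat line from the LAN-spreading section) can be verified from exported data rather than by hand. The following Python script is an added example, not NOD32's tool or the original text's code: it parses a .reg export and the contents of autoexec.bat, both constructed here, and reports the artifacts. Reading the live hive with winreg on the infected host is assumed to be how you would feed it. The exefile check is written generally: any handler other than the stock "%1" %* is reported, which also covers other malware that used the same hijack.

```python
"""Check exported host artifacts for the persistence described above.

Added example; the .reg export and autoexec.bat contents are constructed
from the description, not captured from a real machine.
"""
import re

RUNSERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
EXEFILE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
WORM_STATE_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
# Stock exefile handler: run the file itself, pass its arguments through.
CLEAN_EXEFILE = '"%1" %*'


def parse_reg_export(text):
    """Parse [Key] and "Name"="Value" / @="Value" lines into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'(@|"([^"]+)")="(.*)"', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            # .reg files escape embedded quotes and backslashes; undo that.
            current[name] = m.group(3).replace('\\"', '"').replace("\\\\", "\\")
    return keys


def check_registry(keys):
    """Return findings for the three registry artifacts in the description."""
    findings = []
    for name, value in keys.get(RUNSERVICES, {}).items():
        if "scam32.exe" in value.lower():
            findings.append(f"RunServices {name} launches {value}")
    cmd = keys.get(EXEFILE_CMD, {}).get("@", "")
    if cmd and cmd.lower() != CLEAN_EXEFILE.lower():
        findings.append(f"exefile open command hijacked: {cmd}")
    if WORM_STATE_KEY in keys:
        findings.append(f"worm state key present: {WORM_STATE_KEY}")
    return findings


def check_autoexec(text):
    """Return autoexec.bat lines that start the worm copy from \\recycled."""
    return [line.strip() for line in text.splitlines()
            if re.search(r"\\recycled\\sirc32\.exe", line, re.IGNORECASE)]


def scan_host(reg_text, autoexec_text):
    """Combine both checks into one list of findings."""
    findings = check_registry(parse_reg_export(reg_text))
    findings += [f"autoexec.bat starts worm: {line}" for line in check_autoexec(autoexec_text)]
    return findings


# Constructed export of an infected host, following the description above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\SirC32.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\SirCam]
"""

# Constructed export of a clean host for contrast.
CLEAN_REG = r"""[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

# Constructed autoexec.bat with the line the LAN-spreading routine adds.
SAMPLE_AUTOEXEC = r"""@echo off
@win \recycled\SirC32.exe
"""

if __name__ == "__main__":
    for finding in scan_host(SAMPLE_REG, SAMPLE_AUTOEXEC):
        print(finding)
    print("clean host:", scan_host(CLEAN_REG, "@echo off") or "no findings")
```

Restoring the exefile handler to "%1" %* before deleting SirC32.exe matters: with the hijack in place and the worm file gone, no EXE can be started through the shell, which is why the cleaning procedure below runs its repair program before and after the scanner.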

To make things more complicated, the worm has several activation routines. One of them (active on October 16th) can lead to deletion of all files on disk C:. Another possible activation routine triggers creation of the "sircam.sys" file in the C:\RECYCLED directory with the following string

[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]

or:

[SirCam Version 1.0 Copyright (c) 2001 2rP Made in/Hecho en - Cuitzeo, Michoacan Mexico]

being written into it repeatedly, till all the free disk space is used up.

The worm is capable of retrieving e-mail addresses (used to mail itself to) in two ways:

  1. from the files with "wab" extensions (containing the e-mail addresses) or,
  2. from certain files on the disk.

CLEANING PROCEDURE

Before cleaning, download the following file: CLN_SIRC.COM by clicking at it.

This document describes cleaning of a computer infected with Sircam worm for the following two alternatives:

  1. NOD32 Antivirus System is not installed on the infected computer or the installed version is lower than version 1.97
  2. NOD32, version 1.97 is installed on the infected computer

Case 1

  1. Close all running applications
  2. If NOD32 is not installed on your computer, then you need to download and install the full or the trial version of NOD32 Antivirus System. During the installation, disable the option "Automatic execution of AMON upon system startup". This option should be enabled again after cleaning. Restart your computer and follow the instructions presented in step 4 below.
  3. If NOD32 is installed on your computer and AMON module is running (i.e. the "Red Cross" icon is present in the system taskbar), click at the icon, and double click at the pulsing Amon logo. This will disable the resident module temporarily.
  4. Do NOT restart your computer while carrying out the following four steps (5-8)!
  5. Using NOD32 Control Center update your system to version 1.97 (or higher, if applicable).
  6. Run the CLN_SIRC.COM program by clicking at its icon.
  7. Run NOD32, and have all disks cleaned. Delete all the programs containing Sircam worm.
  8. Run the cleaning program: CLN_SIRC.COM again.
  9. Restart your computer.
  10. Make sure that the AMON module is active (activation of AMON on Windows NT/2000 platforms is achieved by double clicking at the frozen AMON logo - see step 3 above).


Case 2

If NOD32, version 1.97 or higher is installed on an infected computer, the following approach to clean the infection will work:

  1. Run CLN_SIRC.COM from a diskette (you will have to download the file and save it on a diskette).
  2. Run NOD32 on-demand scanner, use the clean option and delete from the disk all the programs containing Sircam worm.
  3. Run the cleaning program: CLN_SIRC.COM again.
  4. Restart your computer.