TUCoPS :: Malware :: al200112.txt

AusCERT Alert 2001.12 W32.Sircam.Worm@mm Virus 

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2001.12  --  AUSCERT ALERT 
                          W32.Sircam.Worm@mm Virus
                                24 July 2001

===========================================================================

PROBLEM:  

	AusCERT has received significant numbers of reports in the last
	few hours of a new Win32 based virus named "SirCam", thus indicating
	that it may be propagating rapidly. Large numbers of Australian and
	New Zealand sites have reported detecting this virus, however
	we have received few reports of actual infection.

	SirCam propagates via email using Microsoft Outlook or Outlook
	Express, sending copies of itself to all addresses listed in
	the infected machine's address book. The message sent is in the
	following format:

		Subject: <Filename without extension>
	
		Hi! How are you?
	
		I send you this file in order to have your advice OR
		I hope you can help me with this file that I send OR
		This is the file with the information that you ask for

		See you later. Thanks

	This text may also be in Spanish.

	The message contains an attachment that appears to be an Office
	document, Zip file or an executable. The name of the file is the
	same as the subject line, and is randomly chosen from the infected
	machine. The attachment has an executable extension (such as .exe,
	.bat, .com, .pif or .lnk). So, for instance, if SirCam infected a
	file named "My Private Information.doc", the subject of the message
	would be "My Private Information", and the attachment would be
	named "My Private Information.doc.exe" (.exe may be replaced by
	any of the other executable extensions).

	The attachment is the SirCam virus, but also contains the original
	file. When run, the virus extracts the original file and launches
	it using the appropriate program (for instance a .doc file will
	be opened with Word or Wordpad) so that it appears to be a valid
	file.

	In the background the virus copies itself into the temporary,
	system and recycle bin directories. It then alters the registry,
	creating keys to ensure it is run on startup, storing information
	it needs to run and ensuring it is run whenever a file with the
	.exe extension is run. Once this is done, it will attempt to spread
	itself to any computers networked to the infected system.

	There is then a one in thirty-three chance that the SirCam virus
	will copy itself to the Startup folder with the name of "Microsoft
	Internet Office.exe", and then create the file
	"C:\recycled\Sircam.sys". This file will then be filled with text
	until there is no space remaining on the drive.

	There is also a one in twenty chance that on the 16th of October of
	any year SirCam will delete all files and folders on the C drive of
	the infected machine. This will only occur on machines that use a
	date format of DD/MM/YYYY. Any other forms (such as MM/DD/YYYY) will
	not trigger this effect.

	Once all this has been completed, the virus begins sending itself
	out to other computers. It does so by scanning the internet cache
	and address books for email addresses, and choosing a random Office
	document, Zip file or program. This file is then appended to the virus
	body, and is sent off to the addresses harvested. This is done 8000
	times before the virus stops.


PLATFORM:

	SirCam is a Win32 executable and poses a threat to Microsoft
	Windows operating systems that run Win32 (32-bit) applications.
	These systems include, but are not limited to Windows ME, Windows
	NT4 and Windows 2000.


IMPACT:

	SirCam has the ability to degrade network and system performance,
	delete files, and distribute potentially confidential information.


RECOMMENDATIONS:


	A. Detection

	To check if you have the SirCam virus, either use your virus scanner
	with a recent update (check with your vendor to ensure the scanner
	can detect SirCam), follow any instructions supplied by virus scanner
	vendors (see the links below) or use the following steps:

	Step 1: Open a command prompt and type the following:

		copy %windir%\regedit.exe %windir%\regedit.com
		start -w %windir%\regedit.com

	This should open the Registry Editor. Regedit.exe must be copied to
	Regedit.com because SirCam registers itself as the program for
	opening files with an extension of .exe, thus acting as a Trojan
	Horse. Please note that the .exe file may not actually be infected
	by the virus.

	Step 2: In the left hand pane, expand the entry "HKEY_LOCAL_MACHINE",
	and then expand the "SOFTWARE" entry under that. If there is a key
	under "SOFTWARE" with the name "SirCam" your machine may be infected.

	Step 3: Close the Registry Editor and then remove the copy of
	Regedit by entering the following command at the command prompt.
	Note: Do *not* delete the file %windir%\regedit.exe.

		del %windir%\regedit.com

	Step 4: Check if the system has been infected over a network share
	by running the following command (note that this should be done for
	any drives that have an autoexec.bat file in the root directory):

		edit \autoexec.bat

	Step 5: Look for a line that says:

		@win \recycled\sirc32.exe

	If it is present your system may be infected.


        B. Recovery

	If you detect SirCam on one machine, it is vital to check for the
	presence of the virus on *all* potentially affected systems,
	including systems connected via network shares to the infected
	machine. This may be accomplished using a current version of an
	anti-virus program that is certified by the vendor to detect them,
	or following the recovery steps listed at the following sites:

	http://www.europe.f-secure.com/v-descs/sircam.shtml
	http://vil.mcafee.com/dispVirus.asp?virus_k=99141&
	http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
	http://www.sophos.com/virusinfo/analyses/w32sircama.html
	http://www.cai.com/virusinfo/encyclopedia/descriptions/s/sircam137216.htm
	http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A
	http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A


	C. User Education

	System Administrators are urged to inform their users about proper
	precautions with regards to handling email attachments.

	AusCERT recommends that sites should update and check their virus
	defences and either delete or quarantine any email messages or
	attachments that resemble those described above or in the following
	links.

	D. Update Anti-Virus Packages

	System administrators and users are urged to ensure that the latest
	Anti-Virus software is installed and that it is using the most
	current up-to-date virus databases.

	More information can be found at:

	http://www.europe.f-secure.com/v-descs/sircam.shtml
	http://vil.mcafee.com/dispVirus.asp?virus_k=99141&
	http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
	http://www.sophos.com/virusinfo/analyses/w32sircama.html
	http://www.cai.com/virusinfo/encyclopedia/descriptions/s/sircam137216.htm
	http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A
	http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A

	AusCERT is continuing to monitor this problem. 

- ---------------------------------------------------------------------------
For more information contact your Anti-Virus software vendor.
- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
						       
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO2WY8Sh9+71yA2DNAQFNfwQAg+2AkLDzsVYhves3HQ/Qyq8RTsWBOqAn
nW72vL9IzDfg96lhi6JBxgJAJU6PvU/l0Fh1X5l3gmEr+5pDsIFgNWYSi3rcPu7m
KHVwUnSqgUWb8FiYHtKwMw7Y8OPmylmVSXDoT1toX9sRwE44e6KpwfDGrR5USbkQ
N+AMJkrJz74=
=b4Kc
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH