rwb, Beginner
1 January 2002 - 16:03. There are 11 comments and 1 solution

SirC32

SirC32 is a file that is needed to open files called Program (i.e. all the programs).
And I have accidentally deleted it; does anyone know where I might be able to download it?

It's urgent!!!

- RWB
kapla, Beginner
1 January 2002 - 16:05 #1
It's a virus
rwb, Beginner
1 January 2002 - 16:07 #2
Do you think so?
rkhdk, Beginner
1 January 2002 - 16:08 #3
http://securityresponse.symantec.com/avcenter/venc

1. It creates copies of itself as %TEMP%\<File name> and C:\Recycled\<file name>, which contain the attached document. This document is then run using the program registered to handle the specific file type. For example, if it is saved as a file with the .doc extension, it will run using Microsoft Word or Wordpad. A file with the .xls extension will open in Excel, and one with the .zip extension will open in your default zip program, such as WinZip.

NOTE: The term %TEMP% is the Temp variable, and means that the worm will save itself to the Windows Temp folder, whatever its location. The default is C:\Windows\Temp.

2. It copies itself to C:\Recycled\Sirc32.exe and %System%\Scam32.exe.

NOTE: %System% is also a variable. The worm will locate the \System folder (by default this is C:\Windows\System) and copy itself to that location.

3. It adds the value

Driver32=%System%\scam32.exe

to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

4. It creates the following registry key:

HKEY_LOCAL_MACHINE\Software\SirCam

with the following values:
FB1B - Stores the file name of the worm as stored in the Recycled directory.
FB1BA - Stores the SMTP IP address.
FB1BB - Stores the email address of the sender.
FC0 - Stores the number of times the worm has executed.
FC1 - Stores what appears to be the version number of the worm.
FD1 - Stores the file name of worm that has been executed, without the suffix.
FD3 - Stores a value corresponding to the current state of the worm.
FD7 - Stores the number of mails that have been sent prior to any interruption of this process.

5. The (Default) value of the registry key

HKEY_CLASSES_ROOT\exefile\shell\open\command

is set to

C:\recycled\sirc32.exe "%1" %*"

This enables the worm to execute itself any time that an .exe file is run.

6. The worm is network aware, and it will enumerate the network resources to infect shared systems. If any are found, it will do the following:
Attempt to copy itself to <Computer>\Recycled\Sirc32.exe
Add the line "@win \recycled\sirc32.exe" to the file <Computer>\Autoexec.bat
Copy <Computer>\Windows\Rundll32.exe to <Computer>\Windows\Run32.exe
Replace <Computer>\Windows\rundll32.exe with C:\Recycled\Sirc32.exe

7. There is a 1 in 33 chance that the following actions will occur:
The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe
The worm copies itself as "Microsoft Internet Office.exe" to the folder referred to by the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

8. There is a 1 in 20 chance that on October 16th of any year, the worm will recursively delete all files and folders on the C drive.
This payload functions only on computers which use the date format D/M/Y (as opposed to M/D/Y or similar formats).

Additionally, the payload will always activate immediately, regardless of date and date format, if the file attached to the worm contains the sequence "FA2" without the letters "sc" following immediately.

NOTE: Due to a bug in the initialization of a random number generator, it is highly unlikely that the file deleting, and space filling payloads of this threat will ever be activated.

9. If this payload activates, the file C:\Recycled\Sircam.sys is created and filled with text until there is no remaining disk space. The text is one of two strings:
[SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
or
[SirCam Version 1.0 Copyright © 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

10. The worm contains its own SMTP engine which is used for the email routine. It obtains email addresses through two different methods:

It searches the folders that are referred to by the registry keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

for sho*., get*., hot*., *.htm files, and copies email addresses from there into the file %system%\sc?1.dll

where ? is a different letter for each location, as follows:

scy1.dll: addresses from %cache%\sho*., hot*., get*.
sch1.dll: addresses from %personal%\sho*., hot*., get*.
sci1.dll: addresses from %cache%\*.htm
sct1.dll: addresses from %personal%\*.htm

It searches %system% and all subfolders for *.wab (all Windows Address Books) and copies addresses from there into %system%\scw1.dll.

11. It searches the folders referred to by the registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

for files of type .doc, .xls, and .zip, and stores the filenames in %system%\scd.dll. One of these files will be appended to the worm's original executable and this new file will be sent as the email attachment.

The From: email address and mail server are taken from the registry. If no email account exists, then the current user name will be prepended to "prodigy.net.mx", e.g. if the current user logged on as JSmith, then the address will be "jsmith@prodigy.net.mx". Then the worm will attempt to connect to a mail server. This will be either the mail server taken from the registry, or one of

prodigy.net.mx
goeke.net
enlace.net
dobleclick.com.mx

The language used for the mail depends on the language used by the sender. If the sender uses Spanish, then the mail will be in Spanish, otherwise it will be in English. The attachment is chosen randomly from the list of files in the scd.dll.
gimmy, Beginner
1 January 2002 - 16:12 #6
rwb, Beginner
1 January 2002 - 16:14 #7
What do I do then?
rkhdk, Beginner
1 January 2002 - 16:16 #8
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html

To obtain and run the tool:

1. Go to http://www.sarc.com/avcenter/FixSirc.com
2. Download the Fixsirc.com file to a convenient location, such as your download folder or the Windows desktop. If you are on a network, the removal tool should be applied on all computers, including the server.
3. To check the authenticity of the digital signature, refer to the section The digital signature.
4. Close all programs before running the tool, including any antivirus scanners such as NAV Auto-Protect.

CAUTION: Do not skip this step (but also see the note that follows this caution). You must disable Auto-Protect before you run the tool. For instructions, see the document How to enable and disable Norton AntiVirus Auto-Protect.

NOTE: There is one exception to the requirement that you must disable Auto-Protect: If NAV has detected and quarantined the virus and NAV is no longer running due to the registry change that was made by the worm, you will not be able to disable Auto-Protect as it will not be running. However, you must make sure that NAV Auto-Protect is disabled by attempting to disable it as previously described.

5. If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Disable or password protect file sharing before reconnecting computers to the network or to the internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.

CAUTION: Do not skip this step. You must disconnect from the network before running the tool.

6. If you are using Windows Me, then disable System Restore. Please refer to the section System Restore option in Windows Me for additional details.

NOTE: If you are running Windows Me, we strongly recommend that you do not skip this step.

7. Double-click the Fixsirc.com file to start the removal tool.

NOTE: If you downloaded the tool to a floppy disk, and want to run it from the floppy, see the section How to run the tool from a floppy disk at the end of this document for special instructions.

NOTE: If you are using Windows Me, and the System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled or exit the removal tool.

8. Click Start to begin the process, and then allow the tool to run.
9. If you are using Windows Me, then reenable System Restore.
10. Reenable Auto-Protect

NOTE:
If you see a message that the tool must be re-run in Safe mode, restart the computer in Safe mode and run the tool again. Please follow this instruction to ensure that the virus does not reinfect the computer. To restart in Safe mode, see the document How to restart Windows 9x or Windows Me in Safe Mode.
The removal procedure might be unsuccessful if System Restore is enabled under Windows ME, because Windows prevents System Restore from being modified by outside programs. Because of this, any worm removal attempts made by the removal tool might fail.
When the procedure is finished, the removal tool may detect that you are using Windows ME and that System Restore remains disabled. In this case, you will see a reminder message to reenable this option.
If you need to run the tool in login scripts or batch files with no messages displayed, then use the following command line syntax for the "Silent" mode:
Fixsirc.com /s

When the tool has finished running, you will see a message indicating whether the computer was infected by the W32.Sircam.Worm@mm worm. In the case of a removal of the worm, the program displays the following results:
The total number of the scanned files.
The number of deleted files.
The number of registry keys that were fixed.

What the tool does
The W32.Sircam.Worm@mm removal tool does the following:
1. It scans and deletes files infected with the W32.Sircam.Worm@mm worm.

2. The tool removes the following registry key:

HKEY_LOCAL_MACHINE\Software\SirCam

3. In the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

it deletes the following value:

Driver32

4. In the registry key

HKEY_CLASSES_ROOT\exefile\shell\open\command

the tool modifies the [Default] value by setting it to:

"%1" %*

5. The tool removes the line "@win \recycled\sirc32.exe" from the C:\Autoexec.bat file.
6. The tool restores the Rundll32.exe file renamed by the worm.
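As an added example (not from the Symantec write-up or the removal tool), the following script checks a registry export for the three SirCam registry artefacts described in posts #3 and #8: the HKLM\Software\SirCam key, the Driver32 value under RunServices, and a hijacked (Default) value under exefile\shell\open\command, whose clean value is "%1" %*. The .reg text embedded below is constructed, not a real capture, and the REGEDIT4 parser is a minimal one written for this example.

```python
# Constructed REGEDIT4-style export (not a real capture) containing the
# three registry artefacts that the Symantec write-up attributes to SirCam.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\SirCam]
"FB1B"="sirc32.exe"
"FC0"="3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\scam32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"
'''

# Value a clean Windows 9x/Me system has for the exefile open command.
CLEAN_EXE_COMMAND = '"%1" %*'


def parse_reg(text):
    """Minimal REGEDIT4 parser: {key path (lower-case): {value name: data}}.
    Handles only string values; '@' is mapped to '(Default)'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line and '=' in line:
            name, _, data = line.partition('=')
            name = '(Default)' if name == '@' else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes as \\ and quotes as \"
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def check_sircam(text):
    """Return a list of human-readable findings for SirCam registry artefacts."""
    keys = parse_reg(text)
    findings = []
    if r'hkey_local_machine\software\sircam' in keys:
        findings.append('HKLM\\Software\\SirCam key present')
    run = keys.get(r'hkey_local_machine\software\microsoft\windows\currentversion\runservices', {})
    if 'scam32.exe' in run.get('Driver32', '').lower():
        findings.append('RunServices\\Driver32 points at scam32.exe')
    cmd = keys.get(r'hkey_classes_root\exefile\shell\open\command', {}).get('(Default)', '')
    if cmd and cmd != CLEAN_EXE_COMMAND:
        findings.append('exefile open command hijacked: %s (expected %s)' % (cmd, CLEAN_EXE_COMMAND))
    return findings
```

On a live machine you would feed it the output of a registry export of those three keys; an empty result means none of the three artefacts is present.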
rkhdk, Beginner
1 January 2002 - 16:20 #9
Don't you have an antivirus program?
rwb, Beginner
1 January 2002 - 16:26 #10
I don't know, as it's my mother's PC....
I'll have to find that out, and get one installed...
rkhdk, Beginner
1 January 2002 - 16:30 #11
Thanks for the points! ;o)

Probably a very good idea to get an antivirus program! *S*
summer, Master
1 January 2002 - 17:50 #12
rkhdk, are you still bored? ho ho ho hoe, Happy New Year :)