Avatar billede mbluhme Nybegynder
24. juli 2001 - 11:32 Der er 5 kommentarer og
2 løsninger

Windows kan ikke finde SirC32.exe, er dette en VIRUS

Jeg kan ikke starte noget program i Windows , jeg får meldingen at windows ikke kan finde SirC32.exe som skal bruges til at starte filer af typen program. Har jeg fået Virus på min PC.
Avatar billede NanoQ Nybegynder
24. juli 2001 - 11:34 #1
sikker på den hedder SirC32?
Avatar billede mbluhme Nybegynder
24. juli 2001 - 11:35 #2
Ja jeg er sikker
Avatar billede bbs Nybegynder
24. juli 2001 - 11:35 #3
Det behøver langt fra at være virus ..
Hvis du har Windows CD\'en så geninstaller windows, der er ingen data der vil gå tabt af det, og problemet vil muligvis være løst ..
Avatar billede lhawk Nybegynder
24. juli 2001 - 11:36 #4
Ja, du har fået I-Worm.Sircam.A
Tjek følgende i regedit :
HKCR\\exefile\\shell\\open\\command\\Default=\"c:\\recycled\\SirC32.exe\"
\"%1\" %*   

HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\\Driver32
=c:\\windows\\system\\SCam32.exe

Få fat i en opdatering til dit virusprogram og fjern ormen. Den er ret ny.
Avatar billede mbluhme Nybegynder
24. juli 2001 - 11:37 #5
Jeg har søgt på andre Windows 98 Pc\'er uden at kunnde finde filen. Derfor tror jeg ikke at en geninstallation vil virke !!
Avatar billede lhawk Nybegynder
24. juli 2001 - 11:38 #6
Det må siges at være godt at du ikke kan finde den på andre :)
Avatar billede NanoQ Nybegynder
24. juli 2001 - 11:39 #7
Her var alligevel noget:
F-Secure Virus Descriptions


  Alphabetical Index
Select from the list Letter A Letter B Letter C Letter D Letter E Letter F Letter G Letter H Letter I Letter J Letter K Letter L Letter M Letter N Letter O Letter P Letter Q Letter R Letter S Letter T Letter U Letter V Letter W Letter X Letter Y Letter Z Number 1 Number 2 Number 3 Number 4 Number 5 Number 6 Number 7 Number 8 Number 9 Number 0 Other Latest 50

NAME: Sircam
ALIAS: I-Worm.Sircam, W32.Sircam, W32/SircCam

Sircam is a mass mailing e-mail worm with the ability of spreading through Windows Network shares. The worm\'s body is 137216 bytes long but when it comes as an e-mail attachment, it larger in size due to a document that is attached to its body.

When the worm runs on a clean system it copies itself to different locations with different names:

1. The worm copies itself as \'SirC32.exe\' to \\Recycled\\ folder. The default EXE file startup Registry key:



[HKCR\\exefile\\shell\\open\\command]

is changed to \'\"\"[windows_drive]\\recycled\\SirC32.exe\" \"%1\" %*\"\'. This is done to activate a worm\'s copy every time an EXE file is started.

2. The worm copies itself as \'SCam32.exe\' in the System directory. The worm then creates a startup key for this file in the Registry to be started during all Windows sessions:



[HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]
\"Driver32\" = \"<windows_system_dir_name>\\SCam32.exe\"

3. The worm copies itself as \'rundll32.exe\' file to Windows directory. The original \'rundll32.exe\' file is renamed to \'run32.exe\'. This copy exists only if a computer got infected through a network share (see below).

4. Sometimes (once out of 33 cases) the worm places its copy to Windows directory with the \'ScMx32.exe\' name. In this case another copy of the worm is created in the current user\'s personal startup folder as \'Microsoft Internet Office.exe\'. This copy will be started when a user who got infected logs into a system.

When a Sircam-infected e-mail attachment is opened it shows the document it picked up from the sender machine\'s. The file is displayed with the appropiate program according to it\'s extension:



\'.DOC\': WinWord.exe or WordPad.exe
\'.XLS\': Excel.exe
\'.ZIP\': winzip.exe

This effectively disguises the worm\'s activity. While the user is checking the document the system get infected (as described above).

The worm uses Windows Address Book to collect e-mail addresses (\'*.wab files). The worm also tries to look for e-mail addresses in \\Temporary Internet Files\\ folder (\'sho*\', \'get*\', \'hot*\', \'*.html\'). If a user has a working e-mail account the worm reads the its setting. Otherwise the \'[username]@prodigy.mx.net\' is used as the default sender\'s address and \'prodigy.net.mx\' is used for the SMTP server name.

The worm collects a list of files with certain extensions (\'.DOC\', \'.XLS\', \'.ZIP\') into fake DLL files named \'sc*.dll\'. The worm then sends itself out with one of the document files it found in a users\'s \'My Documents\' folder.

Messages sent by Sircam look like this:



From: [user@address]
To: [user@address]
Subject: [document name without extension]



Hi! How are you?



\'I send you this file in order to have your advice\'

or

\'I hope you can help me with this file that I send\'

or

\'I hope you like the file that I sendo you\'

or

\'This is the file with the information that you ask for\'



See you later. Thanks

If a system\'s language is set to Spanish the worm sends messages in Spanish:



Hola como estas ?



\'Te mando este archivo para que me des tu punto de vista\'

or

\'Espero me puedas ayudar con el archivo que te mando\'

or

\'Espero te guste este archivo que te mando\'

or

\'Este es el archivo con la informaci n que me pediste\'



Nos vemos pronto, gracias.

The attached file has the name of a picked document file with a double extension like \'.DOC.EXE\', \'.XLS.PIF\'. The \'.COM\', \'.BAT\', \'.PIF\' and \'.LNK\' are used as second (executable) extensions. Since the worm can pick any of the user\'s personal document it migh send out confidential information.

This worm also uses Windows network shares to spread. When doing this, it first enumerates all the network shares available to the infected computer. If there there is a writeable \\recycled\\ folder on a share, a copy of the worm is put to \\\\[share]\\recycled\\\' folder as \'SirCam32.exe\' file. The \\\\[share]\\autexec.bat file is appended with an extra line: \'@win \\recycled\\SirC32.exe\', so next time when an infected computer is rebooted the worm will be started. The worm also copies itself as \'rundll32.exe\' file to Windows directory of a remote system. The original \'rundll32.exe\' file is copied to \'run32.exe\' before that.

The worm has two payloads. On 16th of October in one case out of 20 it deletes everything from the drive where Windows is installed. On any other day in one of 50 cases it fills up the drive where Windows is installed. In this case it creates a file called \'<windows drive>:\\recycled\\sircam.sys\' and continuosly fills it with one of below given text strings until the hard drive space is consumed.



\'[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]\'

or



\'[SirCam Version 1.0 Copyright  2001 2rP  Made in / Hecho en
  - Cuitzeo, Michoacan Mexico]\'

Removal instructions:

If your system is infected with the worm first please download this REG file and install it (by double-clicking on it):

ftp://ftp.europe.f-secure.com/anti-virus/tools/sirc_dis.reg

This will remove the worm\'s reference from the EXE file startup key and the main worm\'s startup key in the Registry.

Warning! The system might become unusable if the worm\'s file is deleted without modifying the EXE file startup key first.

After that the system can be safely disinfected with FSAV. If for some reason the worm\'s file can\'t be deleted from Windows (locked file), then you have to exit to pure DOS and delete the worm\'s file manually or use a DOS-based scanner (F-Prot for DOS for example). All worm files has to be deleted or renamed.

If a workstation was infected trough a network share \'\\windows\\run32.exe\' has to be renamed back to \'\\windows\\rundll32.exe\' after disinfection.

The extra line in \'autoexec.bat\' file that starts the worm from \\recycled\\ folder should be removed also.

Network infection prevention:

If a network is infected and it is not possible to take it down to disinfect all workstations, the following method can prevent the worm from spreading to clean workstations:

In the \\Recycled\\ folder of a drive where Windows is installed, it is needed to create a dummy file with SIRC32.EXE name and read-only attribute.

[Analysis: Gergely Erdelyi, Alexey Podrezov; F-Secure Corp.; July 18-23, 2001]


NanoQ
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester