Win32:Sircam

Win32:Sircam is a mass-mailing worm that probably originated in Mexico. It is written in Delphi and is about 134 kB long. It sends itself, together with a randomly selected local file, to all users found in the Windows Address Book and to e-mail addresses found in temporary Internet cached files.

It arrives via an email message containing the following information:

Subject: [random filename]
Body: Hi! How are you?

I send you this file in order to have your advice or
I hope you can help me with this file that I send or
I hope you like the file that I sendo you or
This is the file with the information that you ask for

See you later. Thanks

If the local language is set to Spanish, the same message is sent out in Spanish.

The infected message contains an attachment with a double extension: the first extension is the same as that of the file appended behind the worm, and the second extension (hidden by default) is an executable one (EXE, COM, PIF, BAT or LNK). The worm itself is at the beginning of the attachment, with the additional random file appended at the end. When executed, the worm saves itself into the C:\RECYCLED directory and then restores the original of the additional file. It executes it (in the case of an EXE) or opens it with the associated application to hide its presence in the system. The worm then copies itself to the file C:\RECYCLED\SirC32.exe. It changes the registry so that it is executed whenever EXE files are run (similar to Win32:PrettyPark):
HKCR\exefile\shell\open\command Default="C:\Recycled\SirC32.exe" "%1" %*

The worm also creates a copy of itself in the C:\Windows\System directory under the name SCam32.exe and adds a registry value so that it is loaded automatically:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

Win32:Sircam then creates a list of the GIF, JPG, JPEG, MPEG, MOV, MPG, PDF, PNG, PS and ZIP files found in the My Documents folder and saves it to the file SCD.DLL in the system directory. It also gathers all e-mail addresses from the resources mentioned above and saves them to the file SCD1.DLL in the system directory.

The worm attaches a copy of a file listed in SCD.DLL to its own end and sends the resulting file to all e-mail addresses found. It uses its own SMTP routine to do this. The worm is also able to spread over the local area network via shared disks.

The worm also creates an additional registry key used to store some variables for itself:
HKLM\Software\Sircam

Removal:
We advise you to reboot the computer in Safe mode and to perform the following steps:

  • Copy file Regedit.exe to Regedit.com in the Windows directory.
  • Start program Regedit.com.
  • Find and select the following key: HKEY_CLASSES_ROOT\exefile\shell\open\command.
  • Double-click the (Default) value in the right panel.
  • Delete the current value data, and then type: "%1" %* (quote, percent, one, quote, space, percent, asterisk).
  • Find and select the following key: HKEY_LOCAL_MACHINE\Software\SirCam.
  • Delete the whole SirCam item.
  • Find and select the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
  • Delete the Driver32 item found there.
  • Start program Notepad.exe and open the file c:\autoexec.bat file.
  • If it contains the line @win \Recycled\sirc32.exe, delete this line.
  • Start the Avast32 program with the latest virus database. Delete all the infected files found.
  • If there is a file RUN32.EXE in the Windows folder, rename it back to RUNDLL32.EXE.
Any avast! with VPS file dated on or after 22nd July 2001 is able to detect this virus.
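The registry and autoexec.bat changes described above, and the values the removal steps restore, can be checked mechanically. The following is an added example written for this page (it is not Avast code): it takes a registry snapshot as a plain dictionary (key path to value-name/data map, as an administrator might export it), the lines of autoexec.bat, and attachment file names, and reports the indicators the description names. The exefile class key, the `"%1" %*` default and the sample values are taken from the text; the snapshot itself is constructed.

```python
import re

# Clean (Default) data for HKCR\exefile\shell\open\command, as restored by the removal steps.
CLEAN_EXE_COMMAND = '"%1" %*'
EXEC_EXTS = {"exe", "com", "pif", "bat", "lnk"}            # hidden second extension
DATA_EXTS = {"gif", "jpg", "jpeg", "mpeg", "mov", "mpg",  # file types listed in SCD.DLL
             "pdf", "png", "ps", "zip"}

def exe_command_hijack(value: str):
    """Return the program placed in front of "%1" %*, or None if the value is clean."""
    v = value.strip()
    if v == CLEAN_EXE_COMMAND:
        return None
    m = re.match(r'^"?([^"]+?)"?\s+"%1"\s+%\*$', v)
    return m.group(1) if m else v  # anything unparseable is reported whole

def double_extension_attachment(name: str) -> bool:
    """True for names like photo.jpg.pif: a data extension followed by an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DATA_EXTS and parts[2] in EXEC_EXTS

def sircam_findings(registry: dict, autoexec_lines) -> list:
    """registry maps key path -> {value name: data}; '' is the (Default) value."""
    findings = []
    cmd = registry.get(r"HKCR\exefile\shell\open\command", {}).get("", CLEAN_EXE_COMMAND)
    prog = exe_command_hijack(cmd)
    if prog:
        findings.append(f"exefile open command hijacked by {prog}")
    runsvc = registry.get(r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", {})
    if "Driver32" in runsvc:
        findings.append(f"RunServices\\Driver32 loads {runsvc['Driver32']}")
    if r"HKLM\Software\Sircam" in registry:
        findings.append("HKLM\\Software\\Sircam variable store present")
    for line in autoexec_lines:
        if re.search(r"\\recycled\\sirc32\.exe", line, re.IGNORECASE):
            findings.append(f"autoexec.bat starts the worm: {line.strip()}")
    return findings

# Constructed snapshot reproducing the values described in the text.
SAMPLE_REGISTRY = {
    r"HKCR\exefile\shell\open\command": {"": r'"C:\Recycled\SirC32.exe" "%1" %*'},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices":
        {"Driver32": r"C:\WINDOWS\SYSTEM\SCam32.exe"},
    r"HKLM\Software\Sircam": {},
}
SAMPLE_AUTOEXEC = ["@echo off", r"@win \Recycled\sirc32.exe"]

if __name__ == "__main__":
    for finding in sircam_findings(SAMPLE_REGISTRY, SAMPLE_AUTOEXEC):
        print(finding)
```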

Refer: Avast



Copyright © 2004-2004 All rights reserved.