
Warning: SirCam virus


Håkon Aarøen


Hi everyone!

This is a follow-up to the thread about "regnskap 94.xls.pif", but I consider it important enough that I am putting it up in the main topic list. This may be old news to many of you, but anyway. Here is some info about the SIRCAM virus.

W32/Sircam@mm

Description of the worm

This is a mass-mailing email worm. Once executed, it will make two initial copies of itself - one as <SYSTEM DIR>\SCam32.DLL and one in the \RECYCLED\SIrc32.EXE. It sends itself to all users in the Windows Address Book and to other addresses found in temporary internet files. It also searches for shared drives and copies itself to those that it finds and gets access to.

Mail

When the worm is received over email, it will normally appear as a file with double extension, like <filename>.doc.com, <filename>.xls.pif, etc. The last extension will be one of the following: COM, EXE, BAT, PIF, LNK.

The worm executable is really prepended to a document, spreadsheet, or zip file from an infected person. That file will be written to disk and opened when the worm is executed so it seems like the mail contained an innocent attachment. This functionality may cause sensitive user data to be sent out.

The subject line contains only the file name of the attached file. Depending on language versions, the message body will be in English or Spanish.

The message body is composed of several lines that are slightly randomly mixed.

Hi! How are you?

I hope you can help me with this file that I send

I send you this file in order to have your advice

I hope you like the file that I sendo you

This is the file with the information that you ask for

See you later. Thanks

Shared drives

As mentioned above, the worm copies itself over shared network drives as well. In those cases it copies the SIRC32.EXE file to the remote drive, and also, if possible, replaces the RUNDLL32.EXE on the remote machine with itself. The original RUNDLL32.EXE is copied to RUN32.EXE. The second time the worm gets executed it will copy the infected RUNDLL32.EXE to RUN32.EXE so the original copy of RUNDLL32.EXE will be overwritten with a SirCam-infected file. The original RUNDLL32.EXE will then have to be restored from a backup or from another computer. It may also copy itself to other file names. It may also attempt to add a reference to itself in the AUTOEXEC.BAT file.

Destructivity

This worm can be rather destructive. The destructive routine activates October 16th, and will in some cases delete all files on the C: drive.

In other words, this can spread documents, delete files and slow down your PC.

I got infected with this virus when I accidentally double-clicked the attachment. It looked as if everything was fine, since Windows did not recognize the file type and asked me about it. A false sense of security. To be on the safe side I checked with the antivirus program, and sure enough, the machine was infected.

At the link below you will find a program that simply checks and cleans the machine for this virus, as well as more detailed info about its characteristics!

Symantec: http://www.sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html

Regards, Håkon (who apologizes if this annoyed all the "computer scientists" on the forum who had heard about this long ago!)

[ 27-08-2001: Edited by: Håkon Aarøen ]
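
The mail traits in the quoted description (an attachment with a double extension ending in COM, EXE, BAT, PIF or LNK, and a subject that is just the attachment's file name) can be checked at a mail gateway. The following is an added example, not part of the original post or of any vendor tool; the function names are hypothetical and the sample messages are constructed with placeholder bytes.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Final extensions named in the description quoted in the post.
EXEC_EXTS = {".com", ".exe", ".bat", ".pif", ".lnk"}

def suspicious_attachments(raw_message: bytes):
    """Return [(filename, [reasons])] for attachments matching the description."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    findings = []
    for part in msg.iter_attachments():
        raw_name = part.get_filename()
        if not raw_name:
            continue
        name = PureWindowsPath(raw_name).name.strip()  # drop any path component
        suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
        # Require at least two extensions, the last one executable.
        if len(suffixes) < 2 or suffixes[-1] not in EXEC_EXTS:
            continue
        reasons = ["double extension ending in " + suffixes[-1]]
        # Assumption: the subject may carry the name with or without extensions.
        base = name[: len(name) - sum(len(s) for s in suffixes)].lower()
        if subject in (name.lower(), base):
            reasons.append("subject matches attachment name")
        findings.append((name, reasons))
    return findings

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message with harmless placeholder bytes as the attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Hi! How are you?")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in [("regnskap 94", "regnskap 94.xls.pif"), ("report", "report.xls")]:
        print(fn, "->", suspicious_attachments(build_sample(subj, fn)))
```

A match on the double extension alone is enough to quarantine; the subject match only raises confidence that the message fits this particular description.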
