Yes....yes it is

-----Original Message-----
From: Q-LABS TechLists [mailto:[EMAIL PROTECTED]] 
Sent: Friday, August 31, 2001 1:00 PM
To: NT System Admin Issues
Subject: Re: W32.Sircam.Worm@mm



> >
> >       W32.Sircam.Worm@mm
> >             Discovered on: July 17, 2001
> >             Last Updated on: August 21, 2001 at 03:13:03 PM PDT
> >
> >       Due to an increased rate of virus submissions, the Symantec AntiVirus
> >       Research Center (SARC) has upgraded W32.Sircam.Worm@mm from a level 3
> >       to a level 4 virus threat.
> >
> >       W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a
> >       manner similar to the W32.Magistr.Worm.
> >       Due to what appears to be a bug, this worm does not replicate under
> >       Windows NT or 2000.
> >
> >       SARC has created a tool to remove this worm.
> >
> >       CAUTION: In some cases, if you have had NAV quarantine or delete
> >       infected files, you will not be able to run .exe files, however you
> >       will still be able to run the removal tool.
> >
> >       To obtain the W32.Sircam.Worm@mm removal tool, please click here.
> >
> >       Also Known As: W32/SirCam@mm, Backdoor.SirCam
> >
> >       Type: Worm
> >
> >       Virus Definitions: July 17, 2001
> >
> >       Threat Assessment:
> >
> >             Wild: High
> >             Damage: Medium
> >             Distribution: High
> >
> >       Wild:
> >
> >         a.. Number of infections: More than 1000
> >         b.. Number of sites: More than 10
> >         c.. Geographical distribution: Medium
> >         d.. Threat containment: Moderate
> >         e.. Removal: Moderate
> >       Damage:
> >
> >         a.. Payload Trigger: 1) October 16th, or some attached file contents,
> >             triggers file deletion payload. 2) If the file deletion occurred,
> >             or after 8000 executions, triggers the space filler payload.
> >         b.. Payload:
> >           a.. Large scale e-mailing: The worm appends a random document from
> >               the infected PC to itself and sends this new file via email
> >           b.. Deletes files: 1 in 20 chance of deleting all files and
> >               directories on C:. Only occurs on systems where the date is
> >               October 16 and which are using D/M/Y as the date format. Always
> >               occurs if attached file contains "FA2" not followed by "sc".
> >           c.. Degrades performance: 1 in 50 chance of filling all remaining
> >               space on the C: drive by adding text to the file
> >               c:\recycled\sircam.sys
> >           d.. Releases confidential info: It will export a random document
> >               from the hard drive by appending it to the body of the worm
> >       Distribution:
> >
> >         a.. Subject of email: Random subject - the filename of the attachment
> >         b.. Name of attachment: A file from the sender's computer with the
> >             extension .bat, .com, .lnk, or .pif added to it.
> >         c.. Size of attachment: at least 134kb long
> >         d.. Shared drives: searches for shared drives and copies itself to
> >             those it finds
> >
> >       Technical description:
> >
> >       This worm arrives as an email message with the following content:
> >
> >       Subject: The subject of the email will be random, and will be the
> >       same as the file name of the email attachment.
> >       Attachment: The attachment is a file taken from the sender's computer
> >       and will have the extension .bat, .com, .lnk or .pif added to it.
> >       Message: The message body will be semi-random, but will always contain
> >       one of the following two lines (either English or Spanish) as the
> >       first and last sentences of the message.
> >
> >       Spanish Version:
> >       First line: Hola como estas ?
> >       Last line: Nos vemos pronto, gracias.
> >
> >       English Version:
> >       First line: Hi! How are you?
> >       Last line: See you later. Thanks
> >
> >       Between these two sentences, some of the following text may appear:
> >
> >       Spanish Version:
> >       Te mando este archivo para que me des tu punto de vista
> >       Espero me puedas ayudar con el archivo que te mando
> >       Espero te guste este archivo que te mando
> >       Este es el archivo con la información que me pediste
> >
> >       English Version:
> >       I send you this file in order to have your advice
> >       I hope you can help me with this file that I send
> >       I hope you like the file that I sendo you
> >       This is the file with the information that you ask for
> >
> >       When run, the worm performs the following actions:
> >
> >         1. It creates copies of itself as %TEMP%\<File name> and
> >            C:\Recycled\<file name>, which contain the attached document. This
> >            document is then run using the program registered to handle the
> >            specific file type. For example, if it is saved as a file with the
> >            .doc extension, it will run using Microsoft Word or Wordpad. A file
> >            with the .xls extension will open in Excel, and one with the .zip
> >            extension will open in your default zip program, such as WinZip.
> >
> >         NOTE: The term %TEMP% is the Temp variable, and means that the worm
> >         will save itself to the Windows Temp folder, whatever its location.
> >         The default is C:\Windows\Temp.
> >
> >         2. It copies itself to C:\Recycled\Sirc32.exe and %System%\Scam32.exe.
> >
> >         NOTE: %System% is also a variable. The worm will locate the \System
> >         folder (by default this is C:\Windows\System) and copy itself to that
> >         location.
> >
> >         3. It adds the value
> >
> >         Driver32=%System%\scam32.exe
> >
> >         to the following registry key:
> >
> >         HKEY_LOCAL_MACHINE\SOFTWARE\
> >         Microsoft\Windows\CurrentVersion\RunServices
> >
> >         4. It creates the following registry key:
> >
> >         HKEY_LOCAL_MACHINE\Software\SirCam
> >
> >         with the following values:
> >           a.. FB1B - Stores the file name of the worm as stored in the
> >               Recycled directory.
> >           b.. FB1BA - Stores the SMTP IP address.
> >           c.. FB1BB - Stores the email address of the sender.
> >           d.. FC0 - Stores the number of times the worm has executed.
> >           e.. FC1 - Stores what appears to be the version number of the worm.
> >           f.. FD1 - Stores the file name of the worm that has been executed,
> >               without the suffix.
> >           g.. FD3 - Stores a value corresponding to the current state of the
> >               worm.
> >           h.. FD7 - Stores the number of mails that have been sent prior to
> >               any interruption of this process.
> >
> >         5. The (Default) value of the registry key
> >
> >         HKEY_CLASSES_ROOT\exefile\shell\open\command
> >
> >         is set to
> >
> >         C:\recycled\sirc32.exe "%1" %*"
> >
> >         This enables the worm to execute itself any time that an .exe file is
> >         run.
> >
> >         6. The worm is network aware, and it will enumerate the network
> >            resources to infect shared systems. If any are found, it will do
> >            the following:
> >           a.. Attempt to copy itself to <Computer>\Recycled\Sirc32.exe
> >           b.. Add the line "@win \recycled\sirc32.exe" to the file
> >               <Computer>\Autoexec.bat
> >           c.. Copy <Computer>\Windows\Rundll32.exe to
> >               <Computer>\Windows\Run32.exe
> >           d.. Replace <Computer>\Windows\rundll32.exe with
> >               C:\Recycled\Sirc32.exe
> >
> >         7. There is a 1 in 33 chance that the following actions will occur:
> >           a.. The worm copies itself from C:\Recycled\Sirc32.exe to
> >               %Windows%\Scmx32.exe
> >           b.. The worm copies itself as "Microsoft Internet Office.exe" to
> >               the folder referred to by the registry key:
> >
> >           HKEY_CURRENT_USER\Software\Microsoft\
> >           Windows\CurrentVersion\Explorer\
> >           Shell Folders\Startup
> >
> >         8. There is a 1 in 20 chance that on October 16th of any year, the
> >            worm will recursively delete all files and folders on the C drive.
> >            This payload functions only on computers which use the date format
> >            D/M/Y (as opposed to M/D/Y or similar formats).
> >
> >         Additionally, the payload will always activate immediately,
> >         regardless of date and date format, if the file attached to the worm
> >         contains the sequence "FA2" without the letters "sc" following
> >         immediately.
> >
> >         9. If this payload activates, the file C:\Recycled\Sircam.sys is
> >            created and filled with text until there is no remaining disk
> >            space. The text is one of two strings:
> >           a.. [SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
> >           or
> >           b.. [SirCam Version 1.0 Copyright ¬ 2000 2rP Made in / Hecho en -
> >               Cuitzeo, Michoacan Mexico]
> >
> >         10. The worm contains its own SMTP engine which is used for the
> >             email routine. It obtains email addresses through two different
> >             methods:
> >
> >           a.. It searches the folders that are referred to by the registry
> >               keys
> >
> >           HKEY_CURRENT_USER\Software\Microsoft\
> >           Windows\CurrentVersion\Explorer\
> >           Shell Folders\Cache
> >
> >           and
> >
> >           HKEY_CURRENT_USER\Software\Microsoft\
> >           Windows\CurrentVersion\Explorer\
> >           Shell Folders\Personal
> >
> >           for sho*., get*., hot*., *.htm files, and copies email addresses
> >           from there into the file %system%\sc?1.dll
> >
> >           where ? is a different letter for each location, as follows:
> >
> >             a.. scy1.dll: addresses from %cache%\sho*., hot*., get*.
> >             b.. sch1.dll: addresses from %personal%\sho*., hot*., get*.
> >             c.. sci1.dll: addresses from %cache%\*.htm
> >             d.. sct1.dll: addresses from %personal%\*.htm
> >
> >           b.. It searches %system% and all subfolders for *.wab (all Windows
> >               Address Books) and copies addresses from there into
> >               %system%\scw1.dll.
> >
> >         11. It searches the folders referred to by the registry keys:
> >
> >         HKEY_CURRENT_USER\Software\Microsoft\
> >         Windows\CurrentVersion\Explorer\
> >         Shell Folders\Personal
> >
> >         and
> >
> >         HKEY_CURRENT_USER\Software\Microsoft\
> >         Windows\CurrentVersion\Explorer\
> >         Shell Folders\Desktop
> >
> >         for files of type .doc, .xls, and .zip, and stores the filenames in
> >         %system%\scd.dll. One of these files will be appended to the worm's
> >         original executable and this new file will be sent as the email
> >         attachment.
> >
> >         The From: email address and mail server are taken from the registry.
> >         If no email account exists, then the current user name will be
> >         prepended to "prodigy.net.mx", e.g. if the current user logged on as
> >         JSmith, then the address will be "[EMAIL PROTECTED]". Then the worm
> >         will attempt to connect to a mail server. This will be either the
> >         mail server taken from the registry, or one of
> >
> >             a.. prodigy.net.mx
> >             b.. goeke.net
> >             c.. enlace.net
> >             d.. dobleclick.com.mx
> >
> >         The language used for the mail depends on the language used by the
> >         sender. If the sender uses Spanish, then the mail will be in Spanish,
> >         otherwise it will be in English. The attachment is chosen randomly
> >         from the list of files in the scd.dll.
> >
> >       Removal instructions:
> >
> >       SARC has created a tool to remove this worm.
> >
> >       CAUTION:
> >
> >         a.. In some cases, if you have had NAV quarantine or delete infected
> >             files, you will not be able to run .exe files, however you will
> >             still be able to run the removal tool.
> >         b.. If you are using Windows Me, and a copy of the worm is detected
> >             in the _Restore folder when running the tool, the tool cannot
> >             remove it from that folder, as it is protected by Windows. See
> >             the document Cannot repair, quarantine, or delete a virus found
> >             in the _RESTORE folder, and then run the tool again.
> >         c.. If you are on a network, or have a full time connection to the
> >             Internet, disconnect the computer from the network and the
> >             Internet. Disable or password protect file sharing before
> >             reconnecting computers to the network or to the internet.
> >             Because this worm spreads by using shared folders on networked
> >             computers, to ensure that the worm does not reinfect the
> >             computer after it has been removed, Symantec suggests sharing
> >             with read-only access or using password protection. For
> >             instructions on how to do this, see your Windows documentation
> >             or the document How to configure shared Windows folders for
> >             maximum network protection.
> >
> >         IMPORTANT: Do not skip this step. You must disconnect from the
> >         network before attempting to remove this worm.
> >
> >         d.. If a computer was infected more than once, as can happen when
> >             using shared folders across a network, the Run32.exe file will
> >             have been overwritten with an infected copy of the Rundll32.exe.
> >             If you see more than one entry of "@win \recycled\sirc32.exe"
> >             when performing the steps in the section "To edit the
> >             Autoexec.bat file", do not attempt to rename the file. Instead,
> >             you must delete the Run32.exe and the Rundll32.exe files and
> >             then extract a new copy of Rundll32.exe from a clean back up or
> >             from the Windows installation CD. See your Windows documentation
> >             for information on how to do this.
> >
> >       To obtain the W32.Sircam.Worm@mm removal tool, please click here.
> >
> >       Manual Removal
> >       If for any reason you cannot use or obtain the W32.Sircam.Worm@mm
> >       removal tool, you must remove this worm manually. To do this, you
> >       must:
> >
> >         a.. Undo the change that it made to the registry key
> >             HKEY_CLASSES_ROOT\exefile\shell\open\command
> >         b.. Delete any files detected as W32.Sircam.Worm@mm.
> >         c.. Use Windows Explorer to remove Sircam.sys (if it exists) from
> >             the Windows Recycle Bin.
> >         d.. Remove the entry (if it exists) that the worm made to the file
> >             Autoexec.bat. (This will only be present if the worm has spread
> >             across a network.)
> >         e.. If the file \Windows\Run32.exe exists, rename it back to
> >             \Windows\Rundll32.exe
> >       See the sections that follow for detailed instructions.
> >
> >       NOTE: If you are on a network, or have a full time connection to the
> >       Internet, disconnect the computer from the network and the Internet.
> >       Follow the removal procedure on all computers, including the server.
> >       Disable or password protect file sharing before reconnecting computers
> >       to the network or to the internet.
> >
> >       CAUTION: Do not skip this step. You must disconnect from the network
> >       before attempting to remove this worm.
> >
> >       To edit the registry:
> >       The worm modifies the registry such that an infected file is executed
> >       every time that you run a .exe file. Follow these instructions to fix
> >       this.
> >
> >       Copy Regedit.exe to Regedit.com:
> >       Because the worm modified the registry so that you cannot run .exe
> >       files, you must first make a copy of the Registry Editor as a file
> >       with the .com extension, and then run that.
> >
> >         1. Do one of the following, depending on which operating system you
> >            are running:
> >           a.. Windows 95/98 users: Click Start, point to Programs, and click
> >               MS-DOS Prompt.
> >           b.. Windows ME users: Click Start, point to Programs, point to
> >               Accessories, and then click MS-DOS Prompt.
> >           c.. Windows NT/2000 users:
> >             1. Click Start, and click Run.
> >             2. Click Browse, and browse to the \Winnt folder.
> >             3. Double-click the Command.com file, and then click OK.
> >
> >         2. Type the following and then press Enter:
> >
> >         copy regedit.exe regedit.com
> >
> >         3. Type the following and then press Enter:
> >
> >         start regedit.com
> >
> >         4. Proceed to the section "To edit the registry and remove keys and
> >            changes made by the worm" only after you have accomplished the
> >            previous steps.
> >
> >       NOTE: This will open the Registry Editor in front of the DOS window.
> >       After you finish editing the registry and have closed Registry Editor,
> >       close the DOS window.
> >
> >       To edit the registry and remove keys and changes made by the worm:
> >
> >       CAUTION: We strongly recommend that you back up the system registry
> >       before making any changes. Incorrect changes to the registry can
> >       result in permanent data loss or corrupted files. Please make sure you
> >       modify only the keys specified in this document. For more information
> >       about how to back up the registry, please read How to back up the
> >       Windows registry before proceeding with the following steps. If you
> >       are concerned that you cannot follow these steps correctly, then
> >       please do not proceed. Consult a computer technician for more
> >       information.
> >
> >         1. Navigate to and select the following key:
> >
> >         HKEY_CLASSES_ROOT\exefile\shell\open\command
> >
> >         CAUTION: The HKEY_CLASSES_ROOT key contains many subkey entries that
> >         refer to other file extensions. One of these file extensions is
> >         .exe. Changing this extension can prevent any files ending with an
> >         .exe extension from running. Make sure you browse all the way along
> >         this path until you reach the \command subkey.
> >         Do not modify the HKEY_CLASSES_ROOT\.exe key.
> >         Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey
> >         that is shown in the following figure:
> >
> >          <<=== NOTE: This is the key that you need to modify.
> >
> >         2. Double-click the (Default) value in the right pane.
> >         3. Delete the current value data, and then type: "%1" %*
> >            (That is, type the following characters:
> >            quote-percent-one-quote-space-percent-asterisk.)
> >
> >         NOTE: On Win9x and WinNT systems, the Registry Editor will
> >         automatically enclose the value within quotation marks. When you
> >         click OK, the (Default) value should look exactly like this:
> >         ""%1" %*" On Win2k systems, the additional quotation marks will not
> >         appear. On Win2k systems, the (Default) value should look exactly
> >         like this: "%1" %*
> >
> >         4. Make sure you completely delete all value data in the command
> >            key prior to typing the correct data. If a space is left
> >            accidentally at the beginning of the entry, any attempt to run
> >            program files will result in the error message, "Windows cannot
> >            find .exe." or "Cannot locate C:\ <path and file name>."
> >         5. Navigate to and select the following key:
> >
> >         HKEY_LOCAL_MACHINE\Software\SirCam
> >
> >         CAUTION: Make sure that you go all the way down to the SirCam key,
> >         and that it is selected. It will look similar to the following
> >         figure:
> >
> >         6. With the SirCam key selected, press Delete and then click Yes to
> >            confirm. This will delete the key and all of its subkeys. Since
> >            this key was created by the worm it can be safely deleted.
> >         7. Navigate to and select the following key:
> >
> >         HKEY_LOCAL_MACHINE\Software\
> >         Microsoft\Windows\CurrentVersion\RunServices
> >
> >         8. In the right pane, look for and select the value
> >
> >         Driver32.
> >
> >         9. Press Delete, and then click Yes to confirm.
> >
> >       To remove the worm:
> >         1. Run LiveUpdate to make sure that you have the most recent virus
> >            definitions.
> >         2. Start Norton AntiVirus (NAV), and run a full system scan, making
> >            sure that NAV is set to scan all files.
> >         3. Delete any files detected as W32.Sircam.Worm@mm.
> >
> >         NOTE: If you are using Windows Me, and a copy of the worm is
> >         detected in the _Restore folder, NAV cannot remove it from that
> >         folder, as it is protected by Windows. See the document Cannot
> >         repair, quarantine, or delete a virus found in the _RESTORE folder.
> >
> >       To empty the Recycle Bin:
> >       Because of the way that files are placed there in this case, you
> >       cannot just click Empty Recycle Bin as you would with files that are
> >       deleted in the normal manner. Instead, use Windows Explorer to delete
> >       the file C:\Recycled\Sircam.sys if it is present.
> >
> >       To edit the Autoexec.bat file:
> >         1. Click Start, and click Run.
> >         2. Type the following, and then click OK.
> >
> >         edit c:\autoexec.bat
> >
> >         The MS-DOS Editor opens.
> >
> >         3. Remove the line "@win \recycled\sirc32.exe" if it is present.
> >
> >         CAUTION: If you see more than one entry of "@win
> >         \recycled\sirc32.exe" in the Autoexec.bat file, it means that the
> >         computer was infected more than once. Because of this, the Run32.exe
> >         file will have been overwritten with an infected copy of the
> >         Rundll32.exe. As a result, you will not be able to rename the file
> >         to recover it as directed in the next section.
> >
> >         4. Click File and then click Save.
> >         5. Exit the MS-DOS Editor
> >
> >       To rename the Run32.exe file:
> >       If this file exists, it should be renamed back to its original name.
> >
> >       CAUTION: If a computer was infected more than once, as can happen when
> >       using shared folders across a network, the Run32.exe file will have
> >       been overwritten with an infected copy of the Rundll32.exe. If you saw
> >       more than one entry of "@win \recycled\sirc32.exe" when performing the
> >       steps in the previous section, do not attempt to rename the file.
> >       Instead, you must delete the Run32.exe and the Rundll32.exe files and
> >       then extract a new copy of Rundll32.exe from a clean back up or from
> >       the Windows installation CD. See your Windows documentation for
> >       information on how to do this.
> >
> >         1. Click Start, point to Find or Search, and then click Files or
> >            Folders.
> >         2. Make sure that "Look in" is set to (C:) and that Include
> >            subfolders is checked.
> >         3. In the "Named" or "Search for..." box, type--or copy and
> >            paste--the following file names:
> >
> >         run32.exe
> >
> >         4. Click Find Now or Search Now.
> >         5. Right-click the Run32.exe file and then click Rename.
> >         6. Rename it to:
> >
> >         rundll32.exe
> >
> >         7. Press Enter.
> >
> >       Additional information:
> >
> >       Configure Windows for maximum protection
> >       Because this virus spreads by using shared folders on networked
> >       computers, to ensure that the virus does not reinfect the computer
> >       after it has been removed, Symantec suggests sharing with read-only
> >       access or using password protection. For instructions on how to do
> >       this, see your Windows documentation or the document How to configure
> >       shared Windows folders for maximum network protection.
> >
> >       Write-up by: Peter Ferrie and Peter Szor
> >
>
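Added example (my own code, not part of the list post or of Symantec's write-up): a small Python checker that takes the registry values and the Autoexec.bat contents an admin has already collected (or reads them live through winreg on Windows) and reports which of the indicators quoted above are present. It also handles the two cases the write-up singles out: the stray leading space that breaks every .exe launch after a manual registry repair, and more than one "@win" entry in Autoexec.bat, which means Run32.exe is already an infected copy and must not be renamed back. The dict layout, function names and the sample data are my own constructions; the key paths, value names and strings are the ones the write-up quotes.

```python
import sys
from typing import Dict, List

# Registry paths and strings exactly as quoted in the write-up.
EXEFILE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"

# Clean (Default) data for the exefile command: Win2k shows "%1" %*,
# Win9x/NT regedit shows the same value wrapped in one extra pair of quotes.
CLEAN_EXEFILE_COMMANDS = {'"%1" %*', '""%1" %*"'}

# Constructed layout (my assumption): key path -> {value name: data}; "" is (Default).
Registry = Dict[str, Dict[str, str]]


def check_exefile_command(data: str) -> List[str]:
    """Flag a hijacked or badly repaired HKCR\\exefile\\shell\\open\\command value."""
    findings: List[str] = []
    if data.strip() in CLEAN_EXEFILE_COMMANDS:
        if data != data.strip():
            # Write-up, registry step 4: a stray leading space makes every .exe launch fail.
            findings.append("exefile command has stray whitespace; retype it with no leading space")
        return findings
    if "sirc32.exe" in data.lower():
        findings.append("exefile command hijacked by Sircam: " + data)
    else:
        findings.append("exefile command is not the default value: " + data)
    return findings


def count_autoexec_entries(autoexec_text: str) -> int:
    """Number of '@win \\recycled\\sirc32.exe' lines the worm added to Autoexec.bat."""
    return sum(1 for line in autoexec_text.splitlines()
               if line.strip().lower() == AUTOEXEC_LINE)


def audit(registry: Registry, autoexec_text: str) -> List[str]:
    """Return the findings; an empty list means none of the write-up's indicators were seen."""
    findings = check_exefile_command(registry.get(EXEFILE_COMMAND_KEY, {}).get("", ""))

    driver32 = registry.get(RUNSERVICES_KEY, {}).get("Driver32")
    if driver32 is not None and driver32.lower().endswith("scam32.exe"):
        findings.append("RunServices Driver32 value starts the worm: " + driver32)

    if SIRCAM_KEY in registry:
        findings.append("worm state key present: " + SIRCAM_KEY)

    n = count_autoexec_entries(autoexec_text)
    if n == 1:
        findings.append("Autoexec.bat entry present: worm arrived over a shared folder; "
                        "remove the line and rename Run32.exe back to Rundll32.exe")
    elif n > 1:
        findings.append(f"{n} Autoexec.bat entries: infected more than once, Run32.exe is already an "
                        "infected copy; delete Run32.exe and Rundll32.exe and restore Rundll32.exe "
                        "from clean media")
    return findings


def read_live_registry() -> Registry:
    """Windows only: read the three keys above with winreg into the dict shape audit() expects."""
    import winreg  # standard library on Windows
    reg: Registry = {}
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as k:
        reg[EXEFILE_COMMAND_KEY] = {"": winreg.QueryValueEx(k, "")[0]}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices") as k:
            reg[RUNSERVICES_KEY] = {"Driver32": winreg.QueryValueEx(k, "Driver32")[0]}
    except OSError:
        pass  # key or value absent
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\SirCam"):
            reg[SIRCAM_KEY] = {}
    except OSError:
        pass
    return reg


# Constructed sample of an infected machine (not captured data), built from the write-up.
SAMPLE_INFECTED: Registry = {
    EXEFILE_COMMAND_KEY: {"": r'C:\recycled\sirc32.exe "%1" %*"'},   # as quoted in step 5
    RUNSERVICES_KEY: {"Driver32": r"C:\WINDOWS\SYSTEM\scam32.exe"},
    SIRCAM_KEY: {"FC0": "12"},
}
SAMPLE_AUTOEXEC = "@echo off\n@win \\recycled\\sirc32.exe\n@win \\recycled\\sirc32.exe\n"
SAMPLE_CLEAN: Registry = {EXEFILE_COMMAND_KEY: {"": '"%1" %*'}}

if __name__ == "__main__":
    if sys.platform == "win32":
        reg = read_live_registry()
        try:
            with open(r"C:\autoexec.bat", encoding="latin-1") as fh:
                autoexec = fh.read()
        except OSError:
            autoexec = ""
    else:
        reg, autoexec = SAMPLE_INFECTED, SAMPLE_AUTOEXEC  # offline demo
    for finding in audit(reg, autoexec) or ["no Sircam indicators found"]:
        print("-", finding)
```

The checker is read-only by design: it tells you which of the write-up's manual steps still apply to a given machine, and it distinguishes the single-entry case (rename Run32.exe back) from the multiple-entry case (restore Rundll32.exe from clean media) so the wrong recovery step is not taken.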

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
