Dear Uncle, Mak Sjamsir and all my kin,

The mail that my uncle received was indeed that virus. I too have received it several times, from different senders and with different subjects, but the contents are always the same: Hi! How are you? I send you this file in order to have your advice See you later. Later I got a reply from the person concerned, which I copy here:

-----Original Message-----
From: Hendry Agus [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 23, 2001 7:11 AM
To: Elthaf
Subject: virus

Dear friends,

My computer was recently infected by a virus called WIN32 HOAX - SIRCAM A. This particular virus will send an e-mail to random addresses with a random attachment taken from the "my documents" folder. This virus is actually smart enough to check your e-mail list while you're using web based e-mail. You may or may not be a friend of mine, and just happen to be unfortunate enough to receive the e-mail. I suffered this same headache because I received an e-mail from a friend, and didn't realize it till another week. So, I'm terribly sorry for any trouble I caused.

Sincerely,
Hendry Agus

-----Original Message-----
From: Erizal Syamsir [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 28, 2001 4:59 PM
To: '[EMAIL PROTECTED]'
Subject: [RantauNet] Info.

Assalamu'alaikum WW,

If anyone receives a message like this: Hi! How are you? I send you this file in order to have your advice See you later. Please just delete it, because for the past 4 days I have been receiving it often. At first I did not know, but after my Uda (elder brother) on Banuanet@ told me, I learned that this is one of those viruses. So it was not Ni Ben who sent it to Mak Sati.

Wass,
Erizal Syamsir

-----Original Message-----
From: Sjamsir Alam [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 28, 2001 3:28 PM
To: RANTAUNET
Subject: [RantauNet] ULEK BULU

To all my kinsfolk and nephews and nieces at the lapau,

Just now I received a posting from the Krikil news mailing list about a dangerous ulek bulu (hairy caterpillar).
Yesterday I received a posting (supposedly) from Ben, just like the one described in that Krikil posting, and I replied right away. But there was no reply from Ben. Along with this posting I am informing Ben at his correct e-mail address. I am quite sure that my nephew's computer has become a nest for this caterpillar. Here is a copy of the posting I received from Ben:

===================================
----- Original Message -----
From: "Nurbaini" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 26, 2001 2:44 PM
Subject: Ben-Uni Dar2

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
======================================================

There was a file attachment, which of course I did not open. After replying, I deleted it completely, all the way through the "deleted items" folder. Below I also copy the Krikil posting I received just now. It matches the fake posting from Ben very closely. Do read it.

=======================================================

An example of a message carrying this virus is given below (after the --------- line).

Smart Virus SirCam Spreads Private Documents by E-mail
Reporter: Iwan Arif

detikcom - Jakarta, The W32/SirCam.Worm@mm worm has spread as far as the Asia Pacific, Indonesia not excepted. So reports the antivirus company Symantec, Saturday (21/7/2001). This worm attaches itself to a Microsoft Word document taken at random from the victim's computer. The combined virus and random document is then sent to every e-mail address found in the Outlook address book, without the victim's knowledge.
According to Symantec, besides being able to expose important confidential documents, this virus can also delete some files and degrade PC performance. If you have been infected with this virus, you should clean the computer as quickly as possible. The reason: on 16 October this virus is believed to have a special agenda, such as mysterious internet connections (upload and download) along with other dangerous activity. According to computer security consultants, there is a 1:20 chance that this virus will delete every file in your hard disk directory. There is also a 1:33 chance that the virus will fill the empty space on the hard disk by appending text to c:\recycled\sircam.sys every time you start up. It is not explained in detail why the virus's special activity works on a system of odds.

Unfortunately, the virus is hard to detect from the look of the e-mail message alone. The subject line can vary, depending on the title of whichever Word document was stolen from the computer of the sender who was the previous victim. You might get an e-mail titled laporan_keuangan_medan, skripsi, or anything at all. Deceptive, isn't it? It is a good idea to download an antivirus update right away if your computer does not yet seem able to detect this virus. Symantec explained that after the virus was reported to be active, their servers saw a rise in download traffic for antivirus updates. Symantec even raised the virus's threat level from level 3 to level 4 because of the worrying pace of its spread. (iam)

-----------------------------------------------------
Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
-----------------------------------------------------

In the original message there is an Excel or MS Word file attachment, and its extension is sometimes changed, e.g. satu.xls >>> satu.xls.pif. If you receive an e-mail with a message like the one above (from anyone, including a very well-known friend), never open the attachment. To be safer, just delete it straight away, and if you can, tell the sender that they are infected with the virus.

http:[EMAIL PROTECTED]

W32.Sircam.Worm@mm
Discovered on: July 17, 2001
Last Updated on: July 25, 2001 at 07:10:42 AM PDT

Due to an increased rate of virus submissions, the Symantec AntiVirus Research Center (SARC) has upgraded W32.Sircam.Worm@mm from a level 3 to a level 4 virus threat. W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm. Due to what appears to be a bug, this worm does not replicate under Windows NT or 2000.

SARC has created a tool to remove this worm.

CAUTION: In some cases, if you have had NAV quarantine or delete infected files, you will not be able to run .exe files; however, you will still be able to run the removal tool.

To obtain the W32.Sircam.Worm@mm removal tool, please click here: http:[EMAIL PROTECTED] tml

Also Known As: W32/SirCam@mm, Backdoor.SirCam
Type: Worm
Virus Definitions: July 17, 2001

Threat Assessment:
Wild: High
Damage: Medium
Distribution: High

Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Moderate
Removal: Moderate

Damage:
Payload Trigger:
1) October 16th, or some attached file contents, triggers the file deletion payload.
2) If the file deletion occurred, or after 8000 executions, triggers the space filler payload.
Payload:
Large scale e-mailing: The worm appends a random document from the infected PC to itself and sends this new file via email.
Deletes files: 1 in 20 chance of deleting all files and directories on C:. Only occurs on systems where the date is October 16 and which are using D/M/Y as the date format. Always occurs if the attached file contains "FS2" not followed by "sc".
Degrades performance: 1 in 50 chance of filling all remaining space on the C: drive by adding text to the file c:\recycled\sircam.sys
Releases confidential info: It will export a random document from the hard drive by appending it to the body of the worm.

Distribution:
Subject of email: Random subject - the filename of the attachment
Name of attachment: A file from the sender's computer with the extension .bat, .com, .lnk, or .pif added to it.
Size of attachment: at least 134kb long
Shared drives: searches for shared drives and copies itself to those it finds

Technical description:

This worm arrives as an email message with the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the email attachment.

Attachment: The attachment is a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.

Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.

English Version:
First line: Hi! How are you?
Last line: See you later. Thanks

Between these two sentences, some of the following text may appear:

Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste

English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

When run, the worm performs the following actions:

1. It creates copies of itself as %TEMP%\<File name> and C:\Recycled\<file name>, which contain the attached document.
This document is then run using the program registered to handle the specific file type. For example, if it is saved as a file with the .doc extension, it will run using Microsoft Word or Wordpad. A file with the .xls extension will open in Excel, and one with the .zip extension will open in your default zip program, such as WinZip.

NOTE: The term %TEMP% is the Temp variable, and means that the worm will save itself to the Windows Temp folder, whatever its location. The default is C:\Windows\Temp.

2. It copies itself to C:\Recycled\Sirc32.exe and %System%\Scam32.exe.

NOTE: %System% is also a variable. The worm will locate the \System folder (by default this is C:\Windows\System) and copy itself to that location.

3. It adds the value
Driver32=%System%\scam32.exe
to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

4. It creates the following registry key:
HKEY_LOCAL_MACHINE\Software\SirCam
with the following values:
FB1B - Stores the file name of the worm as stored in the Recycled directory.
FB1BA - Stores the SMTP IP address.
FB1BB - Stores the email address of the sender.
FC0 - Stores the number of times the worm has executed.
FC1 - Stores what appears to be the version number of the worm.
FD1 - Stores the file name of the worm that has been executed, without the suffix.

5. The (Default) value of the registry key
HKEY_CLASSES_ROOT\exefile\shell\open\command
is set to
C:\recycled\sirc32.exe "%1" %*"
This enables the worm to execute itself any time that an .exe file is run.

6. The worm is network aware, and it will enumerate the network resources to infect shared systems. If any are found, it will do the following:
Attempt to copy itself to <Computer>\Recycled\Sirc32.exe
Add the line "@win \recycled\sirc32.exe" to the file <Computer>\Autoexec.bat
Copy <Computer>\Windows\Rundll32.exe to <Computer>\Windows\Run32.exe
Replace <Computer>\Windows\rundll32.exe with C:\Recycled\Sirc32.exe

7. There is a 1 in 33 chance that the following actions will occur:
The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe
The worm copies itself as "Microsoft Internet Office.exe" to the folder referred to by the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

8. There is a 1 in 20 chance that on October 16th of any year, the worm will recursively delete all files and folders on the C drive. This payload functions only on computers which use the date format D/M/Y (as opposed to M/D/Y or similar formats). Additionally, the payload will always activate immediately, regardless of date and date format, if the file attached to the worm contains the sequence "FA2" without the letters "sc" following immediately.

9. If this payload activates, the file C:\Recycled\Sircam.sys is created and filled with text until there is no remaining disk space. The text is one of two strings:
[SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
or
[SirCam Version 1.0 Copyright ¬ 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

10. The worm contains its own SMTP engine which is used for the email routine. It obtains email addresses through two different methods:
It searches the folders that are referred to by the registry keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
for sho*., get*., hot*., *.htm files, and copies email addresses from there into the file %system%\sc?1.dll, where ? is a different letter for each location, as follows:
scy1.dll: addresses from %cache%\sho*., hot*., get*.
sch1.dll: addresses from %personal%\sho*., hot*., get*.
sci1.dll: addresses from %cache%\*.htm
sct1.dll: addresses from %personal%\*.htm
It searches %system% and all subfolders for *.wab (all Windows Address Books) and copies addresses from there into %system%\scw1.dll.

11. It searches the folders referred to by the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
for files of type .doc, .xls, and .zip, and stores the filenames in %system%\scd.dll. One of these files will be appended to the worm's original executable and this new file will be sent as the email attachment.

The From: email address and mail server are taken from the registry. If no email account exists, then the current user name will be prepended to "prodigy.net.mx", e.g. if the current user logged on as JSmith, then the address will be "[EMAIL PROTECTED]". Then the worm will attempt to connect to a mail server. This will be either the mail server taken from the registry, or one of
prodigy.net.mx
goeke.net
enlace.net
dobleclick.com.mx

The language used for the mail depends on the language used by the sender. If the sender uses Spanish, then the mail will be in Spanish, otherwise it will be in English. The attachment is chosen randomly from the list of files in the scd.dll.

Removal instructions:

SARC has created a tool to remove this worm.

CAUTION: In some cases, if you have had NAV quarantine or delete infected files, you will not be able to run .exe files; however, you will still be able to run the removal tool. If you are using Windows Me, and a copy of the worm is detected in the _Restore folder when running the tool, the tool cannot remove it from that folder, as it is protected by Windows. See the document Cannot repair, quarantine, or delete a virus found in the _RESTORE folder, and then run the tool again.

To obtain the W32.Sircam.Worm@mm removal tool, please click here: http:[EMAIL PROTECTED] tml

Manual Removal

If for any reason you cannot use or obtain the W32.Sircam.Worm@mm removal tool, you must remove this worm manually.
To do this, you must:
Undo the change that it made to the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command
Delete any files detected as W32.Sircam.Worm@mm.
Use Windows Explorer to remove Sircam.sys (if it exists) from the Windows Recycle Bin.
Remove the entry (if it exists) that the worm made to the file Autoexec.bat. (This will only be present if the worm has spread across a network.)
See the sections that follow for detailed instructions.

NOTE: If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Follow the removal procedure on all computers, including the server. Disable or password protect file sharing before reconnecting computers to the network or to the internet.

To edit the registry:

The worm modifies the registry such that an infected file is executed every time that you run a .exe file. Follow these instructions to fix this.

Copy Regedit.exe to Regedit.com:

Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension, and then run that.

1. Do one of the following, depending on which operating system you are running:
Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt.
Windows ME users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
Windows NT/2000 users:
   1. Click Start, and click Run.
   2. Click Browse, and browse to the \Winnt folder.
   3. Double-click the Command.com file, and then click OK.
2. Type the following and then press Enter:
copy regedit.exe regedit.com
3. Type the following and then press Enter:
start regedit.com
4. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps.

NOTE: This will open the Registry Editor in front of the DOS window.
After you finish editing the registry and have closed Registry Editor, close the DOS window.

To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.

1. Navigate to and select the following key:
HKEY_CLASSES_ROOT\exefile\shell\open\command

CAUTION: The HKEY_CLASSES_ROOT key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey. Do not modify the HKEY_CLASSES_ROOT\.exe key. Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey that is shown in the following figure:
[figure not reproduced: Registry Editor with HKEY_CLASSES_ROOT\exefile\shell\open\command selected] <<=== NOTE: This is the key that you need to modify.

2. Double-click the (Default) value in the right pane.

3. Delete the current value data, and then type:
"%1" %*
(That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this:
""%1" %*"

4. Make sure you completely delete all value data in the command key prior to typing the correct data. If a space is left accidentally at the beginning of the entry, any attempt to run program files will result in the error message "Windows cannot find .exe." or "Cannot locate C:\ <path and file name>."

5. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\SirCam

CAUTION: Make sure that you go all the way down to the SirCam key, and that it is selected. It will look similar to the following figure:
[figure not reproduced: Registry Editor with HKEY_LOCAL_MACHINE\Software\SirCam selected]

6. With the SirCam key selected, press Delete and then click Yes to confirm. This will delete the key and all of its subkeys. Since this key was created by the worm it can be safely deleted.

7. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

8. In the right pane, look for and select the value Driver32.

9. Press Delete, and then click Yes to confirm.

To remove the worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Sircam.Worm@mm.

NOTE: If you are using Windows Me, and a copy of the worm is detected in the _Restore folder, NAV cannot remove it from that folder, as it is protected by Windows. See the document Cannot repair, quarantine, or delete a virus found in the _RESTORE folder.

To empty the Recycle Bin:

Because of the way that files are placed there in this case, you cannot just click Empty Recycle Bin as you would with files that are deleted in the normal manner. Instead, use Windows Explorer to delete the file C:\Recycled\Sircam.sys if it is present.

To edit the Autoexec.bat file:

1. Click Start, and click Run.
2. Type the following, and then click OK.
edit c:\autoexec.bat
The MS-DOS Editor opens.
3. Remove the line "@win \recycled\sirc32.exe" if it is present.
4. Click File and then click Save.
5. Exit the MS-DOS Editor.

Additional information:

Configure Windows for maximum protection

Because this virus spreads by using shared folders on networked computers, to ensure that the virus does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.

Write-up by: Peter Ferrie and Peter Szor

RantauNet http://www.rantaunet.com
Enter your membership details at http://www.rantaunet.com/register.php3
===============================================
Subscribe to or unsubscribe from the RantauNet Mailing List at http://www.rantaunet.com/subscribe.php3
OR send an e-mail To: [EMAIL PROTECTED]
In the message body, type on the first line:
-to subscribe--> subscribe rantau-net [email_anda]
-to unsubscribe----> unsubscribe rantau-net [email_anda]
Note: [email_anda] = enter your e-mail address without the brackets
===============================================
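The Symantec write-up quoted in the thread gives a defender two things to check: the fixed shape of the worm's mail (the opening and closing sentences, the document name with a second .bat/.com/.lnk/.pif extension, the subject repeating the file name) and a host-side removal checklist (the hijacked exefile command, the SirCam key, the Driver32 value under RunServices, the Autoexec.bat line). The Python below is an added example, not code from the thread or from Symantec: it applies both checks to constructed sample data. The registry is represented as a plain dict of key path to value map (an assumed layout you would fill from a .reg export), the sample data is made up, and the function names are my own.

```python
"""Added example: checks for the W32.Sircam.Worm@mm indicators named in the
write-up above. Nothing here touches a live registry or mailbox: the
registry view is a plain dict {key path: {value name: data}} (assumed
layout), and every input is constructed sample data."""
import re

# Fixed first/last sentences of the worm's mail body (English and Spanish).
FIRST_LINES = {"Hi! How are you?", "Hola como estas ?"}
LAST_LINES = {"See you later. Thanks", "Nos vemos pronto, gracias."}
# Extension the worm appends to a stolen .doc/.xls/.zip document.
WORM_EXTS = (".bat", ".com", ".lnk", ".pif")
DOC_EXTS = (".doc", ".xls", ".zip")

# Registry locations from the write-up (matched case-insensitively below).
EXEFILE_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
CLEAN_EXEFILE_CMD = '"%1" %*'  # the value the write-up tells you to restore
AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"


def looks_like_sircam_mail(subject, body, attachment):
    """Mail-format heuristic: the body opens and closes with the fixed
    sentences, the attachment is a document name with a second, executable
    extension appended, and the subject repeats the document's name."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines or lines[0] not in FIRST_LINES or lines[-1] not in LAST_LINES:
        return False
    name = attachment.strip().lower()
    if not name.endswith(WORM_EXTS):
        return False
    inner = name.rsplit(".", 1)[0]  # e.g. "satu.xls" from "satu.xls.pif"
    if not inner.endswith(DOC_EXTS):
        return False
    base = inner.rsplit(".", 1)[0]  # e.g. "satu"
    return subject.strip().lower() in (base, inner)


def exefile_command_status(value):
    """Classify the (Default) data of HKCR\\exefile\\shell\\open\\command:
    'hijacked' if it routes every .exe through the worm, 'clean' if it is
    exactly the value the write-up restores, otherwise 'suspect' (for
    example the stray leading space the write-up warns about in step 4)."""
    if re.search(r"sirc32\.exe", value, re.IGNORECASE):
        return "hijacked"
    if value == CLEAN_EXEFILE_CMD:
        return "clean"
    return "suspect"


def host_indicators(reg, autoexec_text):
    """Return the removal-checklist indicators present in a registry
    snapshot and an Autoexec.bat text, in the write-up's order."""
    snap = {k.lower(): v for k, v in reg.items()}
    found = []
    cmd = snap.get(EXEFILE_CMD_KEY.lower(), {}).get("(Default)", "")
    if exefile_command_status(cmd) == "hijacked":
        found.append("exefile_command_hijacked")
    if SIRCAM_KEY.lower() in snap:
        found.append("sircam_key")
    driver32 = snap.get(RUNSERVICES_KEY.lower(), {}).get("Driver32", "")
    if re.search(r"scam32\.exe", driver32, re.IGNORECASE):
        found.append("runservices_driver32")
    if any(ln.strip().lower() == AUTOEXEC_LINE for ln in autoexec_text.splitlines()):
        found.append("autoexec_line")
    return found


# Constructed sample data (not captured from a real machine).
INFECTED_REG = {
    EXEFILE_CMD_KEY: {"(Default)": r'C:\recycled\sirc32.exe "%1" %*'},
    SIRCAM_KEY: {"FC0": "12"},
    RUNSERVICES_KEY: {"Driver32": r"C:\WINDOWS\SYSTEM\scam32.exe"},
}
INFECTED_AUTOEXEC = "@echo off\r\n@win \\recycled\\sirc32.exe\r\n"
CLEAN_REG = {EXEFILE_CMD_KEY: {"(Default)": CLEAN_EXEFILE_CMD}}
SAMPLE_BODY = (
    "Hi! How are you?\n"
    "I send you this file in order to have your advice\n"
    "See you later. Thanks\n"
)

if __name__ == "__main__":
    print(looks_like_sircam_mail("Ben-Uni Dar2", SAMPLE_BODY, "Ben-Uni Dar2.doc.pif"))
    print(host_indicators(INFECTED_REG, INFECTED_AUTOEXEC))
    print(host_indicators(CLEAN_REG, "@echo off\r\n"))
```

The mail heuristic is deliberately strict on the body's first and last lines, which the write-up says never vary, rather than on the subject, which is whatever document name was stolen; the host check keeps the exefile value in a three-way status so that a half-done manual repair (the leading-space case) is not reported as clean.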