
SirCam Worm

Information about SirCam worm:

SirCam is a mass-mailing worm that uses e-mail addresses stored in the Windows Address Book and also collects addresses from the temporary Internet folder to distribute infected messages. SirCam is also a network-aware worm: it searches for network shares and infects them too. SirCam is also known as W32.SirCam.Worm, W32.SirCam or TROJ SirCam.A.

SirCam arrives as an e-mail attachment; the message subject and body vary randomly, but the first and last lines of the message body are always the same. The attachment carries two extensions: the first is DOC, XLS, ZIP or EXE, and the second is selected randomly from PIF, LNK, BAT or COM. The mail subject and body will be in English or Spanish.

First Line: Hi! How are you?
Last Line: See you later. Thanks

When sending the infected message, the worm appends a file from the local system to deceive the user. The infected attachment has a double extension, such as secret.doc.pif or compress.zip.bat. The worm e-mails the infected files using its own SMTP engine.
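The message traits described above can be checked at a mail gateway or over a saved mailbox. The following is an added example, not part of the original advisory or of the Fire product: it flags attachments with the double-extension pattern and bodies with the fixed first and last lines. The function names, addresses and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

FIRST_EXT = {"doc", "xls", "zip", "exe"}    # first extension, per the advisory
SECOND_EXT = {"pif", "lnk", "bat", "com"}   # second, executable extension
FIRST_LINE = "Hi! How are you?"             # only the English lines the page
LAST_LINE = "See you later. Thanks"         # quotes; Spanish text is not matched

def double_extension(filename):
    """True for names such as secret.doc.pif or compress.zip.bat."""
    parts = (filename or "").lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in FIRST_EXT and parts[2] in SECOND_EXT

def body_matches(text):
    """True when the first and last non-empty lines are the fixed ones."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return len(lines) >= 2 and lines[0] == FIRST_LINE and lines[-1] == LAST_LINE

def inspect_message(raw_bytes):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and double_extension(name):
            findings.append("double-extension attachment: " + name)
        elif not name and part.get_content_type() == "text/plain":
            if body_matches(part.get_content()):
                findings.append("fixed first/last body lines")
    return findings

def build_sample(filename, body):
    """Constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "report"
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

SAMPLE_BODY = FIRST_LINE + "\nConstructed middle line.\n" + LAST_LINE + "\n"

if __name__ == "__main__":
    print(inspect_message(build_sample("secret.doc.pif", SAMPLE_BODY)))
    print(inspect_message(build_sample("notes.doc", "Hello,\nminutes attached.\n")))
```

Either finding on its own is worth quarantining the message for review, since the subject and the rest of the body vary.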

If the infected e-mail attachment is executed, the worm code is executed first. It copies itself to the file SCam32.exe in the Windows folder. The worm also drops Sirc32.exe in the Recycle Bin with the hidden attribute set. After that it launches the corresponding application. The worm is loaded automatically by changing the following keys in the registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Driver32

HKEY_CLASSES_ROOT\exefile\shell\open\command

It then searches for network shares; if one is found, it copies itself there as RUNDLL32.EXE. The original RUNDLL32.EXE file is renamed to RUN32.EXE. It also adds the entry @win \recycled\SirC32.exe to AUTOEXEC.BAT to load the worm on the next startup.

The SirCam worm contains destructive payloads. When the payload is activated, SirCam will delete all files and directories. When sending infected attachments, it distributes files from the system, so the infected user may lose confidential information.

Removing SirCam Worm from your system:

Fire has incorporated I-Worm/SirCam into its signature file, with the aim of helping users affected by this worm to detect and eliminate it from their systems. Fire anti-virus users can update this signature file by using the online update facility. It is available with the registered version of the Fire anti-virus Kit.

You can check the system manually. I-Worm/SirCam creates the file "SIRC32.EXE" in the Recycled folder. The presence of this file indicates that you are infected with this worm.

The SirCam worm changes registry keys when infecting the machine, and these should be fixed before deleting the main worm file "SIRC32.EXE" stored in the Recycled folder. A free download of the FireLite [1100KB] version is also available to detect all viruses, including the SirCam worm. If you find this worm, use the registered version of Fire to remove it. The Fire anti-virus kit provides a perfect cure for the SirCam worm. To get the registered version of Fire call us at 044-28170440 or mail to service@fireav.com or purchase Fire online using

[Analysis: Mr.Ramesh, Mr. Surend Raj, Prognet Technologies Pvt. Ltd, July 2001]
