about SirCam worm:
SirCam is a mass-mailing worm that uses
e-mail addresses stored in the Windows
Address Book and also collects addresses
from the temporary Internet folder to
distribute infected messages. SirCam is
also a network-aware worm: it searches for
network shares and infects them too. The
SirCam worm is also known as
W32.SirCam.Worm, W32.SirCam or TROJ SirCam.A.
SirCam arrives as an e-mail attachment; the
message subject and body vary randomly.
The first and last lines of the message
body are always the same. The attachment
name carries two extensions: the first is
DOC, XLS, ZIP or EXE, and the second is
selected from PIF, LNK, BAT or COM. The
mail subject and body will be in English.
First Line: Hi! How are you?
Last Line: See you later.
When sending the
infected message, the worm appends a
file from the local system to deceive
the user. The attached infected file has
a double extension, such as
secret.doc.pif or compress.zip.bat. The
worm e-mails the infected files using its
own SMTP engine.
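
A mail-gateway check for the two message traits described above (the DOC/XLS/ZIP/EXE plus PIF/LNK/BAT/COM double extension and the fixed first and last body lines), as an added example that is not part of the original advisory. The function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension lists and body lines as given in the description above.
FIRST_EXT = ("doc", "xls", "zip", "exe")
SECOND_EXT = ("pif", "lnk", "bat", "com")
FIRST_LINE, LAST_LINE = "hi! how are you?", "see you later."
DOUBLE_EXT = re.compile(
    r"\.(?:%s)\.(?:%s)$" % ("|".join(FIRST_EXT), "|".join(SECOND_EXT)),
    re.IGNORECASE)

def has_double_extension(filename):
    """True for names such as secret.doc.pif; order of the two lists matters."""
    return bool(DOUBLE_EXT.search(filename.strip()))

def has_fixed_body_lines(body):
    """True when the first and last non-empty lines match the fixed text."""
    lines = [ln.strip().lower() for ln in body.splitlines() if ln.strip()]
    return len(lines) >= 2 and lines[0] == FIRST_LINE and lines[-1] == LAST_LINE

def sircam_traits(raw_message):
    """Return the list of matched traits for one raw RFC 822 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    traits = []
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    hits = [n for n in names if has_double_extension(n)]
    if hits:
        traits.append("double extension: " + ", ".join(hits))
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and has_fixed_body_lines(body.get_content()):
        traits.append("fixed first/last body lines")
    return traits

def build_sample(filename, text):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content(text)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    sample = build_sample("secret.doc.pif",
                          "Hi! How are you?\nPlease see the file.\nSee you later.\n")
    print(sircam_traits(sample))
```

A message matching both traits is a strong candidate for quarantine; the double-extension rule alone also catches other worms that use the same disguise.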
If the infected
e-mail attachment is executed, the worm
code runs first. It copies itself to
the file SCam32.exe in the Windows
folder. The worm also drops Sirc32.exe in
the Recycle Bin with the hidden attribute.
After that it activates the corresponding
application. The worm is loaded
automatically by changing the following
keys in the registry.
Then it searches
for network shares; if one is found, it
copies itself to the RUNDLL32.EXE file.
The original RUNDLL32.EXE file is renamed
to RUN32.EXE. It also adds the entry @win
\recycled\SirC32.exe to AUTOEXEC.BAT
to load it on the next startup.
SirCam contains destructive payloads. When
the payload is activated, SirCam will
delete all files and directories.
When sending infected attachments, it
distributes files from the system, so the
infected user may lose confidential
Sircam Worm from your system:
incorporated I-Worm/SirCam its signature
file, with the aim of helping users
affected by this Worm attack to detect
and eliminate it from their systems. Fire
anti-virus users can update this
signature file by using online
update facility. It is available
with the registered version of Fire
can check the system manually.
I-Worm/SirCam creates the file "SIRC32.EXE"
in the Recycled folder.
The presence of this file indicates that
you are infected with this worm.
The worm changes registry keys when
infecting the machine, and these should be
fixed before deleting the main worm file
"SIRC32.EXE" stored in the Recycled folder. A
version is also available to detect all
viruses including the SirCam worm. If you
find this worm, use the registered version
of Fire to remove it. Fire anti-virus
kit provides perfect cure for SirCam
worm. To get the registered
version of Fire call us at 044-28170440 or mail to email@example.com
purchase Fire online using
Mr. Ramesh, Mr. Surend Raj, Prognet
Technologies Pvt. Ltd, July 2001]