NetPlus Communications - W32.Sircam.Worm@mm Virus

Level 4
Discovered on: July 17, 2001
Last Updated on: July 23, 2001 at 09:51:57 AM PDT

SARC has upgraded the threat level of W32.Sircam.Worm@mm from 3 to 4, due to its increased rate of submissions.
W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm.

A W32.Sircam.Worm@mm Removal Tool is available for download from SARC.

Also Known As: W32/SirCam@mm, Backdoor.SirCam

Category: Worm

Virus Definitions: July 17, 2001

Threat Assessment:

 
Wild: High
Damage: Medium
Distribution: High

Damage:

  • Payload Trigger: October 16th - this applies only to the payload which deletes files.
  • Payload:
    • Large scale e-mailing: The worm appends a random document from the infected PC to itself and sends this new file via email
    • Deletes files: 1 in 20 chance of deleting all files and directories on C:. Only occurs on systems using D/M/Y as the date format
    • Degrades performance: 1 in 33 chance of filling all remaining space on the hard disk by adding text to the file c:\recycled\sircam.sys at each startup
    • Releases confidential info: It will export a random document from the hard drive by appending it to the body of the worm

Distribution:

  • Subject of email: Random subject. In some cases it will be the filename of the attachment
  • Name of attachment: A file from the sender's computer with the extension .bat, .com, .lnk, or .pif added to it.
  • Shared drives: searches for shared drives and copies itself to those it finds.

 

Technical description:

This worm arrives as an email message with the following content:

Subject: The subject of the email will be random, and could be the same as the file name of the attachment in the email.
Attachment: The attachment will be a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.

English Version:
First line: Hi! How are you?
Last line: See you later. Thanks

Between these two sentences, some of the following text may appear:

Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste

English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for
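The message traits above (a fixed first and last line, and a harvested document name with .bat, .com, .lnk or .pif appended) are enough for a simple mail-gateway heuristic. The following added example is not part of Symantec's write-up; it parses a raw message with Python's standard email module and reports which of those traits are present, using a constructed sample message rather than a real capture.

```python
import re
from email import message_from_string

# Fixed greetings that the write-up says always open and close the message body.
FIRST_LINES = {"Hola como estas ?", "Hi! How are you?"}
LAST_LINES = {"Nos vemos pronto, gracias.", "See you later. Thanks"}
# A harvested document name (.doc/.xls/.zip/.exe) with .bat/.com/.lnk/.pif appended.
DOUBLE_EXT_RE = re.compile(r"\.(doc|xls|zip|exe)\.(bat|com|lnk|pif)$", re.IGNORECASE)

def body_matches(body: str) -> bool:
    """True when the first and last non-empty lines are the worm's greetings."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return len(lines) >= 2 and lines[0] in FIRST_LINES and lines[-1] in LAST_LINES

def attachment_matches(filename: str) -> bool:
    return DOUBLE_EXT_RE.search(filename) is not None

def sircam_reasons(raw_message: str) -> list:
    """Return the Sircam traits found in a raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw_message)
    reasons, body = [], ""
    for part in msg.walk():
        name = part.get_filename()
        if name and attachment_matches(name):
            reasons.append(f"attachment with appended executable extension: {name}")
        elif part.get_content_type() == "text/plain" and not name:
            body += part.get_payload(decode=True).decode("latin-1", "replace")
    if body_matches(body):
        reasons.append("body opens and closes with the worm's fixed greetings")
    return reasons

# Constructed sample message (not a real capture) in the shape the write-up describes.
SAMPLE_MESSAGE = """\
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
--b1
Content-Type: application/octet-stream; name="report.doc.pif"
Content-Disposition: attachment; filename="report.doc.pif"

QUJD
--b1--
"""
```

Both traits must be read from the decoded parts: the greeting check ignores blank lines, so the semi-random filler between the greetings does not affect it.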

When executed, the worm performs the following actions:

    1. It creates copies of itself as %TEMP%\<File name> and C:\Recycled\<file name>, which contain the attached document. This document is then launched using the program registered to handle the specific file type (For example, if it is saved as a file with the .doc extension, it will run using Microsoft Word or Wordpad. A file with the .xls extension will open in Excel, and one with the .zip extension will open in your default zip program such as WinZip.)

    NOTE: The term %TEMP% is the Temp variable, and means that the worm will save itself to the Windows Temp folder, whatever its location. The default is C:\Windows\Temp.

    2. It copies itself to C:\Recycled\Sirc32.exe and %System%\Scam32.exe.

    NOTE: %System% is also a variable. The worm will locate the \System folder (by default this is C:\Windows\System) and copy itself to that location.

    3. It adds the value

    Driver32=%System%\scam32.exe

    to the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


    4. It creates the registry key

    HKEY_LOCAL_MACHINE\Software\SirCam

    with the following values:
    • FB1B - Stores the file name of the worm as stored in the Recycled directory.
    • FB1BA - Stores the SMTP IP address.
    • FB1BB - Stores the email address of the sender.
    • FC0 - Stores the number of times the worm has executed.
    • FC1 - Stores what appears to be the version number of the worm.
    • FD1 - Stores the file name of the worm that has been executed, without the suffix.
    5. The (Default) value of the registry key

    HKEY_CLASSES_ROOT\exefile\shell\open\command

    is set to

    C:\recycled\sirc32.exe "%1" %*"

    This enables the worm to execute itself any time that an .exe file is run.

    6. The worm is network aware, and it will enumerate the network resources to infect shared systems. If any are found, it will do the following:
    • Attempt to copy itself to <Computer>\Recycled\Sirc32.exe
    • Add the line "@win \recycled\sirc32.exe" to the file <Computer>\Autoexec.bat
    • Copy <Computer>\Windows\Rundll32.exe to <Computer>\Windows\Run32.exe
    • Replace <Computer>\Windows\rundll32.exe with C:\Recycled\Sirc32.exe
    7. There is a 1 in 33 chance that the following actions will occur:
    • The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe
    • The worm copies itself as "Microsoft Internet Office.exe" to the folder referred to by the registry key

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
    8. If this first payload activates, the file C:\recycled\Sircam.sys is created and filled with text until there is no remaining disk space. The text is one of two strings:
    • [SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
      or
    • [SirCam Version 1.0 Copyright © 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]
    9. There is a 1 in 20 chance that on October 16th of any year, the worm will recursively delete all files and folders on the C drive.

    This payload functions only on computers which use the date format D/M/Y (as opposed to M/D/Y or similar formats).

    10. The worm contains its own SMTP server which is used for the email routine. It obtains email addresses through two different methods:
    • It searches the folder that is referred to by the registry key

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup\Cache


      for sho*., get*., hot*., *.htm files, and copies email addresses from there into the file %Windows%\sc??.dll (where ? is a random letter and number).
    • It searches the entire drive for *.wab (all Windows Address Books) and copies addresses from there.
    11. It searches the folders referred to by the registry keys

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup\Personal


    and

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup\Desktop


    for files of type .doc, .xls, .zip, and .exe. If it finds a match, the corresponding file will be appended to the worm's original executable and this new file will be sent as the email attachment.

    12. After 8000 executions, the worm will stop running.

 

Removal instructions:

To remove this worm automatically, use the W32.Sircam.Worm@mm Removal Tool.

To remove this worm manually, you must:

  • Delete any files detected as W32.Sircam.Worm@mm.
  • Empty the Recycle bin to delete Sircam.sys (if it exists).
  • Remove the entry that it made to the Autoexec.bat file.
  • Revert the change that it made to the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command.

See the sections that follow for detailed instructions.

NOTE: If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Follow the removal procedure on all computers, including the server. Disable or password protect file sharing before reconnecting computers to the network or to the internet.


To remove the worm:
    1. Run LiveUpdate to make sure that you have the most recent virus definitions.
    2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
    3. Delete any files detected as W32.Sircam.Worm@mm.

To empty the Recycle Bin:
Right-click on the Recycle Bin and then click Empty Recycle Bin. You can also use Windows Explorer to delete the file C:\recycled\Sircam.sys if it is present.

To edit the Autoexec.bat file:
    1. Click Start, and click Run.
    2. Type the following, and then click OK.

    edit c:\autoexec.bat

    The MS-DOS Editor opens.

    3. Remove the line "@win \recycled\sirc32.exe" if it is present.
    4. Click File and then click Save.
    5. Exit the MS-DOS Editor.



To edit the registry:
The worm modifies the registry such that an infected file is executed every time that you run a .exe file. Follow these instructions to fix this.


Copy Regedit.exe to Regedit.com:
Because the worm has changed the command used to open .exe files, starting Regedit.exe directly would run the worm; a copy with the .com extension is not affected by that change.
    1. Do one of the following, depending on which operating system you are running:
    • Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt.
    • Windows NT/2000 users:
        1. Click Start, and click Run.
        2. Click Browse, and browse to the \Winnt folder.
        3. Double-click the Command.com file, and then click OK.
    2. Type copy regedit.exe regedit.com and press Enter.
    3. Type start regedit.com and press Enter.
    4. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps.

NOTE: This will open Registry Editor in front of the DOS window. After you finish editing the registry and have closed Registry Editor, close the DOS window.

To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.
    1. Navigate to and select the following key:

    HKEY_CLASSES_ROOT\exefile\shell\open\command

    CAUTION: The HKEY_CLASSES_ROOT key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey. Do not modify the HKEY_CLASSES_ROOT\.exe key. Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey that is shown in the following figure:

    (Figure: Registry Editor with the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey selected, annotated "NOTE: This is the key that you need to modify.")


    2. Double-click the (Default) value in the right pane.
    3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

    NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"

    4. Make sure you completely delete all value data in the command key prior to typing the correct data. If a space is left accidentally at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." or "Cannot locate C:\ <path and file name>."
    5. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\SirCam

    CAUTION: Make sure that you go all the way down to the SirCam key, and that it is selected. It will look similar to the following:

    (Figure: Registry Editor with the HKEY_LOCAL_MACHINE\Software\SirCam key selected.)
    6. With the SirCam key selected, press Delete. This will delete the key and all of its subkeys. Since this key was created by the worm it can be safely deleted.
    7. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices


    8. In the right pane, look for and select the value Driver32.

    9. Press Delete, and then click Yes to confirm.
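The registry and Autoexec.bat changes listed in steps 3 to 6 of the technical description are also exactly what needs checking once the manual removal steps above have been carried out. The following added example is not part of Symantec's write-up: it parses a REGEDIT4-format .reg export (as produced by Registry Editor) together with an Autoexec.bat and reports which of the worm's changes are still present, using the key paths as given on this page and constructed sample exports rather than real captures.

```python
# Key paths from the write-up, lower-cased because the parser normalises key names.
EXEFILE_CMD = r"hkey_classes_root\exefile\shell\open\command"
RUNSERVICES = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
SIRCAM_KEY = r"hkey_local_machine\software\sircam"
CLEAN_EXEFILE_CMD = '"%1" %*'   # the value the removal steps restore

def parse_reg(text: str) -> dict:
    """Minimal parser for a REGEDIT4 export: {key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # Undo .reg string escaping: \" -> " then \\ -> \ (sufficient for these values).
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def sircam_indicators(reg_text: str, autoexec_text: str = "") -> list:
    """List the host changes from the write-up that are present in the supplied exports."""
    keys = parse_reg(reg_text)
    findings = []
    cmd = keys.get(EXEFILE_CMD, {}).get("@")
    if cmd is not None and cmd != CLEAN_EXEFILE_CMD:
        findings.append(f"exefile open command is not the default: {cmd}")
    driver = keys.get(RUNSERVICES, {}).get("Driver32", "")
    if "scam32.exe" in driver.lower():
        findings.append(f"RunServices Driver32 starts {driver}")
    if SIRCAM_KEY in keys:
        findings.append("HKEY_LOCAL_MACHINE\\Software\\SirCam key present")
    if any("@win \\recycled\\sirc32.exe" in ln.lower() for ln in autoexec_text.splitlines()):
        findings.append("Autoexec.bat launches \\recycled\\sirc32.exe")
    return findings

# Constructed sample exports (not real captures) showing an infected machine.
SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\scam32.exe"
[HKEY_LOCAL_MACHINE\Software\SirCam]
"FC0"=dword:00000003
'''
SAMPLE_AUTOEXEC = "@echo off\n@win \\recycled\\sirc32.exe\n"
```

An empty list from sircam_indicators means the exefile command is back to "%1" %* and none of the other changes remain.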

 

Additional information:

Configure Windows for maximum protection
Because this virus spreads by using shared folders on networked computers, to ensure that the virus does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.

Write-up by: Peter Ferrie and Peter Szor
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.htm

Symantec AntiVirus Research Center (SARC)
http://www.symantec.com/avcenter