1. Virus Warning!

Hello Euphorians,

Yesterday 30 computers at Insight Concepts were infected by a new
e-mail worm "Win32.SirCam.137216". Below is information you can use
to identify this little pest.
--------------------------------------------------------------------->

Win32.SirCam.137216 is an email worm which sends itself as well as
clean documents from an infected machine. The worm arrives in a
message which may be either English or Spanish. The English messages
appear like this:

Hi! How are you? 
I send you this file in order to have your advice
See you later. Thanks 

The middle line may be chosen at random from one of the following:

I send you this file in order to have your advice
I hope you can help me with this file that I send 
I hope you like the file that I sendo you 
This is the file with the information that you ask for 

The Spanish message looks like: 

Hola como estas ? 
Te mando este archivo para que me des tu punto de vista 
Nos vemos pronto, gracias. 

The middle line may be one of the following: 

Te mando este archivo para que me des tu punto de vista 
Espero me puedas ayudar con el archivo que te mando 
Espero te guste este archivo que te mando 
Este es el archivo con la información que me pediste

The attachment name is variable, but will have a double extension,
for example "SCRIPT.DOC.PIF". The actual extension may be "PIF",
"LNK", "BAT", "EXE" or "COM". The subject of message matches the
attachment name, except without the extensions. In the above example
the subject would be "SCRIPT".

When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" as well
as "SCam32.exe" in the Windows System directory. It modifies two
registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32="\SCam32.exe"
HKEY_CLASSES_ROOT\exefile\shell\open\command=""C:\recycled\SirC32.exe" "%1" %*"

The first key causes the worm to run when Windows starts. The second
causes the worm to be run whenever any .EXE program is executed. The
worm gets a list of .DOC, .XLS and .ZIP files in the "My Documents"
folder. It appends one of these files to the end of itself and saves
the result to the Recycled folder, adding the second extension to the
filename as listed previously. This file is attached to the emails
that the worm sends.

The worm may make several copies of itself with different DOC, XLS or
ZIP files attached, depending upon what it finds in the "My
Documents" folder. It continually sends these copies out to addresses
it finds in the Windows address book and internet cache files, and
may send multiple copies to the same address.


Sincerely,
Chris
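
A mail-filter heuristic for the indicators described in the post above, as an added example (not part of the original post and not any vendor's code): it flags attachments whose name has a double extension ending in one of the listed types, and checks whether the subject equals the attachment's base name. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Final extensions the post lists for the worm's attachment.
EXECUTABLE_EXTS = {"pif", "lnk", "bat", "exe", "com"}
# Document types the post says the worm appends to itself.
DECOY_EXTS = {"doc", "xls", "zip"}


def sircam_indicators(raw_message):
    """Return the indicators from the post that a raw mail message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        pieces = name.lower().split(".")
        if len(pieces) < 3 or pieces[-1] not in EXECUTABLE_EXTS:
            continue  # not a double extension ending in a listed type
        hits.append("double-extension:" + name)
        if pieces[-2] in DECOY_EXTS:
            hits.append("decoy-document-extension:" + pieces[-2])
        # Subject equals the attachment name with both extensions removed.
        if subject == ".".join(pieces[:-2]):
            hits.append("subject-matches-attachment-base")
    return hits


def build_message(subject, filename):
    """Constructed sample input: one mail with one placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Hi! How are you?")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("SCRIPT", "SCRIPT.DOC.PIF"),
                        ("Quarterly report", "report.doc"),
                        ("hello", "notes.txt.exe")]:
        print(fname, "->", sircam_indicators(build_message(subj, fname)))
```

The double-extension check alone catches the attachment regardless of message language; the subject match and decoy extension raise confidence that the mail fits this worm's pattern.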


2. Re: Virus Warning!

On 21 Jul 2001, at 23:01, president at insight-concepts.com wrote:

> The attachment name is variable, but will have a double extension, 
> for example "SCRIPT.DOC.PIF". The actual extension may be "PIF", 
> "LNK", "BAT", "EXE" or "COM". The subject of message matches the 

Once again, never open a file with those extensions. If your puter's OS is 
windoze, tell it to *always show all extensions* and never use Outlook 
Express or its variants, and never auto-open any files. You know you could 
have just as easily gotten the virus with javascript or java while browsing the 
web? Or reading a document with a reader that exec's macros?

Kat


3. Re: Virus Warning!

Kat,
I use Outlook Express at home and Outlook at work. I use the VET virus
checker. Together they have always caught the virus. I've never had a
problem with any of these.

----- Original Message -----
From: "Kat" <gertie at PELL.NET>
To: "EUforum" <EUforum at topica.com>
Subject: Re: Virus Warning!


>
>
> On 21 Jul 2001, at 23:01, president at insight-concepts.com wrote:
>
> > The attachment name is variable, but will have a double extension,
> > for example "SCRIPT.DOC.PIF". The actual extension may be "PIF",
> > "LNK", "BAT", "EXE" or "COM". The subject of message matches the
>
> Once again, never open a file with those extensions. If your puter's OS is
> windoze, tell it to *always show all extensions* and never use Outlook
> Express or its variants, and never auto-open any files. You know you could
> have just as easily gotten the virus with javascript or java while browsing the
> web? Or reading a document with a reader that exec's macros?
>
> Kat
>
>
>
>


4. Re: Virus Warning!

Kat:
Where in Windows 98 do you set the option "always show all extensions"??
Thanks.
----- Original Message -----
From: "Kat" <gertie at PELL.NET>
To: "EUforum" <EUforum at topica.com>
Subject: Re: Virus Warning!


>
>
> On 21 Jul 2001, at 23:01, president at insight-concepts.com wrote:
>
> > The attachment name is variable, but will have a double extension,
> > for example "SCRIPT.DOC.PIF". The actual extension may be "PIF",
> > "LNK", "BAT", "EXE" or "COM". The subject of message matches the
>
> Once again, never open a file with those extensions. If your puter's OS is
> windoze, tell it to *always show all extensions* and never use Outlook
> Express or its variants, and never auto-open any files. You know you could
> have just as easily gotten the virus with javascript or java while browsing the
> web? Or reading a document with a reader that exec's macros?
>
> Kat
>
>
>
>


5. Re: Virus Warning!

On 22 Jul 2001, at 18:09, rforno at tutopia.com wrote:


> 
> Kat:
> Where in Windows 98 do you set the option "always show all extensions"??

I hope the question was answered, i couldn't, as i don't use win98.

Kat
