Virus Warning!
- Posted by president at insight-concepts.com Jul 21, 2001
Hello Euphorians,

Yesterday 30 computers at Insight Concepts were infected by a new e-mail worm, "Win32.SirCam.137216". Below is information you can use to identify this little pest.

------------------------------------------------------------------

Win32.SirCam.137216 is an email worm which sends itself as well as clean documents from an infected machine. The worm arrives in a message which may be either English or Spanish. The English messages appear like this:

    Hi! How are you?
    I send you this file in order to have your advice
    See you later. Thanks

The middle line may be chosen at random from one of the following:

    I send you this file in order to have your advice
    I hope you can help me with this file that I send
    I hope you like the file that I sendo you
    This is the file with the information that you ask for

The Spanish message looks like:

    Hola como estas ?
    Te mando este archivo para que me des tu punto de vista
    Nos vemos pronto, gracias.

The middle line may be one of the following:

    Te mando este archivo para que me des tu punto de vista
    Espero me puedas ayudar con el archivo que te mando
    Espero te guste este archivo que te mando
    Este es el archivo con la información que me pediste

The attachment name is variable, but will have a double extension, for example "SCRIPT.DOC.PIF". The actual extension may be "PIF", "LNK", "BAT", "EXE" or "COM". The subject of the message matches the attachment name, except without the extensions. In the above example the subject would be "SCRIPT".

When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" as well as "SCam32.exe" in the Windows System directory. It modifies two registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32="\SCam32.exe"
    HKEY_CLASSES_ROOT\exefile\shell\open\command=""C:\recycled\SirC32.exe" "%1" %*"

The first key causes the worm to run when Windows starts. The second causes the worm to be run whenever any .EXE program is executed.

The worm gets a list of .DOC, .XLS and .ZIP files in the "My Documents" folder. It appends one of these files to the end of itself and saves the result to the Recycled folder, adding the second extension to the filename as listed previously. This file is attached to the emails that the worm sends.

The worm may make several copies of itself with different DOC, XLS or ZIP files attached, depending upon what it finds in the "My Documents" folder. It continually sends these copies out to addresses it finds in the Windows address book and internet cache files, and may send multiple copies to the same address.

Sincerely,
Chris
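
A mail-filter check built from the indicators in the advisory above, as an added example that is not part of the original post: it flags a message whose attachment carries the double extension described, whose subject equals the attachment's base name, or whose body contains one of the listed lines. The function names and the sample-message builder are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text; nothing here is a captured sample.
FINAL_EXTS = {"pif", "lnk", "bat", "exe", "com"}
INNER_EXTS = {"doc", "xls", "zip"}
BODY_LINES = [
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I sendo you",
    "This is the file with the information that you ask for",
    "Te mando este archivo para que me des tu punto de vista",
    "Espero me puedas ayudar con el archivo que te mando",
    "Espero te guste este archivo que te mando",
    "Este es el archivo con la información que me pediste",
]

def sircam_indicators(raw: bytes) -> list:
    """Return the advisory indicators matched by one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # "SCRIPT.DOC.PIF" -> ["script", "doc", "pif"]
            pieces = name.lower().rsplit(".", 2)
            if len(pieces) == 3 and pieces[1] in INNER_EXTS and pieces[2] in FINAL_EXTS:
                hits.append("double-extension attachment: " + name)
                if pieces[0] == subject:
                    hits.append("subject matches attachment base name")
        elif part.get_content_type() == "text/plain":
            text = part.get_content().lower()
            if any(line.lower() in text for line in BODY_LINES):
                hits.append("known body line")
    return hits

def build_sample(subject: str, filename: str, body: str) -> bytes:
    """Constructed message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A message that matches all three indicators is a much stronger signal than a double extension alone, since the subject and body text vary with the document the worm picked up.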