Virus Warning!

new topic     » topic index » view thread      » older message » newer message

Hello Euphorians,

Yesterday 30 computers at Insight Concepts were infected by a new=
  
E-mail worm "Win32.SirCam.137216". Below is information you can=
 use 
to Identify this little pest.
-----------------------------------------------------------------=
--->

Win32.SirCam.137216 is an email worm which sends itself as well=
 as 
clean documents from an infected machine. The worm arrives in a 
message which may be either English or Spanish. The English=
 messages 
appear like this: 

Hi! How are you? 
I send you this file in order to have your advice
See you later. Thanks 

The middle line may be chosen at random from one of the=
 following: 

I send you this file in order to have your advice
I hope you can help me with this file that I send 
I hope you like the file that I sendo you 
This is the file with the information that you ask for 

The Spanish message looks like: 

Hola como estas ? 
Te mando este archivo para que me des tu punto de vista 
Nos vemos pronto, gracias. 

The middle line may be one of the following: 

Te mando este archivo para que me des tu punto de vista 
Espero me puedas ayudar con el archivo que te mando 
Espero te guste este archivo que te mando 
Este es el archivo con la informaci=F3n que me pediste 

The attachment name is variable, but will have a double=
 extension, 
for example "SCRIPT.DOC.PIF". The actual extension may be "PIF",=
 
"LNK", "BAT", "EXE" or "COM". The subject of message matches the=
 
attachment name, except without the extensions. In the above=
 example 
the subject would be "SCRIPT". 

When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" as=
 well 
as "SCam32.exe" in the Windows System directory. It modifies two=
 
registry keys: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunS=
ervic
es\Driver32=3D"\SCam32.exe"
HKEY_CLASSES_ROOT\exefile\shell\open\command=3D""C:\recycled\SirC32=
.exe"
 "%1" %*" 
The first key causes the worm to run when Windows starts. The=
 second 
causes the worm to be run whenever any .EXE program is executed.=
 The 
worm gets a list of .DOC, .XLS and .ZIP files in the "My=
 Documents" 
folder. It appends one of these files to the end of itself and=
 saves 
the result to the Recycled folder, adding the second extension to=
 the 
filename as listed previously. This file is attached to the=
 emails 
that the worm sends. 

The worm may make several copies of itself with different DOC,=
 XLS or 
ZIP files attached, depending upon what it finds in the "My 
Documents" folder. It continually sends these copies out to=
 addresses 
it finds in the Windows address book and internet cache files,=
 and 
may send multiple copies to the same address.


Sincerely,
Chris

new topic     » topic index » view thread      » older message » newer message

Search



Quick Links

User menu

Not signed in.

Misc Menu