Alias: W32/SirCam@MM
Type: Worm
Size: 137,216 bytes
Origin: unknown
Date: 07-18-2001
Damage:
VDF Version:
Danger: Medium
Distribution: High

Technical Details

SirCam is a worm and a Win32 virus; its size is about 150 KB. When activated, it creates the following files:

* C:\Recycled\SirC32.exe
* C:\Recycled\LoveJoy_.com
* C:\Windows\System\Scam32.exe
* C:\Windows\Temp\LoveJoy_.com

The file SirC32.exe is registered as the shell "open" command for .EXE files, so that the worm is activated every time an .EXE file is started. For this, it makes the following entry:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"

The file Scam32.exe is registered as a "driver" under the RunServices key, so that the worm is activated at every system start:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

SirCam can also add itself to Autoexec.bat:

@win \recycled\SirC32.exe
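The three persistence entries above (the exefile "open" command, the RunServices value and the Autoexec.bat line) can be checked for from text alone. The following is an added example and not Avira's code: it parses a registry export in the format written by "regedit /e" and the contents of Autoexec.bat, and reports any of the three entries. Both sample inputs are constructed to mirror the entries listed in the description; the key names and the stock `"%1" %*` open command are the standard Windows values.

```python
import re

# Added example, not Avira's code. Checks a .reg export (as written by
# "regedit /e") and Autoexec.bat text for the three persistence entries the
# description lists. Both samples are constructed, not captured.
SAMPLE_INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"
'''

SAMPLE_CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

SAMPLE_INFECTED_AUTOEXEC = "@echo off\n@win \\recycled\\SirC32.exe\nSET PATH=C:\\WINDOWS\n"

EXEFILE_COMMAND_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUNSERVICES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # stock "open" command for .EXE files

# a .reg value line: either @="..." (default value) or "name"="..."
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Parse .reg text into {key (lower-cased): {value name: string data}}.

    The default value is stored under the name "@". Only string (REG_SZ)
    values are handled, which is all this check needs.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            entries.setdefault(current, {})
            continue
        match = _VALUE_LINE.match(line)
        if match and current is not None:
            name = "@" if match.group(1) == "@" else _unescape(match.group(2))
            entries[current][name] = _unescape(match.group(3))
    return entries


def find_sircam_persistence(reg_entries, autoexec_text):
    """Return a list of findings; an empty list means none of the entries is present."""
    findings = []

    # 1. exefile\shell\open\command must be the stock "%1" %* and nothing else
    command = reg_entries.get(EXEFILE_COMMAND_KEY, {}).get("@")
    if command is not None and command.strip().lower() != CLEAN_EXEFILE_COMMAND.lower():
        findings.append("exefile open command replaced: " + command)

    # 2. a RunServices value that starts SCam32.exe
    for name, data in reg_entries.get(RUNSERVICES_KEY, {}).items():
        if re.search(r"scam32\.exe", data, re.IGNORECASE):
            findings.append(f"RunServices value {name!r} starts SCam32.exe: {data}")

    # 3. an Autoexec.bat line of the form "@win \recycled\SirC32.exe"
    for line in autoexec_text.splitlines():
        if re.match(r"^\s*@?win\s+.*\\recycled\\sirc32\.exe", line, re.IGNORECASE):
            findings.append("Autoexec.bat launches the worm: " + line.strip())

    return findings


if __name__ == "__main__":
    infected = parse_reg_export(SAMPLE_INFECTED_REG)
    for finding in find_sircam_persistence(infected, SAMPLE_INFECTED_AUTOEXEC):
        print(finding)
```

The exefile check deliberately compares against the stock value instead of searching for "SirC32.exe": any program inserted in front of `"%1" %*` hijacks every .EXE launch, so the deviation itself is the finding, whatever the file is called.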

If the files Scam32.exe or SirC32.exe carry the extension .DOC.COM, the worm deletes all the files saved on the C: drive.

If a networked machine is infected by SirCam, the worm can reach the drives mapped from other workstations (Windows 9x/NT). If it has write access to one of these drives, it looks for the following files or folders:

* \Recycled
* \Windows
* \Windows\Run32.exe
* \Windows\Rundll32.exe

When one of these is found, the worm copies itself to C:\Recycled\SirC32.exe on that machine and adds an entry to Autoexec.bat, which activates it at the next system start. Then the file RUNDLL32.EXE is renamed RUN32.EXE and a new RUNDLL.EXE is created, containing the virus code.

The worm mails itself as an executable attachment using its own SMTP engine. The e-mail addresses are collected from the Windows Address Book and from files whose names contain the strings SHO*, GET*, HOT*, *.HTM, *WAB and some others. These addresses are stored in a DLL file in the Windows system directory; the file's name is usually SCD1.DLL, but the second and third letters can vary.

The e-mail attachment has a double extension of the form filename.ext1.ext2. The first extension (ext1) is one of DOC, XLS, ZIP, EXE; the second extension (ext2) is one of PIF, LNK, BAT, COM.

The name of the attachment (filename.ext1) is taken from one of the files in the "My Documents" folder. The worm makes a list of all files in that folder of type .DOC, .EXE, .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .XLS and .ZIP and saves it as SCD.DLL in the system directory. When the worm mails itself, the attachment name is chosen from this list.

The e-mail sent can look like this:

Subject: varies; the worm puts the attachment's name in the subject line.
Message: the body text differs, but the first and last lines are always the same (in the English and Spanish versions).

English version

First line: Hi! How are you?
Last line: See you later, Thanks

Spanish version

First line: Hola como estas ?
Last line: Nos vemos pronto. Gracias

When the attachment is opened, a Word document appears on the screen while, in the background, the worm infects the system.
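The mail traits described above (the double-extension attachment name, the subject repeating the attachment name, and the fixed first and last body lines of the English and Spanish variants) are enough for a mail-gateway rule. The following is an added example and not Avira's code: the sample messages are constructed, and the subject rule accepts either the bare filename or filename.ext1, since the description says only that the subject carries the attachment's name.

```python
import re

# Added example, not Avira's code. Sample bodies and names are constructed;
# the subject rule (bare filename or filename.ext1) is an assumption drawn
# from the description.
FIRST_EXTENSIONS = {"doc", "xls", "zip", "exe"}
SECOND_EXTENSIONS = {"pif", "lnk", "bat", "com"}

# first and last body lines of the two language variants listed above
BODY_SIGNATURES = {
    "en": ("Hi! How are you?", "See you later, Thanks"),
    "es": ("Hola como estas ?", "Nos vemos pronto. Gracias"),
}

SAMPLE_EN_BODY = "Hi! How are you?\n\nPlease look at the attached file.\n\nSee you later, Thanks\n"
SAMPLE_ES_BODY = "Hola como estas ?\n\nTe mando este archivo.\n\nNos vemos pronto. Gracias\n"


def split_attachment_name(name):
    """Split 'filename.ext1.ext2' into (filename, ext1, ext2); None if not of that form."""
    parts = name.rsplit(".", 2)
    if len(parts) != 3 or not all(parts):
        return None
    return parts[0], parts[1].lower(), parts[2].lower()


def is_sircam_style_attachment(name):
    """True when ext1 is DOC/XLS/ZIP/EXE and ext2 is PIF/LNK/BAT/COM."""
    split = split_attachment_name(name)
    return (split is not None
            and split[1] in FIRST_EXTENSIONS
            and split[2] in SECOND_EXTENSIONS)


def body_signature_language(body):
    """Return 'en' or 'es' when the first and last non-empty lines match a variant, else None."""
    lines = [line.strip() for line in body.splitlines() if line.strip()]
    if len(lines) < 2:
        return None
    for lang, (first, last) in BODY_SIGNATURES.items():
        if lines[0] == first and lines[-1] == last:
            return lang
    return None


def score_message(subject, body, attachment_names):
    """Collect the SirCam traits a message shows; an empty list means none were seen."""
    reasons = []
    wanted_subject = subject.strip().lower()
    for name in attachment_names:
        split = split_attachment_name(name)
        if not is_sircam_style_attachment(name):
            continue
        filename, ext1, ext2 = split
        reasons.append(f"attachment {name!r} uses the {ext1.upper()}.{ext2.upper()} double extension")
        # assumption: subject is the attachment name with or without ext1
        if wanted_subject in {filename.lower(), f"{filename}.{ext1}".lower()}:
            reasons.append("subject repeats the attachment name " + repr(filename))
    lang = body_signature_language(body)
    if lang is not None:
        reasons.append("body opens and closes with the " + lang + " SirCam lines")
    return reasons


if __name__ == "__main__":
    for reason in score_message("Budget2001", SAMPLE_EN_BODY, ["Budget2001.xls.pif"]):
        print(reason)
```

A gateway rule would normally treat the double extension alone as sufficient to quarantine; the subject and body checks are kept separate so that a match on them without the attachment pattern can be logged rather than blocked.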
Description added by Crony Walker, Tuesday, June 15, 2004
