SirCam is a worm and a Win32 virus and its size is ca. 150 kbytes. When activated, it creates the following files:
The file SirC32.exe is inserted in the registry shell, to ensure that every time an .EXE file is opened, the worm will be activated. For this, it makes the following entries:
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"
Scam32.exe file is inserted as "driver" in the registry, so that the worm will be activated by every system start:
SirCam can also register to Autoexec.bat:
If the files Scam32.exe or SirC32.exe were provided with the extension .DOC.COM, then the worm would delete all the saved files on the C: drive.
If a network is infected by SirCam, the worm can reach the mapped drives on other workstations (Windows 9x/NT). If it can have writing rights on any of these drives, the worm looks for the following files or folders:
When one of these is found, the worm copies itself in C:\Recycled\SirC32.exe and makes an entry in Autoexec.bat, which activates it by the next system start. Then, the file RUNDLL32.EXE is renamed RUN32.EXE and a new RUNDLL.EXE is created, containing the virus code.
The worm sends itself by mail as an executable program, using its own SMTP engine. The necessary email addresses are collected from Windows Address Book and from files, which contain the following strings in their names: SHO*, GET*, HOT*, *.HTM, *WAB and some others. These addresses are saved in a DLL file in Windows system. The file's name is usually SCD1.DLL, but the second and third letter can vary.
The email's attachment has a double extension, as: filename.ext1.ext2. The first extension (ext1) can be: DOC, XLS, ZIP, EXE. And second extension (ext2): PIF, LNK, BAT, COM.
The name of the attachment (filename.ext1) comes from one of the saved files from the "My Documents" folder. The worm makes a list of all the files in that folder, of type: .DOC .EXE .GIF .JPG .JPEG .MPEG .MOV .MPG .PDF .XLS .ZIP and saves them as SCD.DLL in the system. When the worm sends itself by email, the attachment name is chosen from this list.
The email sent can look like this:
Subject: can vary. The worm puts the attachment's name in the subject line.
Message: the body text is different, but the first and the last line are always the same (in the English and Spanish version).
First line: Hi! How are you?
Last line: See you later, Thanks
First line: Hola como estas ?
Last line: Nos vemos pronto. Gracias
When the attachment is opened, a Word document appears on the screen, while in background, the worm infects the system.
說明撰寫者 Crony Walker 開啟 2004年6月15日星期二