
Message ID: 25239
Date: Mon Jul 23 11:24:02 BST 2001
Author: Talies the Wanderer
Subject: Off-Topic - Virus Warning!!!


Not 20 minutes after I got this warning in my own box, I got the virus sent
to me by god-knows-whom. Please follow all traditional safety precautions.

Details follow:
Security experts warned Friday of a fast-spreading new worm that could
delete files and fill up the hard drives of infected computers.

The worm, "W32.Sircam" or "SirCam," arrives attached to an e-mail message
with a randomly chosen subject line, according to a report prepared by the
AntiVirus Research Center of software maker Symantec.
(http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@...)

Virus Characteristics:
This mass-mailing virus attempts to send itself and local documents to all
users found in the Windows Address Book and email addresses found in
temporary Internet cached files (web browser cache).

It may be received in an email message containing the following information:
Subject: [filename (random)]
Body: Hi! How are you?
I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for

See you later. Thanks

--- the same message may be received in Spanish ---

Hola como estas ?
Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste
Nos vemos pronto, gracias.

--- end message ---
Attached will be a document with a double extension (the filename varies).
The first extension will be the file type which was prepended by the virus.
When run, the document will be saved to the C:\RECYCLED folder and then
opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder to
conceal its presence and creates the following registry key value to load
itself whenever .EXE files are executed:
HKCR\exefile\shell\open\command
\Default="C:\recycled\SirC32.exe" "%1" %*
As the RECYCLE BIN is often on the exclusion list, check your settings to
ensure that this directory IS being scanned.
It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and
creates the following registry key value to load itself automatically:
HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP
files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd
character of the name appears to be random) in the SYSTEM directory. Email
addresses are gathered from the Windows Address Book and temporary Internet
cached pages and saved to the file SCD1.DLL (the 2nd and 3rd character of
the name appears to be random) in the SYSTEM directory.

The worm prepends a copy of the files that are named in the SCD.DLL file
and attaches this copy to the email messages that it sends via a built in
SMTP server, using one of the following extensions: .BAT, .COM, .EXE, .LNK,
.PIF. This results in attachment names having double-extensions.
The program creates a registry key to store variables for itself (such as a
run count, and SMTP information):
HKLM\Software\Sircam

To remove the worm:
1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure
that NAV is set to scan all files.
3. Delete any files detected as W32.Sircam.Worm@mm.
______________________________________________________

In Service,

Talies the Wanderer
Check out the EverQuesting Bard:
http://amtgard.pinkpig.com/bards/eqbard.htm

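A mail-filter check for the traits the warning above describes (a double-extension attachment ending in .BAT, .COM, .EXE, .LNK or .PIF, and the quoted greeting lines), as an added example that is not part of the original message or of any vendor tool. The function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Final extensions the advisory says the worm appends to the copied document.
WORM_EXTS = {".bat", ".com", ".exe", ".lnk", ".pif"}
# Opening lines of the English and Spanish bodies quoted in the advisory.
GREETINGS = ("hi! how are you?", "hola como estas ?")

def double_extension(filename):
    """True for names like notes.zip.pif: a file-type extension, then a worm one."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in WORM_EXTS
            and suffixes[-2][1:].isalpha())   # skips version-like names (v1.2.exe)

def inspect_message(raw_bytes):
    """Return the reasons a raw RFC 822 message matches the advisory."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if name and double_extension(name):
            reasons.append(f"double-extension attachment: {name}")
        elif not name and part.get_content_type() == "text/plain":
            text = part.get_content().strip().lower()
            if text.startswith(GREETINGS):
                reasons.append("body opens with the worm's greeting")
    return reasons

def build_sample(filename, body):
    """Constructed sample message; the attachment bytes are harmless filler."""
    m = EmailMessage()
    m["Subject"] = filename.split(".")[0]   # advisory: subject is the file name
    m["From"] = "sender@example.org"
    m["To"] = "rcpt@example.org"
    m.set_content(body)
    m.add_attachment(b"filler", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    suspect = build_sample("notes.zip.pif",
                           "Hi! How are you?\nSee you later. Thanks\n")
    for reason in inspect_message(suspect):
        print(reason)
```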