Virus: TROJ_SIRCAM.A - Courtesy of www.pc-cillin.com; visit them for anti-virus software.

Aliases:
SCAM.A, TROJ_SCAM.A, W32.Sircam.Worm@mm 

Description:
This worm is a high-level program created in Delphi that propagates via email using SMTP commands. It sends copies of itself to all addresses listed in an infected user's address book and in temporary Internet cached files. It arrives with a random subject line, and an attachment by the same name. 

This worm also propagates via shared network drives. 

Solution:
Deleting the Trojan file before performing the steps below will make the system inoperable, because the registry change undone in step 2 makes every .EXE launch go through C:\Recycled\SirC32.exe. If the Trojan has already been deleted, rename REGEDIT.EXE to REGEDIT.COM before following the manual removal instructions, so that the registry editor can still be started. If you want to use the fix tool, there is no need to rename the file.

To manually remove the Trojan:

1. Disconnect from the network.
2. Run REGEDIT.EXE. Go to HKEY_CLASSES_ROOT\exefile\shell\open\command. In the right panel, double-click the (Default) value and remove C:\Recycled\SirC32.exe, leaving only "%1" %* (double quote, percent one, double quote, space, percent asterisk).
3. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
4. In the right panel, delete the value Driver32.
5. Go to HKEY_LOCAL_MACHINE\Software\Sircam and delete the key Sircam.
6. Open an MS-DOS prompt and go to the Windows System folder (C:\Windows\System or C:\Winnt\System32).
7. Type ATTRIB -S -H -R SCAM32.EXE to unhide the Trojan file.
8. Type DEL SCAM32.EXE to delete the Trojan file.
9. Go to the Recycled folder (C:\Recycled) and repeat steps 7 and 8 for the Trojan file hidden there (SIRC32.EXE, see Details); emptying this folder from Windows may not remove it.
10. Go to the Windows folder and search for RUN32.EXE.
11. If it is present, delete RUNDLL32.EXE and rename RUN32.EXE to RUNDLL32.EXE.
12. Edit AUTOEXEC.BAT.
13. Delete the line @win \recycled\Sirc32.exe.
14. Restart the computer.

To remove the Trojan using the fix tool:

1. Download fix_sircam.com and run the file. It will scan drive C: and its subfolders.
2. If a Trojan is detected, it will prompt you whether to delete the file.
3. The tool will also restore the registry entries modified by the Trojan.
4. Edit AUTOEXEC.BAT.
5. Delete the line @win \recycled\Sirc32.exe.
6. Restart the computer.
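Added example, not part of the pc-cillin write-up or its fix tool: a Python check that applies the three indicators the steps above undo (the exefile open command, the RunServices Driver32 value, and the AUTOEXEC.BAT line) to constructed registry values and file text, and returns a list of findings. Inputs are sample strings, not a live registry read.

```python
import re

# Indicators taken from the removal steps on this page. Inputs are constructed
# strings and dicts, not a live registry read, so the checks run anywhere.
CLEAN_EXEFILE_COMMAND = '"%1" %*'
# The line the worm appends to AUTOEXEC.BAT, with or without a space after "win".
AUTOEXEC_MARKER = re.compile(r'^@?win\s*\\recycled\\sirc32\.exe\s*$', re.IGNORECASE)

def check_exefile_command(value):
    """HKCR\\exefile\\shell\\open\\command (Default): return (hijacked, clean value)."""
    # Anything run before "%1" %* (here C:\Recycled\SirC32.exe) wraps every .EXE
    # launch, which is why the dropper must not be deleted before this is fixed.
    hijacked = value.strip().lower() != CLEAN_EXEFILE_COMMAND.lower()
    return hijacked, CLEAN_EXEFILE_COMMAND

def find_sircam_runservices(values):
    """Return RunServices value names that point at the SCAM32.EXE dropper."""
    return sorted(name for name, data in values.items()
                  if name.lower() == "driver32" or "scam32.exe" in data.lower())

def clean_autoexec(text):
    """Drop the worm's @win \\recycled\\sirc32.exe line; return (removed, new text)."""
    kept, removed = [], 0
    for line in text.splitlines():
        if AUTOEXEC_MARKER.match(line.strip()):
            removed += 1
        else:
            kept.append(line)
    return removed, "".join(line + "\r\n" for line in kept)

def scan(exefile_command, runservices, autoexec_text):
    """Aggregate the three host checks into a list of findings (empty means clean)."""
    findings = []
    if check_exefile_command(exefile_command)[0]:
        findings.append("exefile open command hijacked: " + exefile_command)
    for name in find_sircam_runservices(runservices):
        findings.append("RunServices autostart value: " + name)
    removed = clean_autoexec(autoexec_text)[0]
    if removed:
        findings.append("AUTOEXEC.BAT contains %d worm line(s)" % removed)
    return findings

if __name__ == "__main__":
    # Constructed sample state mirroring an infected Windows 9x host.
    for finding in scan('"C:\\Recycled\\SirC32.exe" "%1" %*',
                        {"Driver32": "C:\\WINDOWS\\SYSTEM\\Scam32.exe"},
                        "@echo off\r\n@win \\recycled\\sirc32.exe\r\n"):
        print(finding)
```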

Technical Details

In the wild: Yes
Trigger condition 1: Upon execution
Payload 1: Deletes files (propagates via email and shared network drives)
Detected by pattern file#: 917
Detected by scan engine#: 5.170
Language: English, Spanish
Platform: Windows
Encrypted: No
Size of virus: 137,216 bytes


Details:
This worm arrives as an email attachment with two extensions (i.e. FNAME.EX1.EX2). FNAME.EX1 is a random file chosen from the infected user's personal folder, which is the folder named in the registry entry below:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Personal

EX2 is one of .LNK, .EXE, or .PIF. The infected email arrives in English or Spanish as follows:

Subject: (name of attached file)
Message body:
ENGLISH:
Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks

SPANISH:
Hola como estas ? Te mando este archivo para que me des tu punto de vista
Nos vemos pronto, gracias.
Attachment: (FNAME.EX1.EX2)

Line 2 of the message can also be any of the following: 

ENGLISH:
I hope you like the file that I sendo you 
This is the file with the information that you ask for
I hope you can help me with this file that I send

SPANISH:
Este es el archivo con la informacion que me pediste
Espero te guste este archivo que te mando
Espero me puedas ayudar con el archivo que te mando

The attachment is a copy of the worm merged with a randomly chosen file from the sender's
computer. When opened, it copies the worm to hidden files, SCAM32.EXE in the System directory and
SIRC32.EXE in the Recycled folder. 
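Added example, not from this page or pc-cillin: a Python mail-filter check that scores a message against the traits just described (a double-extension attachment ending in .LNK, .EXE or .PIF, a subject repeating the attachment name, and the fixed body lines). The sample messages are constructed, and the subject rule assumes the subject is the attachment name minus one or both extensions.

```python
# Mail-gateway style check for the message traits described above. The sample
# messages are constructed, not real captures; the subject rule is an assumption
# that the subject is the attachment name minus one or both extensions.
FINAL_EXTS = {".lnk", ".exe", ".pif"}
# Body lines from the description above, lower-cased; the worm's own typos are kept.
KNOWN_LINES = {
    "hi! how are you?", "see you later. thanks",
    "i send you this file in order to have your advice",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for",
    "i hope you can help me with this file that i send",
    "hola como estas ? te mando este archivo para que me des tu punto de vista",
    "nos vemos pronto, gracias.",
    "este es el archivo con la informacion que me pediste",
    "espero te guste este archivo que te mando",
    "espero me puedas ayudar con el archivo que te mando",
}

def double_extension(name):
    """Split FNAME.EX1.EX2 into (".ex1", ".ex2"); return None for a single extension."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and all(parts):
        return "." + parts[1], "." + parts[2]
    return None

def sircam_indicators(subject, body, attachments):
    """Return the list of SirCam traits found; an empty list means nothing matched."""
    reasons = []
    for name in attachments:
        exts = double_extension(name)
        if not exts or exts[1] not in FINAL_EXTS:
            continue
        reasons.append("double-extension attachment " + name)
        stem = name.lower()[:-len(exts[1])]   # FNAME.EX1
        base = stem[:-len(exts[0])]           # FNAME
        if subject.strip().lower() in (stem, base):
            reasons.append("subject repeats attachment name")
    lines = [l.strip().lower() for l in body.splitlines() if l.strip()]
    hits = sum(1 for l in lines if l in KNOWN_LINES)
    if hits >= 2:   # greeting or closing plus one of the six middle lines
        reasons.append("%d known SirCam body lines" % hits)
    return reasons

if __name__ == "__main__":
    # Constructed English-variant message as described on this page.
    print(sircam_indicators("report",
                            "Hi! How are you?\nI hope you like the file that I sendo you\n"
                            "See you later. Thanks", ["report.doc.pif"]))
```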

The worm adds the registry value below so that it executes at every Windows startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Driver32 = "%systemdir%\Scam32.exe"

It modifies the value below so that it executes whenever an .EXE file is run:

HKCR\exefile\shell\open\command
(Default) = "C:\Recycled\SirC32.exe" "%1" %*

It also creates the registry key below, where it stores its data:

HKLM\Software\SirCam

To hide its malicious activities, it extracts the appended host file to the Temp and Recycled folders, then opens it with the application it is associated with by default (.DOC with MS Word or WordPad, .XLS with MS Excel, .ZIP with WinZip). The Temp folder varies depending on the computer's settings; infected users can run the "set" command at the command prompt to check this folder's actual path.

The worm then searches for files containing email addresses such as .WAB (Windows Address Book) and .HTM, and
sends emails to the addresses. The host file appended at the end of the worm may contain a .DOC, .XLS, or .ZIP file that is
taken from a folder specified in the below entry: 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Personal

It saves the path and filename of host files to the SCD.DLL file and the email addresses it gathered to SC??.DLL files (e.g. SCI1.DLL and SCW1.DLL), all hidden and saved in the System directory (C:\Windows\System).

The worm file stores in the registry the number of email addresses gathered. 

To propagate, it tries to connect to the server that sent an infected email. If it fails, it tries to connect to three other email
servers whose addresses are stored within the worm body and are random in nature. Upon connection, it uses a stored list
of SMTP commands to create and send mail over the Internet. 

To infect via shared drives, it lists all existing network connections. If it finds a share with write access, it searches for the Recycled folder there and copies itself to it as SIRC32.EXE. If it finds an AUTOEXEC.BAT file in the share, it opens this and appends the line:
@win \recycled\sirc32.exe

It searches the shared folder for a Windows directory, then copies RUNDLL32.EXE to RUN32.EXE and itself to
RUNDLL32.EXE. 

When a computer is infected via the network, the worm activates only upon reboot. NT-based operating systems are not affected by this type of attack.

Occasionally, it copies itself to files other than SIRC32.EXE, SCAM32.EXE, or RUNDLL32.EXE. When executed, it deletes all
files and folders in the system. Not all files in the default Windows folder are erased since some may currently be in use. 



Copyright © 2000-2002 Brilliant by Design Media. All Rights Reserved.