W32/SirCam@MM is a computer virus that appears wide spread as of this writing (I keep receiving it by email several times a day).

As usual, it only infects Windows computers, but annoys Unix users by the way it tries to spread itself: It sends an email with a rather large file attachment to every address it finds in the Windows Address Book and in cached files.

Unfortunately, it uses a different subject every time, so there is no easy way to use a spam filter to prevent the download of the message to the destination system. Thus, even if your system is safe from the virus itself (i.e., you either do not use Windows or know better than to open the attached file), it still affects you by cluttering the Internet bandwidth, and your own email bandwidth.

The body if the email starts with:

Hi! How are you?

It then continues with one of the following:

  • I send you this file in order to have your advice

  • I hope you can help me with this file that I send

  • I hope you like the file that I sendo you

  • This is the file with the information that you ask for

Optionally, it may end with:

See you later. Thanks

Occasionally, the whole text is in Spanish.

The email then continues with a file attachment using a dual extension, e.g. somefile.doc.lnk, again, something quite typical among recent viruses and an immediate tipoff. Alas, enough people do not seem to see the obvious, click on it, get their system infected and keep sending these huge files to everyone in their Windows Address Book.

The virus itself is extremely aggressive in that it modifies an entry in the Windows Registry. As a result, every time any executable file is run, Windows will also load and run the virus.

Hence, this virus does not infect just an individual executable as the past viruses have done, it infects Windows. Savvy computer users have been long saying that Windows is a virus. As of now, in many cases this adage is no longer a smirk remark but the literal truth.

If you need more information, see www.mcafee.com/anti-virus/viruses/sircam/ for detailed instructions how to remove the virus. You may want to send that URL to any friend who emails you the virus (along with a note saying, See, I told you to switch to Unix!).

The Sircam worm (aka W32.Sircam.Worm@mm) was a rather big email worm in July 2001. It will arrive in your inbox with the name of a file as the subject and the same file as an attachment. The message body will be something like:
" I send you this file in order to have your advice. See you later. Thanks."
The message may also appear in Spanish:
"Te mando este archivo para que me des tu punto de vista."
The file is a random file from the previous victim's My Documents folder merged with the virus and given an extra extension. For example, when it got sent to me, I was sent the file patcher.zip which became patcher.zip.pif. The added extensions .BAT, .LNK, .EXE, and .COM have also been seen.

Should you become infected with this worm, it will:
  • Send itself to e-mail addresses that it finds either in HTML files that Internet Explorer has cached, or in Outlook Express/Outlook address books.
  • There is a 1 in 33 chance it will try to fill your hard disk by creating a large text file in C:\recycled\sircam.sys filled with a repetition of
    SirCam Version 1.0 Copyright 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico.
  • There is a 1 in 20 chance it will attempt to delete all files on the C: drive on October 16th.
  • The virus will be merged with a random file from your My Documents folder whenever it is sent to anyone.
To avoid being infected with this virus, simply do not try and open the attachment, no matter how much you think that your advice is needed.

If the file that was sent from the previous victim's My Documents looks interesting, you could possibly open it by saving the file without the second extension and opening it from the appropriate program. I would be sure to use File... Open from the program instead of double clicking on the file especially since Windows will not show some of those extensions even if you have set your View options to show file extensions.

If you have been infected with this virus, a removal tool is available at: http://www.sarc.com/avcenter/FixSirc.com
Info from http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html and my own personal experience being sent (but not infected by - I at least know not to open random attachments) this virus.
I just wish I would have been sent a cool file from the previous victim's My Documents instead of a patch for a game I don't own.

Thanks to ailie for some fixes.
Stavr0: Perhaps you have to hexedit it to get a .doc file out of it, but at least for a .zip file you only have to open it from Winzip (although perhaps it would have yielded corrupted files if I actually tried to extract everything - I only read the readme.txt (uncorrupted) from the .zip archive).... YMMV..
If the file that was sent from the previous victim's My Documents looks interesting, you could possibly open it by saving the file without the second extension and opening it from the appropriate program.

Ok, here's the thing, please don't fucking do this.

But if you REALLY want to: using your favorite HEX editor:
The attachment begins at or around offset 0x0022100, 2 screenfuls after the last bit of virus code which resembles:

naCode..}MIMEcha
r.??IniFiles.??W
inInet..?Graphic
s..?SMTPsend..?M
IMEmess.?*ShellA
PI..8Registry...
..?.?...?.?.?.??
..?.............
The first bytes of a MS-Word document are:
D0 CF 11 E0 A1 B1 1A E1
A zip file is:
50 4B 03 04 0A    PK(heart)(diamond)(circle)

Delete everything before, then re-enable your Virus scanner, put your system in maximum paranoia mode and use QUIKVIEW instead of MSOffice -- you never know, a future SIRCAM variant may introduce a Word Macro virus to attachments it sends out...


Infinity is right, PKZIP/WinZip skips over all the virus code and seeks to the real ZIPfile header.
tlk nnr at slashdot.org posted this one-liner to extract the attachment:
dd if=sircam.doc.exe of=clean.doc bs=1 skip=137216
Download the unxutils for Win32 to obtain the DD.EXE utility.

A handy tip:

Pete Krawczyk <petek at mc.net> has noticed a very interesting property of all mail sent by the SirCam worm:

The SMTP headers of a message usually include a line that begins:

Date:

However, SirCam mail has a lower-case "date:" header. One copy I received, for example, says:

date: Tue, 24 Jul 2001 00:40:16 -0400

Krawczyk says that this appears to be unique among SMTP clients.

You can therefore configure your SMTP server to reject all messages with a header line matching /^date:/ and you'll save not only lost files but lots of bandwidth.

God, I love it when a criminal makes a mistake...

SOURCE: the SecurityFocus incidents list

This is a simple addendum in reference to the way this particular virus also spreads across the network.

Once a machine is infected it will check the network for C: drives of which it can access. Upon successfully finding an available share it will attempt to copy itself into the c:\temp\ or c:\recycled\ directory. Once it has accomplished this task it will proceed to add a call to said executable into the c:\autoexec.bat file. This has the result that on reboot the new host will have been infected fully and start spreading itself again. (As long as autoexec.bat has been executed)

This does not seem to have been noted by either Symantec or McAfee and it is important to be aware of the fact that although you may be vigilant on opening email attachments you can still get infected. It is therefore vital to make sure that network shares are password protected or at the very least not available to everyone on the domain.

Removal and Disinfection
(You'll be leaving the Internet soon, so print these instructions now).

I. Download

    A. Download and save the undosirc.reg file to a floppy disk by following these instructions:

      1. Go Here: www.ukans.edu/acs/virus/undosirc.reg

      2. In the Save dialog box, select My Computer from the Save in: pull-down menu at the top of the page.

      3. Double-click the A:\ drive.

      4. Click the Save button.

II. Disconnect from the Internet.

III. In Windows, click the Start button on your Taskbar and select Run...

    A. In the box, type A:\undosirc.reg and click the OK button.

    B. A Windows dialog box will display with the following question:

    Are you sure you want to add the information in A:\undosirc.reg to the registry?

    Click YES.

    C. A Windows dialog box will display the following confirmation:

    Information in the c:\undosirc.reg has successfully entered into the registry.

    Click OK .

    D. Remove the line "@win \recycled\SirC32.exe" (if present) from the AUTOEXEC.BAT file.

      1. Open Notepad (click the Start button, select Programs, then select Accessories, then click Notepad).

      2. In Notepad, go to File/Open. In the File name: box, type in C:\autoexec.bat and click Open.

      3. Look for a line reading "@win \recycled\SirC32.exe". If there is such a line, highlight and delete it. If not, exit Notepad without saving.

      4. Click the File menu and choose Save, then exit Notepad.

    E. Shut down, then restart your computer.

    F. After your computer has restarted:

      1. Empty the Recycle Bin.

      2. In Windows, click the Start button on your Taskbar and select Find -> and Files or Folders. Make sure the Look In box (bottom most box) is to set to look in the hard drive (C:, usually).

      3. In the Named box, type scam32.exe.

      4. Click the Find Now button.

      5. scam32.exe should appear in the lower window of the finder and should be highlighted (if not highlighted, click it once to select it).

      6. Press the DELETE key (on your keyboard).

      Note: This virus infects computers in several ways, depending on how it was transmitted, so some of the following files may not be present on your computer.

      7. In the Named box, replace scam32.exe with scmx32.exe, and click the Find Now button.

      8. If you find a file with this name, click once on it to select it and press the DELETE key.

      9. In the Named box, replace scmx32.exe with sircam32.exe, and click the Find Now button.

      10. If you find a file with this name, click once on it to select it and press the DELETE key.

      11. In the Named box, replace sircam32.exe with Microsoft Internet Office.exe, and click the Find Now button.

      12. If you find a file with this name, click once on it to select it and press the DELETE key.

      13. In the Named box, replace Microsoft Internet Office.exe with run32.exe, and click the Find Now button.

      14. If you find a file with this name, DON'T DELETE IT! This file has been renamed by the virus, but is not part of the infection. If run32.exe is found, complete these additional steps:

        a. In the Named box, replace run32.exe with rundll32.exe, and click the Find Now button.

        b. When found, click once on rundll32.exe to select it and press the DELETE kay.

        c. search for run32.exe again, and rename it to rundll32.exe.

        To rename a file, right-click it and select Rename, type in the new name (rundll32.exe), and press Enter to accept the change.

      15. Empty the Recycle bin.

Log in or register to write something here or to contact authors.