Virus

VIRUS

OK, I would not normally do this… but in the last 24 hours I have had 15
mails containing this virus and one of them is from Casey at Unicycle.com. The
virus is a particularly nasty one and appeals to people who are not
expecting malicious mails from friends… you know, wording etc.

The mail does not use ms to mail your mailing list so you will not find
any attachments in your sent mail (note cs).

Here is what McAfee said about it:

Summary
Virus Name: W32/SirCam@MM
Risk Assessment: High

Virus Information
Discovery Date: 07/17/2001
Origin: Unknown
Length: 137,216
Type: Virus
SubType: E-mail
Minimum DAT: 4148
Minimum Engine: 4.0.70
DAT Release Date: 07/18/2001
Description Added: 07/17/2001

Virus Characteristics

Jul 23 - Due to the increase in samples, the risk assessment for
W32/SirCam@MM has been updated to a HIGH risk. AVERT will be releasing the
4149 DATs (the full set and incrementals) to include scanning of files
with the .LNK extension mentioned below. VirusScan TC and VirusScan
4.51 users can take advantage of this if they are using the default
extension list.

The 4149s will be available shortly. Please check here for the update -
http://www.mcafeeb2b.com/naicommon/download/dats/find.asp

All other users must update the extension list as noted below or SCAN ALL
FILES.

Jul 22 - For detection of W32/SirCam@MM, the LNK and PIF extensions need
to be present on the extension list or SCAN ALL FILES must be chosen.

This mass-mailing virus attempts to send itself and local documents to all
users found in the Windows Address Book and email addresses found in
temporary Internet cached files (web browser cache).

It may be received in an email message containing the following
information:

Subject: [filename (random)]
Body:
Hi! How are you?

I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for

See you later. Thanks

— the same message may be received in Spanish —

Hola como estas ?

Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste

Nos vemos pronto, gracias.

— end message —

Attached will be a document with a double extension (the filename
varies). The first extension will be the file type which was prepended by
the virus. When run, the document will be saved to the C:\RECYCLED folder
and then opened while the virus copies itself to C:\RECYCLED\SirC32.exe to
conceal its presence and creates the following registry key value to load
itself whenever .EXE files are executed:

HKCR\exefile\shell\open\command
\Default="C:\recycled\SirC32.exe" "%1" %*

As the RECYCLE BIN is often on the exclusion list, check your settings to
ensure that this directory IS being scanned.

It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and
creates the following registry key value to load itself automatically:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP
files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd
character of the name appears to be random) in the SYSTEM directory. Email
addresses are gathered from the Windows Address Book and temporary
Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd
character of the name appears to be random) in the SYSTEM directory.

The worm prepends a copy of the files that are named in the SCD.DLL file
and attaches this copy to the email messages that it sends via a built-in
routine for communicating directly with an SMTP server, using one of the
following extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in
attachment names having double extensions.

The program creates a registry key to store variables for itself (such as
a run count, and SMTP information):

HKLM\Software\Sircam

The virus may also infect other systems by using open network shares. On
remote systems the file \windows\rundll32.exe might get replaced with a
viral copy. On those systems, it might also append the autoexec.bat with
the line:

@win \recycled\sirc32.exe

Aside from e-mail overloading, it might delete files on 16 October and/or
fill up hard disk space by adding text entries over & over again to a
sircam recycle bin file.

Symptoms
Presence of SCam32.exe in the WINDOWS SYSTEM directory.

Method Of Infection
This virus sends itself, as an executable, to email recipients found in
the Windows Address Book and addresses found in cached files. This
executable is appended with a document if one is found in the MY DOCUMENTS
folder. The mailing routine talks SMTP to a server and will use the server
address found in infected executables. This address is presumably captured
from the victim's machine which sent the virus to you. If that server is
not in operation, or if relaying is not permitted, the virus attempts to
use each of these three servers, stopping when the first successful send
occurs.

doubleclick.com.mx
enlace.net
goeke.net

Removal Instructions
Use specified engine and DAT files for detection and removal.

Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files
automatically to the C:\_Restore folder. This means that an infected file
could be stored there as a backup file, and VirusScan will be unable to
delete these files. These instructions explain how to remove the infected
files from the C:\_Restore folder.

Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the
files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5
remove the check mark next to "Disable System Restore". The infected files
are removed and the System Restore is once again active.

Registry Entries:
The W32/SirCam@MM virus makes changes to the registry.

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

HKLM\Software\Sircam

In Infected state:
HKCR\exefile\shell\open\command
\Default="C:\recycled\SirC32.exe" "%1" %*

In Clean state this should be:
HKCR\exefile\shell\open\command
\Default="%1" %*

Note that manual modification of registry items is dangerous and should
not be needed at all as VirusScan will clean all the registry items
automatically.

Download self-extracting EXTRA.DAT
Not needed if you are already using DAT 4148.
ZIP
SDAT

Variants
Name / Type / Sub Type / Differences: no known variants

Aliases
Name: no known aliases

++++++++++++++++++++++++
I hope this helps… I know that I am not an expert at this at all but maybe
there are others who know more than I do. I know that "Shetland
bouncing boy" (Neil Dunlop) saved my bacon on this one and might be able
to add more to this mail.

Roger

The UK's Unicycle Source
http://www.unicycle.uk.com/

----- Original Message ----- From: “John Drummond”
<unicycle@bellsouth.net> To: “Mark Scarbrough” <unione@bellsouth.net>
Sent: Wednesday, July 25, 2001 2:57 PM Subject: IMPORTANT!

You may have received email from this address earlier. DO NOT OPEN IT!!!
That message contains a virus. Thanks for your cooperation!

Best Regards,

The Team at Unicycle.com www.Unicycle.com 1-800-Unicycle


----- Original Message ----- From: “circles” <not@email.net> To:
<unicycling@winternet.com> Sent: Wednesday, July 25, 2001 5:49 PM Subject:
Re: IMPORTANT!

> Thank you for the warning. This morning I bought the adult trainer 24"
> unicycle from your website, but there were no file attachments when I
> received your confirmation email. However, I was using my yahoo email
> account and "maybe" yahoo choked off that virus.
>
> -cb
>
> "John Drummond" <unicycle@bellsouth.net> wrote in message
> news:013901c11513$92de7920$6401a8c0@compaq1… You may have received
> email from this address earlier. DO NOT OPEN IT!!! That message
> contains a virus. Thanks for your cooperation!
>
> Best Regards,
>
> The Team at Unicycle.com www.Unicycle.com 1-800-Unicycle
>

This message was sent using Freezone Web Mail.
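A heuristic check for the mail pattern McAfee describes above (an attachment with a double extension ending in .BAT/.COM/.EXE/.LNK/.PIF, a subject equal to the attachment's base name, and one of the listed English or Spanish body lines), written as an added example for this thread; it is not McAfee's code and not from anyone on the list. The sample messages are constructed here and the addresses in them are placeholders. It flags a message when the attachment indicator is present together with at least one of the two text indicators, so a legitimate "Report.doc.zip" or a friend who happens to write "how are you" does not trip it on its own.

```python
# Added example for this thread: flags mail matching the W32/SirCam@MM
# pattern quoted from McAfee above. Not McAfee's code, not from the list.
import email
import re
import unicodedata
from email import policy
from email.message import EmailMessage

# Final extensions the advisory says the worm appends to the stolen document.
WORM_EXTS = {".bat", ".com", ".exe", ".lnk", ".pif"}

# Body lines from the advisory (English and Spanish), accent-stripped and
# lower-cased to match the output of _norm() below.
BODY_PHRASES = (
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la informacion que me pediste",
)


def _norm(text):
    """Lower-case, strip accents and collapse whitespace for loose matching."""
    text = unicodedata.normalize("NFKD", str(text))
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"\s+", " ", text).strip().lower()


def split_double_extension(filename):
    """Return (stem, inner_ext, outer_ext) for names like 'Report.doc.pif'
    whose outer extension is one the worm uses; otherwise None."""
    m = re.fullmatch(r"(.+?)(\.[A-Za-z0-9]{1,5})(\.[A-Za-z0-9]{1,5})",
                     filename.strip())
    if not m:
        return None
    stem, inner, outer = m.groups()
    if outer.lower() not in WORM_EXTS:
        return None
    return stem, inner.lower(), outer.lower()


def analyse(raw):
    """Evaluate the advisory's three indicators on one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = _norm(msg["Subject"] or "")
    body, attachments = "", []
    for part in msg.walk():
        if part.is_attachment():
            attachments.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    nbody = _norm(body)
    hits = {
        "worm_attachment": [],
        "subject_is_attachment_stem": False,
        "body_phrase": any(p in nbody for p in BODY_PHRASES),
    }
    for name in attachments:
        parts = split_double_extension(name)
        if parts:
            hits["worm_attachment"].append(name)
            if _norm(parts[0]) == subject:
                hits["subject_is_attachment_stem"] = True
    return hits


def is_sircam_like(raw):
    """Attachment indicator plus at least one of the two text indicators."""
    h = analyse(raw)
    return bool(h["worm_attachment"]) and (
        h["body_phrase"] or h["subject_is_attachment_stem"])


def build_sample(subject, body, filename, payload=b"MZ-not-a-real-binary"):
    """Constructed sample message for testing; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: one English lure, one Spanish lure, one benign mail.
WORM_SAMPLE = build_sample(
    "Expenses",
    "Hi! How are you?\n\nI hope you like the file that I sendo you\n\n"
    "See you later. Thanks\n", "Expenses.xls.pif")
SPANISH_SAMPLE = build_sample(
    "Fotos",
    "Hola como estas ?\n\nEste es el archivo con la información que me "
    "pediste\n\nNos vemos pronto, gracias.\n", "Fotos.zip.exe")
BENIGN_SAMPLE = build_sample(
    "Order confirmation",
    "Thanks for your order; your 24\" trainer ships today.\n", "invoice.pdf")
```

Run it over a mailbox by passing each message's raw bytes to is_sircam_like(); analyse() returns the individual indicators so a hit can be explained in a log line. The regex deliberately does not restrict the inner extension, because the advisory says the first extension is simply whatever type the stolen document had.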

Roger,

Thank you thank you thank you - a friend has been infected with this virus
and we are trying to figure out how to clean it. Fortunately I did not
open the file. Hopefully the information you’ve sent will give us some
tips on removing it.

Cheers, Graham W. Boyes

<Roger@unicycle.uk.com> wrote in message
news:200107252303.f6PN34W19490@ms1.freezone.co.uk
> VIRUS
>
> ok I would not normally do this… but in the last 24 hours I have 15 mails