The Sircam worm was first detected in July 2001 and
reached worldwide distribution in less than a week. Sircam
combines features not seen in earlier worms with exploits
known from older worms.
Typical signs: An incoming e-mail with a subject
line that is identical to the file name of the attachment,
but without the double extension. The message body
starts with "Hi! How are you?" and the attachment
file has a double extension, for example name.xls.bat,
name.zip.lnk, etc. By definition, double extension file names
of e-mail attachments disclose an intent to deceive and should
be discarded without opening. The presence of a file named
SCAM32.EXE in the system directory, and the value
'Driver32' in the startup queue list, are clear indications
that Sircam is active on that computer!
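The three "typical signs" above, written as a mail-filter check. This is an added example, not NetZ Computing's or InVircible's code: it flags a message whose attachment carries a double extension, whose subject equals the attachment name with both extensions stripped, and whose body opens with the greeting. The sample message and the executable extensions beyond .bat and .lnk are assumptions.

```python
import re
from email.message import EmailMessage

# .bat and .lnk come from the advisory; .exe/.com/.pif are an assumption about
# other extensions Windows treats as executable.
EXECUTABLE_EXTS = {"bat", "lnk", "exe", "com", "pif"}
GREETING = "Hi! How are you?"

def double_extension(filename):
    """Return (base, inner, outer) for a name like name.xls.bat whose outer
    extension is executable and inner one is not; otherwise None."""
    m = re.fullmatch(r"(.+)\.([a-z0-9]+)\.([a-z0-9]+)", filename.lower())
    if m is None:
        return None
    base, inner, outer = m.groups()
    if outer in EXECUTABLE_EXTS and inner not in EXECUTABLE_EXTS:
        return base, inner, outer
    return None

def sircam_indicators(msg):
    """Return the advisory's signs that this EmailMessage matches, in order:
    body_greeting, double_extension, subject_equals_base_name."""
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if body.lstrip().startswith(GREETING):
        hits.append("body_greeting")
    for part in msg.iter_attachments():
        ext = double_extension(part.get_filename() or "")
        if ext is None:
            continue
        hits.append("double_extension")
        # Subject identical to the attachment name minus both extensions.
        if subject == ext[0]:
            hits.append("subject_equals_base_name")
    return hits

def build_sample(subject, body, attachment_name):
    """Construct a test message offline (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content(body)
    msg.add_attachment(b"constructed attachment bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg

if __name__ == "__main__":
    sample = build_sample("Report", "Hi! How are you?\n\nSee the attached file.", "Report.xls.bat")
    print(sircam_indicators(sample))
```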
Distribution: The main distribution channel outside
the enterprise is e-mail. In the network environment, Sircam
spreads even faster through open shares. Sircam uses its
own SMTP engine for sending copies of itself and doesn't
depend on Outlook for e-mailing, as previous worms did. Another
feature that makes Sircam such a "success" is
the methods it uses to harvest e-mail addresses to which
it sends its copies. The recipients of the infected e-mail
are picked from the WAB files (Windows address book), as
well as from the Internet cache files. As a result, anyone
whose e-mail address appears in a page that you
once browsed may receive the files that Sircam
took from your disk, if you happen to be infected.
Payload and risks: The most annoying aspect of Sircam
is the leaking of sensitive documents. The infectious attachment
that Sircam sends consists of the worm dropper and installer,
to which it appends a document (or spreadsheet, picture,
or archive) taken from the sender's hard drive. Sircam
also has a destructive payload that attempts to delete all
files from the C: drive on October 16, as well as occasionally
filling all free space on the C: drive.
Self protection: InVircible users are inherently
protected from Sircam and the like. Private users should especially
pay attention to messages issued by the IV startup queue
monitor. A new item unexpectedly installed in the startup
queue is almost surely a Trojan, worm, or hacking tool,
and should be discarded prior to restarting Windows. Corporate
users are taken care of through centralized monitoring and
control, provided by the new real time IV Command and Control
module. System administrators who haven't yet installed
the module are urged to do so without delay.
Removal: Either run xSircam directly from the web
server, or locally, from the Windows desktop, after having
saved the downloaded file to disk. Restart Windows immediately
after having run the Sircam cleaner program. Running xSircam
a second time after restarting Windows may be required
to get rid of all residues that the worm left on the computer.
Be warned! Removing the Sircam files with some AV
products (not IV) may leave the computer with an inoperable
Windows (applications will not run!). In that case, you
can still use the following method to restore functionality
of the operating system:
Under Windows 95/98 and Me: Download MakeResq and
xSircam to your desktop, then rename makeresq.exe
to makeresq.com. Insert a newly formatted, empty diskette
in drive A: and run makeresq.com by double-clicking its
icon. This creates a bootable rescue floppy for your
computer. Copy xsircam.com to the floppy when done. Reboot
the computer from the floppy, and run XSIRCAM
from it at the A: prompt. Restart the computer and
Windows should resume full operation.
Under Windows 2000/XP: Download
xSircam to your desktop, then restart Windows into
safe mode (press F8 several times while the computer restarts
and select Safe mode from the multiboot menu). When in safe
mode, run XSIRCAM from the desktop a couple of times. Reboot
and all should be well.
© NetZ Computing, manufacturers of InVircible