W32/Sircam-A is a network-aware worm. The worm spreads via email and by using open network shares. The worm arrives in an email with a random subject which is identical to the attached filename.

The attached filename is also randomly chosen, but it has a double extension (for instance, .doc.com or .mpg.pif).

If the attachment is opened, the worm copies itself into the Windows System directory with the filename scam32.exe. The worm also copies itself as a file called sirc32.exe to the Recycled files directory with its file attributes set to hidden.

The worm changes the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\Driver32 so that it runs on Windows startup. The registry key HKCR\exefile\shell\open\command is also changed so that the worm runs before any other executable file is opened.

The worm uses the registry key HKLM\Software\SirCam to save data used internally by the worm code.

If the worm finds any open network share, it will attempt to copy itself into the Windows directory on the machine with an open share, with the filename rundll32.exe. The original rundll32.exe file is renamed to run32.exe. If this is successful, the worm changes the file autoexec.bat so that it includes a command to run the worm file previously dropped to the C:\recycled directory.

The worm contains its own SMTP routine which is used to send email messages to email addresses found in the Windows address book and the temporary internet folder, where cached internet files are kept.

The first and last lines of every email message sent by the worm are fixed; which pair is used depends on the operating system's default language.

If the default language is English, the first line of the message will be:

"Hi! How are you?"

It then chooses one of the following four sentences as the next line of the message:

"I send you this file in order to have your advice"

"I hope you like the file that I sendo you"

"I hope you can help me with this file that I send"


"This is the file with the information you ask for"

The last line of the message always reads:

"See you later. Thanks".

If the default language is Spanish, the first line of the message will be:

"Hola como estas ?"

It then chooses one of the following four sentences as the next line of the message:

"Te mando este archivo para que me des tu punto de vista"

"Espero te guste este archivo que te mando"

"Espero me puedas ayudar con el archivo que te mando"


"Este es el archivo con la informacion que me pediste"

The last line of the message always reads:

"Nos vemos pronto, gracias.".
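The message traits described above (a subject matching the attachment name, a double extension, and fixed first and last body lines) are enough for a mail-filter heuristic. The following is an added example, not part of the original description; the function names, the executable extensions other than .com and .pif, and the loose subject comparison are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Fixed first/last body lines quoted in the description, keyed by language.
FIXED_LINES = {
    "en": ("Hi! How are you?", "See you later. Thanks"),
    "es": ("Hola como estas ?", "Nos vemos pronto, gracias."),
}
# .com and .pif are the description's examples; the others are an assumption.
EXEC_EXTS = {"com", "pif", "exe", "bat", "lnk"}

def sircam_indicators(raw: bytes) -> list:
    """Return the sorted names of the indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = set()
    for part in msg.iter_attachments():
        pieces = (part.get_filename() or "").strip().lower().split(".")
        # Double extension: name.<anything>.<executable extension>
        if len(pieces) >= 3 and pieces[-1] in EXEC_EXTS:
            hits.add("double_extension")
            # Assumption: "identical" may mean with or without the extensions.
            k = len(pieces)
            stems = {".".join(pieces[:n]) for n in (k, k - 1, k - 2)}
            if subject and subject in stems:
                hits.add("subject_matches_attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for lang, (first, last) in FIXED_LINES.items():
        if lines and lines[0] == first and lines[-1].rstrip(".") == last.rstrip("."):
            hits.add("fixed_body_" + lang)
    return sorted(hits)

def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "a@example.com", "b@example.com"
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    suspicious = build_sample(
        "budget", "Hi! How are you?\nI send you this file in order to have "
        "your advice\nSee you later. Thanks\n", "budget.doc.pif")
    print(sircam_indicators(suspicious))
```

Any single indicator is weak on its own; the three together are what the description makes distinctive.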

The worm contains a number of destructive payloads.

There is a 1 in 50 chance that the virus will create a file called Sircam.sys in the Recycled directory (usually found at c:\recycled) which is filled with one of two phrases:



[SirCam Version 1.0 Copyright - 2000 2rP Made in / Hecho en -Cuitzeo, Michoacan Mexico]

until there is no hard disk space remaining.

The virus contains a destructive payload that can be activated if one of the standard files W32/Sircam drops (for instance, Sirc32.exe or Scam32.exe) is renamed and then launched.

The virus author also intended this payload to trigger on 16 October, with a 1 in 20 chance, if the infected computer's date settings had been set to display the date in dd/mm/yyyy format (for instance, 16/10/2001). However, because of a bug in the virus code, this date payload is not activated.