
Sircam worm

The Sircam worm was first detected in July 2001 and reached worldwide distribution in less than a week. Sircam uses features that were first seen here, as well as exploits known from older worms.

Typical signs: An incoming e-mail whose subject line is identical to the file name of the attachment, minus the double extension. The message body starts with “Hi! How are you?” and the attachment has a double extension name, for example name.xls.bat, name.zip.lnk, etc. By definition, double extension file names on e-mail attachments disclose an intent to deceive and should be discarded without opening. The presence of a file named SCAM32.EXE in the system directory, and the value 'Driver32' in the startup queue list, are clear indications that Sircam is active on that computer!
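The signs listed above, expressed as detection logic in Python. This is an added example, not code from the original article or from InVircible; the message and host listing it runs on are constructed samples, and the executable extensions beyond the article's .bat and .lnk are an assumption.

```python
import re

# Indicators taken from the article: the greeting, a double-extension attachment
# whose base name (minus both extensions) is reused as the subject, SCAM32.EXE
# in the system directory, and a 'Driver32' value in the startup queue.
GREETING = "Hi! How are you?"
DROPPER_FILE = "scam32.exe"
STARTUP_VALUE = "driver32"
# .bat/.lnk are from the article; .exe/.com/.pif are assumed additions (other executable types).
EXEC_EXTS = {"bat", "lnk", "exe", "com", "pif"}

DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<inner>[A-Za-z0-9]{1,4})\.(?P<outer>[A-Za-z0-9]{1,4})$")

def split_double_extension(filename):
    """Return (stem, inner, outer) for names like budget.xls.bat, else None."""
    m = DOUBLE_EXT.match(filename.strip())
    return (m["stem"], m["inner"].lower(), m["outer"].lower()) if m else None

def email_indicators(subject, body, attachment_names):
    """Return the list of Sircam signs found in one message."""
    hits = []
    if body.lstrip().startswith(GREETING):
        hits.append("greeting")
    for name in attachment_names:
        parts = split_double_extension(name)
        if parts is None:
            continue
        stem, _inner, outer = parts
        hits.append(f"double_extension:{name}")
        if outer in EXEC_EXTS:
            hits.append(f"executable_outer:{outer}")
        if subject.strip().lower() == stem.lower():  # subject reuses the stolen file's name
            hits.append(f"subject_equals_attachment:{stem}")
    return hits

def host_indicators(system_dir_files, startup_values):
    """Check a system-directory listing and the startup-queue value names."""
    hits = []
    if any(f.lower() == DROPPER_FILE for f in system_dir_files):
        hits.append("scam32.exe_present")
    if any(v.lower() == STARTUP_VALUE for v in startup_values):
        hits.append("driver32_startup_entry")
    return hits

if __name__ == "__main__":
    # Constructed sample message and host listing, not a real capture.
    print(email_indicators("Budget2001", "Hi! How are you?\n\nSee attached.", ["Budget2001.xls.bat"]))
    print(host_indicators(["KERNEL32.DLL", "SCAM32.EXE"], ["Driver32"]))
```

A message that shows the greeting together with a subject matching a double-extension attachment has all three mail signs the article describes and can be quarantined without opening it.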

Distribution: The main distribution channel outside the enterprise is e-mail. In the network environment, Sircam spreads even faster through open shares. Sircam uses its own SMTP engine for sending copies of itself and does not depend on Outlook for e-mailing, as previous worms did. Another feature that makes Sircam such a "success" is the method it uses to harvest the e-mail addresses to which it sends its spawns. The recipients of the infected e-mail are picked from the WAB files (Windows address book), as well as from the Internet cache files. As a result, anyone whose e-mail address appears in a page that you once browsed may receive the files that Sircam took from your disk, if you happen to be infected.

Payload and risks: The most annoying aspect of Sircam is the leaking of sensitive documents. The infectious attachment that Sircam sends consists of the worm dropper and installer, to which it appends a document (or spreadsheet, picture, or archive) taken from the sender’s hard drive. Sircam also has a destructive payload that attempts to delete all files from the C: drive on October 16, as well as occasionally filling all free space on the C: drive.

Self protection: InVircible users are inherently protected from Sircam and the like. Private users should pay particular attention to messages issued by the IV startup queue monitor. A new item unexpectedly installed in the startup queue is almost surely a Trojan, worm, or hacking tool, and should be discarded prior to restarting Windows. Corporate users are taken care of through the centralized monitoring and control provided by the new real time IV Command and Control module. System administrators that haven't yet installed the module are urged to do so without delay.

Removal: Either run xSircam directly from the web server, or locally from the Windows desktop after saving the downloaded file to disk. Restart Windows immediately after running the Sircam cleaner program. Running xSircam a second time after the restart may be required to get rid of all residues that the worm left on the computer.

Be warned! Removing the Sircam files with some AV products (not IV) may leave the computer with an inoperable Windows (applications will not run!). In that case, you can still use the following method to restore the operating system to working order:

Under Windows 95/98 and Me: Download MakeResq and xSircam to your desktop, then rename makeresq.exe to makeresq.com. Insert a newly formatted, empty diskette in drive A: and run makeresq.com by double clicking its icon. This creates a bootable rescue floppy for your computer. Copy xsircam.com to the floppy when done. Now reboot the computer from the floppy and run XSIRCAM from it at the A: prompt. Restart the computer and Windows should resume full operation.

Under Windows 2000/XP: Download xSircam to your desktop, then restart Windows into safe mode (press F8 several times when the computer restarts and select Safe mode from the multiboot menu). When in safe mode, run XSIRCAM from the desktop a couple of times. Reboot and all should be well.

Users that are new to InVircible are advised to install the software to prevent infections in the first place, and stay clean.

Sircam related story in Newsbytes

Last modified: 15 Jan 2003
