Threat Encyclopedia


Win32/SirCam

Win32/SirCam is a dangerous worm written in Delphi, approximately 137 kilobytes in size.  It spreads both by email and through shared drives on local computer networks.
On local computer networks it spreads as follows: it creates a copy of itself named SirC32.exe in the directory \RECYCLED of every accessible shared network drive.  It then ensures that it is activated on that disk either by adding the line "@win \recycled\SirC32.exe" to the file autoexec.bat, or by renaming the file rundll32.exe to run32.exe and substituting its own copy from the directory \RECYCLED for the original file.
The worm arrives as an attachment to an email message.  The attached file has two extensions, the second of which is pif, com, bat or lnk.  The subject of the message is the name of the attached file.  The body of the message is written in Spanish or in English, chosen according to the preferred language setting: if Spanish is set as the preferred language the text is in Spanish, otherwise it is in English.  The worm assembles the body at random from several pre-selected sentences; the first and the last line of the text are always the same.  The following texts are used in English:

First sentence: Hi! How are you?
Last sentence: See you later. Thanks
Other possible sentences: I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

In Spanish the following texts are used:

First sentence: Hola como estas ?
Last sentence: Nos vemos pronto, gracias.
Other possible sentences: Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informacion que me pediste

Once the attached file is run, the worm is active.  It copies itself under the name Sirc32.exe to the directory C:\RECYCLED and under the name SCam32.exe to the subdirectory \SYSTEM of the directory in which Windows is installed.  To ensure that it is started again after every boot, the worm adds the value Driver32=C:\WINDOWS\SYSTEM\SCam32.exe under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.  It also sets the key HKEY_CLASSES_ROOT\exefile\shell\open\command to the value C:\recycled\SirC32.exe "%1" %*, so that whenever any file with the extension EXE is started, the worm copy is started first.  In the key HKEY_LOCAL_MACHINE\Software\SirCam the worm keeps some data about the currently infected computer, for example the number of times the worm has been executed and the name under which it is stored.
The worm has several trigger routines.  One of them may delete all files on drive C: on October 16th.  Another creates the file sircam.sys in the directory C:\RECYCLED and repeatedly writes the text [SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX] or [SirCam Version 1.0 Copyright (c) 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico] to it until there is no free space left on the disk.
The worm collects the addresses to which it sends its copy in two ways: from files with the extension wab, which contain email address books, and from certain other files on the disk.
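As an added defender-side example (not ESET's code), the following Python checks an offline snapshot of registry values, file paths and autoexec.bat text for the persistence indicators listed in this entry; the snapshot format and the sample data are constructed for the example and are not an ESET API.

```python
import re

# Clean default handler for EXE files; SirCam prepends its own copy to it.
DEFAULT_EXE_COMMAND = '"%1" %*'
RUNSERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
EXE_OPEN = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"

def check_sircam(registry, files, autoexec_text):
    """Return a list of findings; an empty list means no indicator matched.
    registry: {key_path: {value_name: data}} with "" as the (Default) value;
    files: full paths present on disk; autoexec_text: text of autoexec.bat.
    This snapshot format is an assumption of the example, not an ESET API."""
    findings = []
    # 1. RunServices entry pointing at SCam32.exe (the Driver32 value above)
    for name, data in registry.get(RUNSERVICES, {}).items():
        if "scam32.exe" in data.lower():
            findings.append(f"RunServices value {name} = {data}")
    # 2. EXE association hijacked so the worm runs before every EXE file
    command = registry.get(EXE_OPEN, {}).get("", "")
    if command and command.strip() != DEFAULT_EXE_COMMAND:
        findings.append(f"exefile open command is {command!r}")
    # 3. Bookkeeping key the worm keeps about the infected host
    if SIRCAM_KEY in registry:
        findings.append("registry key HKLM\\Software\\SirCam exists")
    # 4. Dropped files: worm copies, the disk-filling sircam.sys, renamed rundll32
    present = {p.lower() for p in files}
    for path in (r"c:\recycled\sirc32.exe", r"c:\recycled\sircam.sys"):
        if path in present:
            findings.append(f"file {path} present")
    if any(p.endswith(r"\run32.exe") for p in present):
        findings.append("rundll32.exe appears to have been renamed to run32.exe")
    # 5. Network-share persistence line added to autoexec.bat
    if re.search(r"^@win\s+\\recycled\\sirc32\.exe", autoexec_text, re.I | re.M):
        findings.append("autoexec.bat starts \\recycled\\SirC32.exe")
    return findings

# Constructed snapshot of an infected host (sample data, not captured from a real system).
INFECTED = {
    RUNSERVICES: {"Driver32": r"C:\WINDOWS\SYSTEM\SCam32.exe"},
    EXE_OPEN: {"": r'C:\recycled\SirC32.exe "%1" %*'},
    SIRCAM_KEY: {},
}
INFECTED_FILES = [r"C:\RECYCLED\SirC32.exe", r"C:\WINDOWS\SYSTEM\SCam32.exe", r"C:\WINDOWS\run32.exe"]
INFECTED_AUTOEXEC = "@echo off\r\n@win \\recycled\\SirC32.exe\r\n"
CLEAN = {EXE_OPEN: {"": '"%1" %*'}}

if __name__ == "__main__":
    for line in check_sircam(INFECTED, INFECTED_FILES, INFECTED_AUTOEXEC):
        print("SirCam indicator:", line)
```

A live collector would fill the same three inputs from the registry, a file listing and C:\autoexec.bat; the checks deliberately compare case-insensitively because the worm mixes Sirc32.exe and SirC32.exe spellings.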

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.