Wow, I just found an alert about that virus you are talking about. It's a nasty little bugger (or worm, in this case).
This worm, which was found in the wild in the USA on July 17, has continued to propagate itself in one of two ways. First, this worm spreads itself via an e-mail attachment. The worm uses Windows Address Book to collect e-mail addresses ('*.wab' files). The worm also tries to look for e-mail addresses in the \Temporary Internet Files\ folder ('sho*', 'get*', 'hot*', '*.html'). If a user has a working e-mail account the worm reads its settings. Otherwise '[username]@prodigy.mx.net' is used as the default sender's address and 'prodigy.net.mx' is used for the SMTP server name. The worm has its own SMTP engine and it sends out messages using this engine. The worm also collects a list of files with certain extensions ('.DOC', '.XLS', '.ZIP') into fake DLL files named 'sc*.dll'. The worm then sends itself out with one of the document files it found in a user's 'My Documents' folder. The attached file has the name of a picked document file with a double extension like '.DOC.EXE' or '.XLS.PIF'. The '.COM', '.BAT', '.PIF' and '.LNK' extensions are used as the second (executable) extension. Since the worm can pick any of the user's personal documents, it might send out confidential information.
This worm arrives as an email message with the following content:
Subject: The subject of the email will be random, and will be the same as the file name of the email attachment. Attachment: The attachment is a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.
Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.
English Version:
First line: Hi! How are you?
Last line: See you later. Thanks
Between these two sentences, some of the following text may appear:
Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste
English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for
When a SirCam-infected e-mail attachment is opened it shows the document it picked up from the sender's machine. The file is displayed with the appropriate program according to its extension:
'.DOC': WinWord.exe or WordPad.exe
'.XLS': Excel.exe
'.ZIP': winzip.exe
This effectively disguises the worm's activity. While the user is checking the document, the system gets infected. Lastly, the worm can also spread via Windows network shares. When doing this, it first enumerates all the network shares available to the infected computer. If it is able to write to the \recycled\ folder on a share, a copy of the worm is put in the '\\[share]\recycled\' folder as a 'SirCam32.exe' file. The \\[share]\autoexec.bat file is appended with an extra line: '@win \recycled\SirC32.exe', so the next time an infected computer is rebooted the worm will be started. The worm also copies itself as a 'rundll32.exe' file to the Windows directory of a remote system. The original 'rundll32.exe' file is copied to 'run32.exe' before that.
Virus Impact:
The virus will search through select folders and could mail potentially sensitive files.
There is a probability that it will create a file named C:\Recycled\SirCam.sys which consumes all free space on the C: drive. A full disk will prevent users from saving files to that drive, and in certain configurations impede system-level tasks (e.g., swapping, printing).
W32/SirCam will attempt to propagate by sending itself through email to addresses obtained as described above. This propagation can lead to congestion in mail servers that may prevent them from functioning as expected. NOTE: Since W32/SirCam uses native SMTP routines connecting to pre-defined mail servers, propagation is independent of the mail client software used.
Reports indicate that on October 16 there is a reasonable probability that W32/SirCam will attempt to recursively delete all files from the drive on which Windows is installed (typically C:).
EWWWWWWWW, that's a bad one! (If you have Norton Anti-Virus, make sure your definitions are up to date; I checked and this one is in its "list" of viruses to check for.)