Author Topic: Can I please have your advice virus  (Read 751 times)

Offline soundifound
  • Disconnected
  • Hero Member
  • *****
  • Posts: 808
  • Karma: +10/-0
Can I please have your advice virus
« on: July 25, 2001, 06:11:03 PM »
How many times have you gotten it?  I've gotten it 3 times already and it's damn annoying.  I got it a week ago before it spread and was fortunate enough not to open the attachment.
Perspective pries your once weighty eyes and it gives you wings

Offline soundifound
  • Disconnected
  • Hero Member
  • *****
  • Posts: 808
  • Karma: +10/-0
Can I please have your advice virus
« Reply #1 on: July 25, 2001, 06:18:22 PM »
Correction, I've just gotten two more!  Here's what it says.  So be careful if you get one.

Hi! How are you?
 
I send you this file in order to have your advice
 
See you later. Thanks
Perspective pries your once weighty eyes and it gives you wings

Offline Samwise
  • Moderator
  • Legendary Member
  • ******
  • Posts: 12129
  • Karma: +10/-0
    • http://151.200.3.8/~vze29k6v/you.html
Can I please have your advice virus
« Reply #2 on: July 26, 2001, 12:17:59 AM »
Heh, I don't care about those vira, as long as it's in attachments. I never ever ever open anything from people I don't know (and I don't open anything from people I know, if I can't see what the file is about). I'm sorry to say, but these vira spread because of stupid people. :D

Oh, and it helps not being American/English as well. I don't have many Danish friends writing to me for advice in English. :laughing:
RRRRRRRRRRRRRRRRRRAPETIME!
(thanks Chizzy!)

Offline AlteredBeast
  • Old Member
    "Knows his stuff,
    and yours too!"

  • Legendary Member
  • ******
  • Posts: 3241
  • Karma: +10/-0
    • http://www.sega.com
Can I please have your advice virus
« Reply #3 on: July 26, 2001, 05:41:31 PM »
Yes JC632X, you may have my advice.


Virus Jacob
A funny gesture.

Offline Aaron
  • MODERATOR

  • Legendary Member
  • ******
  • Posts: 2210
  • Karma: +10/-0
    • http://www.espn.com
Can I please have your advice virus
« Reply #4 on: July 26, 2001, 06:11:15 PM »
Idiots send it to me three or four times a day. Between all of my addresses that are posted at sites that I work at, it's driving me nuts.

Offline AlteredBeast
  • Old Member
    "Knows his stuff,
    and yours too!"

  • Legendary Member
  • ******
  • Posts: 3241
  • Karma: +10/-0
    • http://www.sega.com
Can I please have your advice virus
« Reply #5 on: July 26, 2001, 06:14:47 PM »
I subscribe to nothing.

I check my mail once a week, if that. Nobody knows my email addy (razzyfantasticat@sega.net , BTW) so the only mail I get is from UGTZ members, SonyFan, Sega, my SMS BBS, and my ebay late payment notices.


Eric Jacob
A funny gesture.

  • Guest
Can I please have your advice virus
« Reply #6 on: July 26, 2001, 07:01:34 PM »
Wow, I just found an alert about that virus you are talking about.   It's a nasty little bugger (or worm, in this case).

This worm, which was found in the wild in the USA on July 17, has continued to propagate itself in one of two ways. First, this worm spreads itself via an e-mail attachment. The worm uses Windows Address Book to collect e-mail addresses ('*.wab' files). The worm also tries to look for e-mail addresses in \Temporary Internet Files\ folder ('sho*', 'get*', 'hot*', '*.html'). If a user has a working e-mail account the worm reads its setting. Otherwise the '[username]@prodigy.mx.net' is used as the default sender's address and 'prodigy.net.mx' is used for the SMTP server name. The worm has its own SMTP engine and it sends out messages using this engine. The worm also collects a list of files with certain extensions ('.DOC', '.XLS', '.ZIP') into fake DLL files named 'sc*.dll'. The worm then sends itself out with one of the document files it found in a user's 'My Documents' folder. The attached file has the name of a picked document file with a double extension like '.DOC.EXE', '.XLS.PIF'. The '.COM', '.BAT', '.PIF' and '.LNK' are used as second (executable) extensions. Since the worm can pick any of the user's personal documents it might send out confidential information.

This worm arrives as an email message with the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the email attachment.

Attachment: The attachment is a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.

Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.

English Version:
First line: Hi! How are you?
Last line: See you later. Thanks

Between these two sentences, some of the following text may appear:

Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste

English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

When a SirCam-infected e-mail attachment is opened it shows the document it picked up from the sender's machine. The file is displayed with the appropriate program according to its extension:

'.DOC': WinWord.exe or WordPad.exe
'.XLS': Excel.exe
'.ZIP': winzip.exe

This effectively disguises the worm's activity. While the user is checking the document the system gets infected.

Lastly, the worm can also spread via Windows network shares. When doing this, it first enumerates all the network shares available to the infected computer. If it is able to write to the \recycled\ folder on a share, a copy of the worm is put to '\\[share]\recycled\' folder as 'SirCam32.exe' file. The \\[share]\autoexec.bat file is appended with an extra line: '@win \recycled\SirC32.exe', so next time when an infected computer is rebooted the worm will be started. The worm also copies itself as 'rundll32.exe' file to Windows directory of a remote system. The original 'rundll32.exe' file is copied to 'run32.exe' before that.


Virus Impact:

The virus will search through select folders and could mail potentially sensitive files.
There is a probability that it will create a file named C:\\Recycled\\SirCam.sys which consumes all free space on the C: drive. A full disk will prevent users from saving files to that drive, and in certain configurations impede system-level tasks (e.g., swapping, printing).
W32/SirCam will attempt to propagate by sending itself through email to addresses obtained as described above. This propagation can lead to congestion in mail servers that may prevent them from functioning as expected. NOTE: Since W32/SirCam uses native SMTP routines connecting to pre-defined mail servers; propagation is independent of the mail client software used.
Reports indicate that on October 16 there is a reasonable probability that W32/SirCam will attempt to recursively delete all files from the drive on which Windows is installed (typically C:)



EWWWWWWWW, that's a bad one!  (If you have Norton Anti-Virus, make sure your definitions are up to date, I checked and this one is in its "list" of viruses to check for.)
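
The message traits listed in the alert above, turned into a mail check as an added example (not part of the original post, and not any antivirus vendor's code). Because the alert says the subject is random, the check keys on the double-extension attachment name and the fixed first and last body lines; the function names, indicator labels and sample message are constructed for illustration, and any first extension before an executable one is flagged, not only .DOC/.XLS/.ZIP.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Second (executable) extensions named in the alert.
EXEC_EXTS = {".exe", ".pif", ".com", ".bat", ".lnk"}
# Fixed first/last body lines from the alert: English, then Spanish.
FRAMES = [("Hi! How are you?", "See you later. Thanks"),
          ("Hola como estas ?", "Nos vemos pronto, gracias.")]

def sircam_indicators(raw: bytes) -> list:
    """Return, sorted, the alert's traits found in one raw e-mail message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    subject = str(msg["Subject"] or "").strip().lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        # stem + document extension + trailing extension, e.g. budget.xls.pif
        m = re.fullmatch(r"(.+)(\.[^.]+)(\.[^.]+)", name)
        if m and m.group(3) in EXEC_EXTS:
            hits.add("double-extension")
            # Assumption: the subject may carry the name with or without extensions.
            if subject in {name, m.group(1) + m.group(2), m.group(1)}:
                hits.add("subject-matches-attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and (lines[0], lines[-1]) in FRAMES:
        hits.add("body-frame")
    return sorted(hits)

# Constructed sample body using the English lines quoted in the alert.
SIRCAM_BODY = ("Hi! How are you?\n\nI send you this file in order to have "
               "your advice\n\nSee you later. Thanks\n")

def constructed_sample(filename="budget.xls.pif", subject="budget",
                       body=SIRCAM_BODY) -> bytes:
    """Build a constructed test message; the attachment bytes are inert filler."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "rcpt@example.com", subject
    m.set_content(body)
    m.add_attachment(b"inert constructed bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(sircam_indicators(constructed_sample()))
```

A message that shows only the body lines, or only a double extension, scores one indicator; all three together match the alert's description.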

Offline Bjorn


  • The Boss
  • Sr. Member
  • ****
  • Posts: 397
  • Karma: +10/-0
Can I please have your advice virus
« Reply #7 on: July 27, 2001, 12:41:39 AM »
I have received a few hundred of those mails :/
Must be because the virus (worm) sends mails to mail addresses in cached files, and a few thousand peeps probably got my mail address in a cached web page :|

Offline soundifound
  • Disconnected
  • Hero Member
  • *****
  • Posts: 808
  • Karma: +10/-0
Can I please have your advice virus
« Reply #8 on: July 27, 2001, 08:10:15 AM »
It's a ***** for me because I have to download them on my crappy 56k and then delete them.  I just got a 2 MEG one today.  Is there a way I can cancel it before it is done downloading (outlook express)?
Perspective pries your once weighty eyes and it gives you wings

Offline Samwise
  • Moderator
  • Legendary Member
  • ******
  • Posts: 12129
  • Karma: +10/-0
    • http://151.200.3.8/~vze29k6v/you.html
Can I please have your advice virus
« Reply #9 on: July 28, 2001, 02:10:49 AM »
You can set up filters with Outlook. I can't quite remember how, but you can set certain criteria and then do stuff to the mails that meet those criteria (like "delete any mails with 'need your advice' in subject" or whatever).
RRRRRRRRRRRRRRRRRRAPETIME!
(thanks Chizzy!)

 
