INTERLNG Archives

Discussiones in Interlingua

INTERLNG@LISTSERV.ICORS.ORG

Subject:
From:
Allan Kiviaho <[log in to unmask]>
Reply To:
INTERLNG: Discussiones in Interlingua
Date:
Sun, 18 Nov 2001 08:48:47 +0200
Content-Type:
text/plain
Parts/Attachments:
text/plain (413 lines)
d[011118] x[Kiviaho Allan] z[KivA interlng cool]
s[Interlinguists! Another virus alarm! Sircam]

[log in to unmask]
[log in to unmask]

Dear fellow interlinguists!

I suppose that Ingvar Stenström's computer is now
clean of the "BadTrans" virus.

There is another virus that has attacked e.g. me several
times, the last time tomorrow:

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_

Here is the message that I received today, analyzed in DOS mode

From - Sun Nov 18 07:19:50 2001
Return-Path: <[log in to unmask]>
Received: from mail.accessnet.ro ([193.178.171.201])
          by fep01-app.kolumbus.fi
          (InterMail vM.5.01.03.08 201-253-122-118-108-20010628)
with ESMTP id
<[log in to unmask]>
          for <[log in to unmask]>; Sat, 17 Nov 2001 10:55:29
+0200
Received: from monitorizare.ines.ro (intranet-cl-10.intranet
[192.168.1.10])
     by mail.accessnet.ro (8.9.3/8.9.3/Debian 8.9.3-21) with SMTP id
LAA00766
     for <[log in to unmask]>; Sat, 17 Nov 2001 11:01:09 +0200
Message-Id: <[log in to unmask]>
X-Authentication-Warning: mail.accessnet.ro: Host
intranet-cl-10.intranet [192.168.1.10] claimed to be
monitorizare.ines.ro
From: "Radu Pavaloiu"<[log in to unmask]>
To: [log in to unmask]
Subject: taper206
date: Sat, 17 Nov 2001 10:58:53 +0200
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed;
boundary="----5EAB8378_Outlook_Express_message_boundary"
Content-Disposition: Multipart message
X-Mozilla-Status: 8009
X-Mozilla-Status2: 00000000
X-UIDL: <[log in to unmask]>

------5EAB8378_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: message text

Hi! How are you=3F

I send you this file in order to have your advice

See you later=2E Thanks

------5EAB8378_Outlook_Express_message_boundary
Content-Type: application/mixed; name=taper206.zip.pif
Content-Transfer-Encoding: base64
Content-Disposition: attachment;  filename=taper206.zip.pif
------5EAB8378_Outlook_Express_message_boundary

- - - deleted, probably contained a virus
(Allan Kiviaho 2001-11-18)

------5EAB8378_Outlook_Express_message_boundary--

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_

B e   a l e r t

to all attached files, especially files that
contain "PIF" in their name. The attachment name
above was:

taper206.zip.pif

The texts that this virus sends are:

=============================================
Sircam
ALIAS: I-Worm.Sircam, W32.Sircam, W32/SircCam
=============================================

The virus sends the following text:

Hi! How are you?
I send you this file in order to have your advice

or

I hope you can help me with this file that I send

or

I hope you like the file that I sendo you

or

This is the file with the information that you ask
for

See you later. Thanks

If your computer's operating system is in
Spanish, the texts are:

Hola como estas ?

Te mando este archivo para que me des tu punto de
vista

or

Espero me puedas ayudar con el archivo que te mando

or

Espero te guste este archivo que te mando

or

Este es el archivo con la información que me
pediste

Nos vemos pronto, gracias.

- - -

This virus is rather dangerous (grade "5", it
can fill the whole hard disk).

Has any of you opened this attached file?

Today I received for the first time a large file
(0.5 megabytes, zipped) attached with the
virus, which I naturally deleted.

- - -

Here are the instructions from F-Secure (perhaps the
dominant anti-virus firm in the world):

F-Secure Virus Descriptions

NAME:
Sircam
ALIAS:
I-Worm.Sircam, W32.Sircam, W32/SircCam

Our tool to automatically remove the Sircam worm can
be downloaded from:
ftp://ftp.europe.f-secure.com/anti-virus/tools/antisirc.exe

For more information on what the tool does, see the
README file:

ftp://ftp.europe.f-secure.com/anti-virus/tools/antisirc.txt

INFORMATION ON THE SIRCAM WORM

Sircam is a mass mailing e-mail worm with the ability
of spreading through Windows Network shares. The worm's body
is 137216 bytes long but when it comes as an e-mail
attachment, it is larger in size due to a document that is
attached to its body.

Sircam sends e-mails with variable user names and
subject fields, and attaches user documents with double
extensions (such as .doc.pif or .xls.lnk) to them.

When the worm runs on a clean system it copies itself
to different locations with different names:

1. The worm copies itself as 'SirC32.exe' to
\Recycled\ folder. The default EXE file startup Registry
key:

[HKCR\exefile\shell\open\command]

is changed to '""[windows_drive]\recycled\SirC32.exe"
"%1" %*"'. This is done to activate a worm's
copy every time an EXE file is started. Since the
recycled folder name is hardcoded the worm does
not work on machines with NTFS filesystem. Most
Windows NT and 2000 systems are installed on
NTFS.

2. The worm copies itself as 'SCam32.exe' in the
System directory. The worm then creates a
startup key for this file in the Registry to be
started during all Windows sessions:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32" = "<windows_system_dir_name>\SCam32.exe"

3. The worm copies itself as 'rundll32.exe' file to
Windows directory. The original 'rundll32.exe' file is
renamed to 'run32.exe'. This copy exists only if a
computer got infected through a network share
(see below).

4. Sometimes (once out of 33 cases) the worm places
its copy to Windows directory with the
'ScMx32.exe' name. In this case another copy of the
worm is created in the current user's personal
startup folder as 'Microsoft Internet Office.exe'.
This copy will be started when a user who got
infected logs into a system.

When a Sircam-infected e-mail attachment is opened it
shows the document it picked up from the
sender's machine. The file is displayed with the
appropriate program according to its extension:

'.DOC': WinWord.exe or WordPad.exe
'.XLS': Excel.exe
'.ZIP': winzip.exe

This effectively disguises the worm's activity. While
the user is checking the document the system
gets infected (as described above).

The worm uses Windows Address Book to collect e-mail
addresses ('*.wab' files). The worm also
tries to look for e-mail addresses in \Temporary
Internet Files\ folder ('sho*', 'get*', 'hot*', '*.html'). If a
user has a working e-mail account the worm reads
its settings. Otherwise
'[username]@prodigy.mx.net' is used as the default
sender's address and 'prodigy.net.mx' is used
for the SMTP server name. The worm has its own SMTP
engine and it sends out messages using
this engine.

The worm collects a list of files with certain
extensions ('.DOC', '.XLS', '.ZIP') into fake DLL files
named 'sc*.dll'.
The worm then sends itself out with
one of the document files it found in a user's
'My Documents' folder.

Messages sent by Sircam look like this:


From: [user@address]
To: [user@address]
Subject: [document name without extension]

Hi! How are you?

'I send you this file in order to have your advice'

or

'I hope you can help me with this file that I send'

or

'I hope you like the file that I sendo you'

or

'This is the file with the information that you ask
for'

See you later. Thanks

If a system's language is set to Spanish the worm
sends messages in Spanish:

Hola como estas ?

'Te mando este archivo para que me des tu punto de
vista'

or

'Espero me puedas ayudar con el archivo que te mando'

or

'Espero te guste este archivo que te mando'

or

'Este es el archivo con la información que me
pediste'

Nos vemos pronto, gracias.

The attached file has the name of a picked document
file with a double extension like '.DOC.EXE',
'.XLS.PIF'. The '.COM', '.BAT', '.PIF' and '.LNK' are
used as second (executable) extensions. Since
the worm can pick any of the user's personal documents
it might send out confidential information.

This worm also uses Windows network shares to spread.
When doing this, it first enumerates all
the network shares available to the infected
computer. If there is a writeable \recycled\ folder
on a share, a copy of the worm is put to the
'\\[share]\recycled\' folder as 'SirCam32.exe' file. The
\\[share]\autoexec.bat file is appended with an extra
line: '@win \recycled\SirC32.exe', so next time
when an infected computer is rebooted the worm will
be started. The worm also copies itself as
'rundll32.exe' file to Windows directory of a remote
system. The original 'rundll32.exe' file is copied
to 'run32.exe' before that.

Payloads

The worm has two payloads. On 16th of October in one
case out of 20 it deletes everything from the
drive where Windows is installed. On any other day in
one of 50 cases it fills up the drive where
Windows is installed. In this case it creates a file
called '<windows drive>:\recycled\sircam.sys' and
continuously fills it with one of the below given text
strings until the hard drive space is consumed.

'[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]'

or

'[SirCam Version 1.0 Copyright  2001 2rP  Made in /
Hecho en
- Cuitzeo, Michoacan Mexico]'

Fortunately none of these payloads work due to bugs
in the trigger routine. The random number
generator is not initialized in the beginning so the
worm will not activate its payloads on 16th of
October or on any other day.

Removal instructions:

If your system is infected with the worm first please
download this REG file and install it (by
double-clicking on it):

ftp://ftp.europe.f-secure.com/anti-virus/tools/sirc_dis.reg

This will remove the worm's reference from the EXE
file startup key and the main worm's startup key
in the Registry.

Warning! The system might become unusable if the
worm's file is deleted without modifying the EXE
file startup key first.

After that the system can be safely disinfected with
F-Secure Anti-Virus. If for some reason the
worm's file can't be deleted from Windows (locked
file), then you have to exit to pure DOS and
delete the worm's file manually or use a DOS-based
scanner (F-Prot for DOS for example). Note
that for 100% disinfection all the worm's files need to
be deleted and the Registry should be fixed (see
above).

Additional Note: If a workstation was infected through
a network share '\windows\run32.exe' has to be
renamed back to '\windows\rundll32.exe' after
disinfection.

The extra line in 'autoexec.bat' file that starts the
worm from \recycled\ folder should be removed
also.

Network infection prevention:

If a network is infected and it is not possible to
take it down to disinfect all workstations, the
following method can prevent the worm from spreading
to clean workstations:

In the \Recycled\ folder of the drive where Windows is
installed, create a dummy file named SIRC32.EXE
with the read-only attribute set.

[Analysis: Gergely Erdelyi, Alexey Podrezov; F-Secure
Corp.; July 18-23, 2001]

- - -

Greetings,

Allan Kiviaho, virologist h.c.

=============================================
Kiviaho Allan
SILY - Suomen Interlinguayhdistys ry.
FILF - Föreningen för Interlingua i Finland
AFIL - Association Finlandese pro Interlingua
Kivimäentie 16 E. FIN-01620 VANTAA. Finlandia
[log in to unmask]
http://www.kolumbus.fi/allkiv
http://www.interlingua.dk/2001.htm
http://www.interlingua.com
Tel. + 358 - 09 - 898 720
GSM  + 358 - 050 - 3616 759
=============================================

Death to viruses!
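The captured message and the F-Secure write-up quoted above together give enough detail to turn the Sircam indicators into a small checker: the double-extension attachment name (document extension hiding .COM/.BAT/.PIF/.LNK), the fixed English and Spanish lure sentences, the sendmail "claimed to be" HELO warning that the relay stamped on the captured mail, and on the host side the hijacked HKCR\exefile\shell\open\command value, the RunServices "Driver32" entry and the autoexec.bat start line. The Python below is an added example written for this page, not F-Secure's antisirc tool and not Allan Kiviaho's own code. The sample message is constructed to mirror the captured headers with example.invalid addresses standing in for the redacted ones and a stub base64 payload; the function names are this example's own, and the clean exefile command value `"%1" %*` is the Windows default, assumed here as the comparison baseline.

```python
"""Sircam indicator checks (added example; not F-Secure's tool).
Mail side: double-extension attachment, lure text, HELO warning.
Host side: exefile open command, RunServices value, autoexec.bat line."""
import email
import re
from email import policy

# Second ("executable") extensions named in the F-Secure write-up, plus .exe.
EXEC_EXTS = {".com", ".bat", ".pif", ".lnk", ".exe"}

# Lure sentences the worm uses (English and Spanish), lower-cased for matching.
LURE_LINES = {
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la información que me pediste",
}

# Windows default for HKCR\exefile\shell\open\command (assumed clean baseline).
CLEAN_EXEFILE_CMD = '"%1" %*'

# Constructed sample modelled on the captured message; addresses are
# placeholders and the base64 body is a stub, not worm code.
SAMPLE_MESSAGE = """\
Return-Path: <sender@example.invalid>
X-Authentication-Warning: mail.example.invalid: Host intranet-cl-10.intranet [192.168.1.10] claimed to be monitorizare.example.invalid
From: "Sender" <sender@example.invalid>
To: victim@example.invalid
Subject: taper206
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----5EAB8378_Outlook_Express_message_boundary"

------5EAB8378_Outlook_Express_message_boundary
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Hi! How are you=3F

I send you this file in order to have your advice

See you later=2E Thanks

------5EAB8378_Outlook_Express_message_boundary
Content-Type: application/mixed; name=taper206.zip.pif
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=taper206.zip.pif

TVqQAAMAAAAEAAAA//8AAA==
------5EAB8378_Outlook_Express_message_boundary--
"""


def is_double_extension(filename):
    """(inner, outer) when the name ends in two extensions and the outer one
    is executable, e.g. 'taper206.zip.pif' -> ('.zip', '.pif'); else None."""
    m = re.fullmatch(r".+?(\.[a-z0-9]{1,4})(\.[a-z0-9]{1,4})", filename.lower())
    if m and m.group(2) in EXEC_EXTS:
        return m.group(1), m.group(2)
    return None


def analyze_message(raw):
    """Parse a raw RFC 822 message; return a list of Sircam indicator strings."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    # sendmail stamps this header when the HELO name disagrees with the
    # connecting host, exactly as seen on the captured message.
    warning = str(msg.get("X-Authentication-Warning", ""))
    if "claimed to be" in warning:
        hits.append("X-Authentication-Warning (HELO mismatch): " + warning)
    body = msg.get_body(preferencelist=("plain",))  # decodes quoted-printable
    if body is not None:
        for line in body.get_content().splitlines():
            if " ".join(line.lower().split()) in LURE_LINES:
                hits.append("Sircam lure text: " + line.strip())
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        exts = is_double_extension(name)
        if exts:
            hits.append(f"double-extension attachment {name}: "
                        f"{exts[0]} name hiding {exts[1]}")
    return hits


def host_indicators(exefile_cmd, run_services, autoexec_lines):
    """Check the persistence points the write-up lists: the default value of
    HKCR\\exefile\\shell\\open\\command, a name->path dict read from the
    RunServices key, and the lines of autoexec.bat on a shared drive."""
    hits = []
    if exefile_cmd.strip() != CLEAN_EXEFILE_CMD:
        hits.append("exefile open command hijacked: " + exefile_cmd)
    for name, path in run_services.items():
        if path.lower().endswith("\\scam32.exe"):
            hits.append(f"RunServices value {name} -> {path}")
    for line in autoexec_lines:  # write-up spells the file SirC32/SirCam32
        if re.search(r"\\recycled\\sirc(am)?32\.exe", line, re.I):
            hits.append("autoexec.bat start line: " + line.strip())
    return hits


if __name__ == "__main__":
    for hit in analyze_message(SAMPLE_MESSAGE):
        print("mail:", hit)
    for hit in host_indicators('"C:\\recycled\\SirC32.exe" "%1" %*',
                               {"Driver32": "C:\\WINDOWS\\SYSTEM\\SCam32.exe"},
                               ["@echo off", "@win \\recycled\\SirC32.exe"]):
        print("host:", hit)
```

Run as-is it prints three mail-side and three host-side indicators for the constructed inputs. The attachment check deliberately looks only at the name, because the write-up says the payload is the worm body with a stolen document appended, so the filename pattern (any document name followed by a second, executable extension) is the part a gateway can act on before anything is decoded; the exefile comparison is the same check the sirc_dis.reg file effects in reverse, and it is the one to perform before deleting SirC32.exe, since the write-up warns that deleting the file while the key still points at it makes the system unusable.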
