GAMBIA-L Archives

The Gambia and Related Issues Mailing List

GAMBIA-L@LISTSERV.ICORS.ORG

Subject:
From:
Baboucar Kolley <[log in to unmask]>
Reply To:
The Gambia and related-issues mailing list <[log in to unmask]>
Date:
Thu, 2 Aug 2001 13:04:35 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (93 lines)
Greetings, [log in to unmask]

I thought you would be interested in knowing about this computer Virus...

Name: W32/SirCam@MM

Characteristics:
July 23, 2001: Due to the increase in samples, the risk assessment
for W32/SirCam@MM has been updated to a HIGH risk.
The 4149 DATs (http://www.mcafeeb2b.com/naicommon/download/dats/find.asp)
(the full set and incrementals) include scanning of files with the .LNK
extension mentioned below. VirusScan TC and VirusScan 4.51 (corporate)
users can take advantage of this if they are using the default extension
list. All other users, including corporate and retail, must update the
extension list as noted below or SCAN ALL FILES.
July 22, 2001: For detection of W32/SirCam@MM, the LNK and PIF
extensions need to be present on the extension list or SCAN ALL FILES must
be chosen.
This mass-mailing virus attempts to send itself and local documents to all
users found in the Windows Address Book and email addresses found in
temporary Internet cached files (web browser cache).
It may be received in an email message containing the following
information:
Subject: [filename (random)]
Body: Hi! How are you?
I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for
See you later. Thanks
--- the same message may be received in Spanish ---
Hola como estas ?
Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste

Nos vemos pronto, gracias.
--- end message ---
Although other message body possibilities are present in the virus, these
aren't actually being generated frequently.
Attached will be a document with a double extension (the filename varies).
The first extension will be the file type which was prepended by the
virus. When run, the document will be saved to the C:\RECYCLED folder and
then opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder
to conceal its presence and create the following registry key value to
load itself whenever .EXE files are executed:
HKCR\exefile\shell\open\command \Default="C:\recycled\SirC32.exe" "%1" %*
As the RECYCLE BIN is often on the exclusion list, check your settings
to ensure that this directory IS being scanned.
It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and
creates the following registry key value to load itself automatically:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe
A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP
files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd
character of the name appears to be random) in the SYSTEM directory. Email
addresses are gathered from the Windows Address Book and temporary
Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd
character of the name appears to be random) in the SYSTEM directory.
The worm prepends a copy of the files that are named in the SCD.DLL file
and attaches this copy to the email messages that it sends via a built in
for communicating directly with a SMTP server, using one of the following
extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment names
having double-extensions. The program creates a registry key to store
variables for itself (such as a run count, and SMTP information):
HKLM\Software\Sircam
The virus may also infect other systems by using open
network shares. On remote systems the file \windows\rundll32.exe may get
replaced with a viral copy, while the valid RUNDLL32.EXE file is renamed
to RUN32.EXE. On those systems, the AUTOEXEC.BAT file may be appended with
the line: @win \recycled\sirc32.exe.
Aside from e-mail overloading, it might delete files on 16 October and/or
fill up harddisk space by adding text entries over & over again to a
sircam recycle bin file.

To check your system for this Virus, and to learn how to protect yourself
from computer viruses, visit the McAfee.com Clinic at
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2103.

For complete information on this Virus, view McAfee.com's Virus
Information Library listing at
http://vil.mcafee.com/dispVirus.asp?virus_k=99141.

This email was sent to you by Babou

----------------------------------------------------------------------------

To unsubscribe/subscribe or view archives of postings, go to the Gambia-L
Web interface at: http://maelstrom.stjohns.edu/archives/gambia-l.html
You may also send subscription requests to [log in to unmask]
if you have problems accessing the web interface and remember to write your full name and e-mail address.
----------------------------------------------------------------------------
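
The indicators listed in the forwarded advisory (double-extension attachment names, the two registry values, the HKLM\Software\Sircam key and the AUTOEXEC.BAT line) can be checked mechanically. The following is an added example, not part of the original post or of McAfee's advisory; the snapshot dictionary format, the function names and the sample data are assumptions constructed for illustration.

```python
import re

# Final extensions the advisory says the worm appends to the attachment name.
CARRIER_EXTS = {".bat", ".com", ".exe", ".lnk", ".pif"}
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,5}(\.[a-z0-9]{1,5})$", re.I)

# Registry indicators from the advisory: (key, value name, data substring).
REG_INDICATORS = [
    (r"HKCR\exefile\shell\open\command", "", r"\recycled\sirc32.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "Driver32", r"\scam32.exe"),
]
MARKER_KEY = r"HKLM\Software\Sircam"
AUTOEXEC_LINE = re.compile(r"^\s*@win\s+\\recycled\\sirc32\.exe\s*$", re.I | re.M)


def is_double_extension(filename):
    """True for names ending <ext>.<carrier ext>, e.g. report.doc.pif."""
    m = DOUBLE_EXT.search(filename.strip())
    return bool(m) and m.group(1).lower() in CARRIER_EXTS


def check_registry(snapshot):
    """snapshot: {key path: {value name: data}}; "" is the default value."""
    keys = {k.lower(): v for k, v in snapshot.items()}
    hits = []
    for key, name, needle in REG_INDICATORS:
        values = {n.lower(): d for n, d in keys.get(key.lower(), {}).items()}
        if needle in values.get(name.lower(), "").lower():
            hits.append(key + "\\" + (name or "(Default)"))
    if MARKER_KEY.lower() in keys:
        hits.append(MARKER_KEY)
    return hits


def check_autoexec(text):
    """True when AUTOEXEC.BAT contains the line the advisory describes."""
    return bool(AUTOEXEC_LINE.search(text))


# Constructed sample data (not taken from a real system).
SAMPLE_REGISTRY = {
    r"HKCR\exefile\shell\open\command":
        {"": r'"C:\recycled\SirC32.exe" "%1" %*'},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices":
        {"Driver32": r"C:\WINDOWS\SYSTEM\SCam32.exe"},
    r"HKLM\Software\Sircam": {},
}
SAMPLE_AUTOEXEC = "@ECHO OFF\r\n@win \\recycled\\sirc32.exe\r\n"
```

A clean system's exefile default value is `"%1" %*`, which produces no hit; a hit on that value also means the worm binary must stay in place until the value is restored, otherwise .EXE files stop launching.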
