An Introduction to the Sircam Worm
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
-= An Introduction to the Sircam Worm =-
-= By Manic Velocity =-
-= manicvelocity@geeksyndicate.net =-
-= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
I'm sure most of you, by now, have heard about the SirCam virus. This article is for those who
haven't heard of it, or those who haven't taken the time to learn more about it. (Shame on you).
Being a Mac user, I haven't really had the opportunity to have my system infected in order to experience
it for myself. But I'll try to explain what I know as best I can.
What SirCam Is:
The SirCam virus is a virus and a worm. It multiplies as a worm does, and it causes damage to a
system as a virus does. It enters the system when a user opens a certain e-mail attachment. The
e-mail reads, "Hi! How are you? I send you this file in order to have your advice. See you later!
Thanks." This message is also known to be written in Spanish.
What SirCam Does:
SirCam is programmed to replicate and send itself to everyone in your address book. Unlike most
email virii, SirCam does not take advantage of Microsoft Outlook; it uses its own SMTP function
in order to utilize any email program you use. Whenever SirCam is run, (which could be quite often
on any system), it computes a random number which has a 1 in 33 chance of generating enough random
text to overload the system's hard drive. When the computer's calendar hits October 16th, SirCam
then computes a random number which has a 1 in 20 chance of deleting all the files on the hard drive.
SirCam scans the My Documents folder and makes a list of all the documents in it. It selects a random
file from the folder, attaches that file to an email along with a copy of SirCam. The file usually
contains a double extension making it look like this, "resume.doc.exe" or "paris.jpg.exe". The subject
of the email is the name of the infected file, and since it selects a random file from every computer
it infects, SirCam is able to change its identity with every email it sends.
How SirCam Works:
When a system is infected, SirCam copies itself to "c:\Recycled\SirC32.exe", (this is how it's able to
bypass most anti-virus software because they usually do not scan the "recycled" directory), and as
"SCam 32.exe" in the Windows system directory. SirC32.exe is registered as a default startup command
for all executable files, meaning SirC32.exe will run whenever any executable file is run. On top of that,
it's also registered as a driver, so it's run whenever the system is booted up.
Removal:
SirCam can't be removed by simply taking its files off the infected computer. The system's .exe file
startup key must be edited first. (Don't ask me how, I'm just a simple Mac user). A tool has been
developed to help protect systems from SirCam. It can be downloaded at:
http://www.f-secure.com/v-descs/sircam.shtml
If you haven't been infected...yet, and want to make sure that you never are, the following are a few of
my own suggestions on how to prevent SirCam, or any virus/trojan from entering your system:
1. If you receive an email with an attachment, scan it with everything you have, McAfee, Norton, EVERYTHING.
2. Immediately delete any attachment with a double extension (.doc.exe, .zip.exe, etc.)
3. If you receive an email with an attachment, don't open it until you talk to the person who sent it to
you. Ask them about the attachment. If they don't know what you are talking about, delete it.
4. Don't use email and be stuck in the twentieth century.
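Suggestion 2 can be automated at the mail gateway or in a mailbox scan. The following is an added example, not part
of the original article or any vendor's tool: it parses a message and flags attachments with a double extension
ending in an executable type, then notes the two other traits described above (subject equal to the file name, and
the known body text). The extension list, the function names and the sample messages are assumptions made for the
example.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Final extensions treated as executable (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".pif", ".lnk", ".scr"}
# Fragment of the message body quoted in the article, lowercased.
BODY_MARKER = "i send you this file in order to have your advice"


def check_message(raw_bytes):
    """Return [(filename, [reasons])] for attachments matching the article's description."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        # Suggestion 2: a double extension whose last part is executable.
        if len(suffixes) < 2 or suffixes[-1] not in EXECUTABLE_EXTS:
            continue
        reasons = ["double extension ending in " + suffixes[-1]]
        # Assumption: "subject is the name of the file" may mean the name with
        # or without its extensions, so all three forms are compared.
        lowered = name.lower()
        stem = lowered[: len(lowered) - sum(len(s) for s in suffixes)]
        if subject in {lowered, lowered[: -len(suffixes[-1])], stem}:
            reasons.append("subject matches attachment name")
        # Collapse whitespace so line wrapping in the body does not hide the text.
        if BODY_MARKER in " ".join(body.split()):
            reasons.append("body contains the known message text")
        findings.append((name, reasons))
    return findings


def build_sample(subject, filename, text):
    """Constructed test message; the attachment holds placeholder bytes only."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(text)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    note = "Hi! How are you? I send you this file in order to have your advice."
    for subj, fname in [("resume", "resume.doc.exe"), ("minutes", "minutes.doc")]:
        print(fname, check_message(build_sample(subj, fname, note)))
```

The double-extension rule alone decides whether an attachment is flagged; the subject and body checks only add
context, since the message text is easy to change while the file name trick is what gets the attachment opened.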
Conclusion:
SirCam is the next big virus after the "I Love You" virus. Although the love bug was written by a virus
generator, SirCam apparently is very sophisticated. As of me writing this, it has reached number one on
Trend Micro's Top Ten Virus Threats map. Some coder sure knows their shit! The last thing most of you
need is a lecture on being wary of attachments in your email. So I'm just going to say thanks to whoever
took the time to read this. If you have any further info on SirCam, I would greatly appreciate it.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
© 2600SLC.ORG 2001
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-