Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity HIGH
Payload May delete all files on the C: drive
Detection files published 18 Jul 2001 03:00:00
Description created 19 Jul 2001 03:00:00
Description updated 26 Feb 2003 03:46:00
Malware type WORM
Alias
Spreading mechanism NETWORK
Summary None

W32/SirCam@mm

Spreading

This is a mass-mailing email worm. Once executed, it makes two initial copies of itself: one as \SCam32.DLL and one as \RECYCLED\SIrc32.EXE. It sends itself to all users in the Windows Address Book and to other addresses found in temporary internet files. It also searches for shared drives and copies itself to any that it finds and can access.

Mail

When the worm is received over email, it normally appears as a file with a double extension, such as .doc.com or .xls.pif. The last extension is one of the following: COM, EXE, BAT, PIF, LNK.

The worm executable is actually prepended to a document, spreadsheet, or zip file taken from the infected sender's machine. That file is written to disk and opened when the worm is executed, so it appears that the mail contained an innocent attachment. This behaviour may cause sensitive user data to be sent out.

The subject line contains only the file name of the attached file. Depending on the language version, the message body is in English or Spanish.

The message body is composed of several lines whose order is slightly randomized.

Spanish:

Hola como estas ?
Te mando este archivo para que me des tu punto de vista
Espero te guste este archivo que te mando
Espero me puedas ayudar con el archivo que te mando
Este es el archivo con la informacion que me pediste
Nos vemos pronto, gracias.

English:

Hi! How are you?
I hope you can help me with this file that I send
I send you this file in order to have your advice
I hope you like the file that I sendo you
This is the file with the information that you ask for
See you later. Thanks
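
A mail-triage check for the message format described above, added here as an example and not code from the original page or from Lumension. The sample message is constructed, and matching the subject against either the full attachment name or its stem is an assumption about how the "file name" line should be read.

```python
import email
from email import policy
from email.message import EmailMessage

EXEC_EXTS = {"com", "exe", "bat", "pif", "lnk"}  # final extensions listed on the page

# Body lines quoted on the page (both languages), normalised to lower case.
TEMPLATE_LINES = {
    "hola como estas ?", "te mando este archivo para que me des tu punto de vista",
    "espero te guste este archivo que te mando",
    "espero me puedas ayudar con el archivo que te mando",
    "este es el archivo con la informacion que me pediste", "nos vemos pronto, gracias.",
    "hi! how are you?", "i hope you can help me with this file that i send",
    "i send you this file in order to have your advice",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for", "see you later. thanks",
}

def double_extension(name):
    """True for names such as report.doc.com: two or more extensions, last one executable."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[-1] in EXEC_EXTS

def sircam_indicators(raw):
    """Return the SirCam-style indicators found in one RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits, subject = [], str(msg["subject"] or "").strip().lower()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if double_extension(name):
            hits.append("attachment with double extension: " + name)
            # Page: subject is the attached file's name; assumed: full name or its stem.
            if subject in (name.lower(), name.split(".")[0].lower()):
                hits.append("subject equals attachment name")
    body = msg.get_body(preferencelist=("plain",))
    lines = {ln.strip().lower() for ln in (body.get_content() if body else "").splitlines()}
    matched = lines & TEMPLATE_LINES
    if matched:
        hits.append("%d template body line(s)" % len(matched))
    return hits

def build_sample():
    """Constructed message imitating the described format; not a real capture."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "budget"
    m.set_content("Hi! How are you?\nI send you this file in order to have your advice\n"
                  "See you later. Thanks\n")
    m.add_attachment(b"MZ placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="budget.xls.pif")
    return m.as_string()
```

Calling sircam_indicators(build_sample()) returns three indicators for the constructed message; a benign mail with a single-extension attachment and ordinary body text returns an empty list.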

Shared drives

As mentioned above, the worm also copies itself over shared network drives. In those cases it copies the SIRC32.EXE file to the remote drive and, if possible, replaces RUNDLL32.EXE on the remote machine with itself, first copying the original RUNDLL32.EXE to RUN32.EXE. The second time the worm is executed it copies the infected RUNDLL32.EXE to RUN32.EXE, so the backed-up original is also overwritten with a SirCam-infected file. The original RUNDLL32.EXE then has to be restored from a backup or from another computer. It may also copy itself under other file names, and may attempt to add a reference to itself in the AUTOEXEC.BAT file.

Payload Details

This worm can be quite destructive. Its destructive routine attempts to activate on October 16th and in some cases deletes all files on the C: drive.

Analysis

n/a

Removal

n/a

Last Updated: 12 Nov 2015 11:06:12