-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-= An Introduction to the Sircam Worm =-
-= By Manic Velocity =-
-= manicvelocity@crapmail.com =-
-= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

I'm sure most of you, by now, have heard about the SirCam virus. This article is for those who haven't heard of it, or those who haven't taken the time to learn more about it. (Shame on you.) Being a Mac user, I haven't really had the opportunity to have my system infected in order to experience it for myself. But I'll try to explain what I know as best I can.

What SirCam Is:

The SirCam virus is both a virus and a worm. It multiplies as a worm does, and it causes damage to a system as a virus does. It enters the system when a user opens a certain e-mail attachment. The e-mail reads, "Hi! How are you? I send you this file in order to have your advice. See you later! Thanks." This message is also known to be written in Spanish.

What SirCam Does:

SirCam is programmed to replicate and send itself to everyone in your address book. Unlike most email virii, SirCam does not take advantage of Microsoft Outlook; it uses its own SMTP function, so it works no matter which email program you use.

Whenever SirCam is run (which could be quite often on any system), it computes a random number which has a 1 in 33 chance of generating enough random text to overload the system's hard drive. When the computer's calendar hits October 16th, SirCam computes a random number which has a 1 in 20 chance of deleting all the files on the hard drive.

SirCam scans the My Documents folder and makes a list of all the documents in it. It selects a random file from the folder and attaches that file to an email along with a copy of SirCam. The file usually carries a double extension, making it look like "resume.doc.exe" or "paris.jpg.exe". The subject of the email is the name of the infected file, and since it selects a random file from every computer it infects, SirCam is able to change its identity with every email it sends.

How SirCam Works:

When a system is infected, SirCam copies itself to "c:\Recycled\SirC32.exe" (this is how it is able to bypass most anti-virus software, because they usually do not scan the "Recycled" directory) and as "SCam32.exe" in the Windows system directory. SirC32.exe is registered as the default startup command for all executable files, meaning SirC32.exe will run whenever any executable file is run. On top of that, it's also registered as a driver, so it's run whenever the system is booted up.

Removal:

SirCam can't be removed by simply taking its files off the infected computer. The system's .exe file startup key must be edited first. (Don't ask me how, I'm just a simple Mac user.) A tool has been developed to help protect systems from SirCam. It can be downloaded at: http://www.f-secure.com/v-descs/sircam.shtml

If you haven't been infected...yet, and want to make sure that you never are, the following are a few of my own suggestions on how to prevent SirCam, or any virus/trojan, from entering your system:

1. If you receive an email with an attachment, scan it with everything you have: McAfee, Norton, EVERYTHING.
2. Immediately delete any attachment with a double extension (.doc.exe, .zip.exe, etc.).
3. If you receive an email with an attachment, don't open it until you talk to the person who sent it to you. Ask them about the attachment. If they don't know what you are talking about, delete it.
4. Don't use email and be stuck in the twentieth century.

Conclusion:

SirCam is the next big virus after the "I Love You" virus. Although the love bug was written by a virus generator, SirCam apparently is very sophisticated. As of me writing this, it has reached number one on Trend Micro's Top Ten Virus Threats map. Some coder sure knows their shit!
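As an added illustration of suggestion 2 above (this is example code, not from the original article or from any vendor tool), here is a small Python mail-filter heuristic that flags the two traits the article describes: a double-extension attachment such as "resume.doc.exe" and the worm's fixed body text. The sample message it builds, and the addresses in it, are constructed for the example.

```python
"""Gateway heuristic for SirCam-style mail (added example, constructed data)."""
import re
from email import message_from_string
from email.message import EmailMessage

# A document-looking first extension followed by an executable second one,
# e.g. "resume.doc.exe" or "paris.jpg.exe" as described in the article.
DOUBLE_EXT = re.compile(
    r"\.(doc|xls|zip|jpg|gif|txt|htm|html|pdf)\.(exe|com|bat|pif|lnk|scr)$",
    re.IGNORECASE,
)
# Fixed phrase from the English-language SirCam body quoted in the article.
SIRCAM_PHRASE = "i send you this file in order to have your advice"


def scan_message(raw: str) -> list:
    """Return the reasons a raw RFC 822 message looks like SirCam ([] if clean)."""
    msg = message_from_string(raw)
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if name and DOUBLE_EXT.search(name):
            reasons.append("double-extension attachment: " + name)
        # Only the message body itself (not a text attachment) is checked for the phrase.
        if part.get_content_type() == "text/plain" and not name:
            body = part.get_payload(decode=True).decode("utf-8", errors="replace")
            if SIRCAM_PHRASE in body.lower():
                reasons.append("SirCam body text")
    return reasons


def build_sample() -> str:
    """Construct a SirCam-style message for testing; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"   # placeholder addresses
    msg["To"] = "bob@example.test"
    msg["Subject"] = "resume"            # subject is the stolen file's name
    msg.set_content("Hi! How are you?\nI send you this file in order to "
                    "have your advice.\nSee you later! Thanks.\n")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="resume.doc.exe")
    return msg.as_string()


if __name__ == "__main__":
    for reason in scan_message(build_sample()):
        print("FLAG:", reason)
```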
The last thing most of you need is a lecture on being wary of attachments in your email. So I'm just going to say thanks to whoever took the time to read this. If you have any further info on SirCam, I would greatly appreciate it.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
© 2600SLC.ORG 2001
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-