On July 18, 2001 the new worm virus SirCam began spreading rapidly across the Internet. The virus was first discovered on July 17. Within a few days SirCam had caused a worldwide epidemic, the largest this year.
The Doctor Web antivirus program has been able to detect SirCam since July 17, making it one of the first to do so. The epidemic reached Russia considerably later: the first calls to the DialogueScience technical support service came on July 20, and over the last week several hundred requests have been received from users affected by the virus.
As with any worm virus, the mass spread of SirCam increases the load on networks, and on mail servers in particular. The virus also has a destructive function, which deletes files on the hard disk of the infected computer (it is activated only under certain conditions). But the main danger of SirCam is leakage of confidential information. Incidents have been registered worldwide in which files containing commercial, business and other sensitive information, to which ordinary users had no access, were sent out.
The reason is that SirCam searches the infected computer for ZIP, DOC or XLS files, picks one of them at random, and sends it in the user's name to an e-mail address found on the computer. The virus attaches itself to the file it sends. Because of this propagation pattern, any file may be mailed from the infected computer without the user's knowledge.
To prompt the recipient to open the message, SirCam uses a new psychological trick: it disguises itself as business correspondence. That trick is partly why the virus has spread so widely.
A more detailed description of the worm virus Win32.HLLW.SirCam is given below.
To protect yourself from worm viruses, DialogueScience recommends using up-to-date versions of antivirus programs and, most importantly, treating files received via e-mail with caution. E-mail is currently becoming the main method of spreading new viruses. A little caution can save your data from corruption or leakage.
Description of the Win32.HLLW.SirCam virus
This is a worm virus program affecting computers running a Windows operating system. It propagates by distributing copies of itself via e-mail. The virus may also spread through local networks, infecting computers whose disks are shared as network resources with write access.
Win32.HLLW.SirCam sends itself out by e-mail in the following way.
The addresses for the mailing are obtained by scanning the contents of certain files on the infected computer in which real e-mail addresses are likely to be found, for example Windows address book files, HTML files, etc.
The text of the message may be either in Spanish or in English, and it looks as follows.
English variant:
The first line: Hi! How are you?
Then comes a line taken at random from the four possible choices:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for
The final line: See you later. Thanks
Spanish variant:
The first line: Hola como estas?
Then comes a line taken at random from the four possible choices:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste
The final line: Nos vemos pronto, gracias.
The virus attaches itself to the message as an attachment with an arbitrary name and a double extension, for example "OTCH992A.doc.com", "ANUNCIOS_PRENSA_2001.xls.pif", etc.
The virus puts the name of the attachment, without extension, in the subject line of the message.
There is one more characteristic feature. Besides the main virus program (about 130 KB), the contents of a randomly selected "local" file are appended to the mailed file; the virus specifically uses DOC, XLS and ZIP files available on the infected computer. Later, when launched by the recipient, the virus attempts to open the appended file with the corresponding popular program (EXCEL.EXE, WINZIP.EXE, etc.), thus concealing its own execution. As a side effect, this distribution mechanism may lead to leakage of confidential information from the infected computer.
To infect the computer on which it was launched, the virus performs the following actions.
(1) It creates a copy of itself named Sirc32.exe in the folder C:\Recycled\ and changes the default value of the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command to the following value: "C:\recycled\sirc32.exe" "%1" %*
As a result, the system treats the program "C:\recycled\sirc32.exe" as required in order to run any EXE file. To restore the system to working order after the virus has been removed, the value of the above registry key must be restored (by default it is "%1" %*).
Current versions of DrWeb for Windows 95-2000 with the latest virus database updates installed attempt to perform the required Registry correction automatically when curing the system of this particular virus. If for some reason the automatic correction fails, it must be performed manually. You can do this with the registry editor (the file regedit.exe in the main Windows folder); you will have to rename the file to regedit.com in order to be able to launch the editor. Alternatively, you can import a suitable Registry fragment from the file opencomm.reg: simply open this file (by double-clicking it with the left mouse button) to perform the necessary Registry correction on the infected computer.
(2) The virus creates a copy of itself named scam32.exe in the Windows system folder and registers it as an automatically started system service in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices as follows: Driver32=%System%\scam32.exe
(3) In some cases (with very low probability) the virus may also create a copy of itself named Scmx32.exe in the Windows folder, as well as one named "Microsoft Internet Office.exe" in the folder indicated by the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
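An added example, not part of the original advisory: a small mail-gateway check that flags the traits described above (the fixed body phrases, a double-extension attachment ending in .com or .pif, and a subject equal to the attachment name with both extensions stripped). The sample message is constructed, and the extension set is an assumption drawn only from the examples on this page.

```python
import email.policy
import os
from email.message import EmailMessage

# Phrases are those quoted in the advisory; EXEC_EXTS (.com/.pif) is an assumed, extendable set.
OPENINGS = ("Hi! How are you?", "Hola como estas?")
CLOSINGS = ("See you later. Thanks", "Nos vemos pronto, gracias.")
MIDDLE_LINES = (
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I send you",
    "This is the file with the information that you ask for",
    "Te mando este archivo para que me des tu punto de vista",
    "Espero me puedas ayudar con el archivo que te mando",
    "Espero te guste este archivo que te mando",
    "Este es el archivo con la información que me pediste",
)
EXEC_EXTS = {".com", ".pif"}


def sircam_indicators(raw: str) -> list:
    """Return the SirCam traits found in one RFC 822 message (gateway check)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join(body.get_content().split()) if body is not None else ""  # undo wrapping
    found = [label for label, hit in (
        ("opening line", text.startswith(OPENINGS)),
        ("middle line", any(s in text for s in MIDDLE_LINES)),
        ("closing line", text.endswith(CLOSINGS))) if hit]
    subject = (msg["subject"] or "").strip()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, outer = os.path.splitext(name)   # "OTCH992A.doc", ".com"
        base, inner = os.path.splitext(stem)   # "OTCH992A", ".doc"
        if inner and outer.lower() in EXEC_EXTS:
            found.append("double extension: " + name)
        if inner and base == subject:
            found.append("subject equals attachment base name")
    return found


def build_sample() -> str:
    """Constructed message reproducing the traits above (not a real capture)."""
    m = EmailMessage()
    m["Subject"] = "OTCH992A"
    m.set_content("Hi! How are you?\n\nI hope you like the file that I send you\n\n"
                  "See you later. Thanks\n")
    m.add_attachment(b"MZ" + b"\0" * 30, maintype="application",
                     subtype="octet-stream", filename="OTCH992A.doc.com")
    return m.as_string()
```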
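An added example, not DialogueScience's own tool: checks for the persistence points listed in steps (1) and (2) above (the exefile open command and the Driver32 RunServices entry) plus the text of a .reg fragment that restores the default "%1" %* value. The REGEDIT4 header and the function names are assumptions; the registry values are the ones quoted above.

```python
import ntpath

# Values are those quoted in the advisory above; nothing else is assumed.
EXEFILE_DEFAULT = '"%1" %*'
RUNSERVICES_EXE = "scam32.exe"


def exefile_command_hijack(value: str):
    """Return the program prepended to HKCR\\exefile\\shell\\open\\command,
    or None when the value is the stock '"%1" %*'."""
    v = value.strip()
    if v == EXEFILE_DEFAULT:
        return None
    if v.endswith(EXEFILE_DEFAULT):
        # Hijack pattern: <program> "%1" %*  (the program path may be quoted)
        return v[:-len(EXEFILE_DEFAULT)].strip().strip('"')
    return v  # some other non-default handler: report it verbatim


def runservices_hits(entries: dict) -> list:
    """Names of RunServices values (name -> command) that launch scam32.exe."""
    return [name for name, cmd in entries.items()
            if ntpath.basename(cmd.strip('"')).lower() == RUNSERVICES_EXE]


def restore_reg_fragment() -> str:
    """Text of a .reg file restoring the default exefile open command; the
    REGEDIT4 header is assumed so that Windows 95/98 regedit accepts it too."""
    return ("REGEDIT4\r\n\r\n"
            "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\r\n"
            "@=\"\\\"%1\\\" %*\"\r\n")


def read_exefile_command() -> str:
    """Read the live value on Windows (the winreg module exists only there)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    try:
        hijack = exefile_command_hijack(read_exefile_command())
        print(hijack or "exefile open command is at its default")
    except ImportError:
        print("not on Windows; feed exported values to the check functions")
```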
To infect computers accessible through a LAN, the virus attempts to carry out the following sequence of actions.
(1) It creates its copy \\<Computer>\Recycled\Sirc32.exe
(2) It adds the line "@win \recycled\sirc32.exe" to the file \\<Computer>\Autoexec.bat
(3) It replaces the file \\<Computer>\Windows\Rundll32.exe with the virus program, having first copied the original Rundll32.exe under the name Run32.exe.
The virus has a destructive function, which deletes information from the hard disk drives of the infected computer; it is activated with low probability under certain conditions.
July 30, 2001
DialogueScience Information Service
http://www.antivir.ru
E-mail: Antivir@antivir.ru