Home / malware

PDF

I-Worm.Sircam

First posted on 21 November 2011.
Source: BitDefender

Aliases :

I-Worm.Sircam is also known as W32.Sircam.Worm@mm, W32/SirCam@mm, Backdoor.SirCam.

Explanation :

I-Worm.Sircam.A is an Internet and network worm similar to I-Worm.Magistr.A. The virus spreads through e-mail using its own SMTP routine, sending itself to addresses from the Address Book and from cache or through the shared directories.

It is transmitted through a message with a randomly chosen subject and body, in the form of a combination between the virus infection routine and a file chosen randomly from My Documents.

The original name of the file is kept, but an executable extension is added (.pif, .exe, .lnk).

Users who do not have the option to see attachment extensions activated, will only see the original extension and can be easily fooled.

The body message is as follows:
Subject: Document file name (without extension)
From: [user_of_infected_machine@prodigy.net.mx]
To: [random@email.from.address.book]

Hi! How are you?
I send you this file in order to have your advice

or:

I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for

See you later! Thanks

or, in Spanish:

Subject: Document file name (without extension)
From: [user_of_infected_machine@prodigy.net.mx]
To: [random@email.from.address.book]

Hola como estas ?
Te mando este archivo para que me des tu punto de vista

or:

Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informacion que me pediste

Nos vemos pronto, gracias.

If the attachment is opened, the worm copies itself in the system directory under the name scam32.exe. It also copies itself into the directory "Recycled" under the name sirc32.exe, which is a hidden file. Then the virus creates the following three keys in the Windows Registry:

HKLMSoftwareMicrosoftWindowsCurrentVersionRun Services

with the value Driver32 = %System%scam32.exe to be accessed when Windows starts, and:

HKLMSOFTWAREClassesexefileshellopencommand

with the value C:Recycledsirc32.exe "%1" %*" for the routine infection to be executed before any other EXE file.

If the virus finds network shared directories, it will try to copy itself into the local Windows directory under the name rundll32.exe. The original file is renamed as run32.exe. If the worm succeeds, it will modify the autoexec.bat file by introducing a new line which will allow it to execute the file previously saved in the Windows directory.

As a "signature" the author added the following strings in the virus in an encrypted form:
[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
[SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

Destructive actions:
It sends randomly, as attachment with the viral code, one of the infected system files at the e-mail addresses from the Address Book.
On a random algorithm (one in 20 infected systems), it deletes all files and directories on the root directory C:. This happens on oct. 16 of every year, on the systems using the D/M/Y format for standard date. If the attached file (that generated the infection) contains FA2 without being followed by sc, this destructive action happens regardless of date format.
It slows system performances in one of 50 cases, multiplying a .txt file c:
ecycledsircam.sys
I-Worm.Sircam.A sends confidential information too: it might chose one of your extremely confidential files to attach to its viral code and send to your contacts from the Address Book.

Last update 21 November 2011

 

TOP