SirCam Worm

| Name | SirCam Worm |
| Aliases | Win32.SirCam, W32.Sircam, SirCam, TROJ_SirCam, I-Worm.SirCam |
| Discovered on | July 2001 |

Virus Information - SirCam Worm:
SirCam is a mass-mailing email worm that infects Windows systems. It spreads by sending itself to addresses found in the Windows Address Book and in temporary Internet files.
The worm arrives with a random subject, and the body of the mail carries a constant first and last line.
First Line: Hi! How are you?
Last Line: See you later. Thanks
The content between the first line and the last line varies.
Infected mail carries an attachment with a random file name and a double extension. The first extension is one of EXE, DOC, XLS or ZIP, and the second is one of PIF, COM, LNK or BAT. When the infected file is run, it is saved to the C:\RECYCLED directory as SirC32.exe, and the registry is updated so that the worm loads whenever any EXE file is executed. To achieve this, the worm modifies the registry at the following location:
Hkey_Classes_Root\exefile\shell\open\command
It changes the Default value from "%1" %* to "C:\recycled\SirC32.exe" "%1" %*.
The worm also copies itself under the same name to the WINDOWS\SYSTEM directory and creates a registry key at the following location to load itself at the next startup:
Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServices
The worm stores a list of various file extensions in a file with a random four-letter name and a .DLL extension under the MY DOCUMENTS folder. It also collects all the email addresses from the Windows Address Book and saves them under the WINDOWS\SYSTEM directory in a file with a random name and a .DLL extension.
Using its built-in SMTP server, the worm mails itself to all the email addresses stored in that .DLL file, with the file extensions stored in the other .DLL file.
It creates a registry key to store its information at:
HKEY_LOCAL_MACHINE\SOFTWARE\SirCam
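
The mail traits described above (constant first and last body lines, plus a double-extension attachment) can be checked at a mail gateway. The following is an added example, not part of the original description; the function names and the sample message are constructed for illustration, and only the two body lines and the extension lists come from this page.

```python
import re
from email import message_from_string

FIRST_LINE = "Hi! How are you?"
LAST_LINE = "See you later. Thanks"
# First extension, then second extension, as listed in the description.
DOUBLE_EXT = re.compile(r"\.(exe|doc|xls|zip)\.(pif|com|lnk|bat)$", re.IGNORECASE)

def body_lines(msg):
    """Return the non-empty lines of the first text/plain body part."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            text = payload.decode("latin-1", "replace")
            return [ln.strip() for ln in text.splitlines() if ln.strip()]
    return []

def sircam_traits(raw):
    """Report which of the two mail traits a raw RFC 822 message shows."""
    msg = message_from_string(raw)
    lines = body_lines(msg)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {
        "body_markers": bool(lines) and lines[0] == FIRST_LINE
                        and lines[-1] == LAST_LINE,
        "double_ext_attachments": [n for n in names if DOUBLE_EXT.search(n.strip())],
    }

def looks_like_sircam(raw):
    """Flag only when both traits are present, to limit false positives."""
    t = sircam_traits(raw)
    return t["body_markers"] and bool(t["double_ext_attachments"])

# Constructed sample message (not a captured specimen).
SAMPLE = "\n".join([
    "From: sender@example.com", "To: rcpt@example.com",
    "Subject: budget draft", "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="B1"', "",
    "--B1", 'Content-Type: text/plain; charset="us-ascii"', "",
    FIRST_LINE, "(variable middle text)", LAST_LINE,
    "--B1", 'Content-Type: application/octet-stream; name="budget draft.xls.pif"',
    'Content-Disposition: attachment; filename="budget draft.xls.pif"',
    "Content-Transfer-Encoding: base64", "", "AAAA", "--B1--", "",
])

if __name__ == "__main__":
    print(sircam_traits(SAMPLE), looks_like_sircam(SAMPLE))
```

Because the subject and file name are random, the check keys only on the constant body lines and the extension pattern; either trait alone is weaker evidence than both together.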
