VIRUS ALERT - Sircam (we've blocked 600+ thus far)

greenspun.com : LUSENET : Current News : One Thread

update those antivirus files kiddies, as another worm is working its way around the internet. This one comes in e-mail (exchange), but I assume it can infect your pc if you are running windows and not running outlook.


Name: W32/Sircam-A

Aliases: W32.Sircam.Worm@mm, W32/SirCam@mm, Backdoor.SirCam

Type: Win32 worm

Detection: Will be detected by Sophos Anti-Virus September 2001 (3.49) or later. A virus identity (IDE) file is available for earlier versions from the Latest virus identities section. Sophos has received many reports of this worm from the wild. Comments: W32/Sircam-A is a network-aware worm. The worm spreads via email and by using open network shares. The worm arrives in an email with a random subject which is identical to the attached filename.

The Sophos Technical Support department has written a batch file which you can use to remove W32/Sircam-A.

The attached filename is also randomly chosen, but it has a double extension (for instance, .doc.com or .mpg.pif).

If the attachment is opened, the worm copies itself into the Windows System directory with the filename scam32.exe. The worm also copies itself as a file called sirc32.exe to the Recycled files directory with its file attributes set to hidden.

The worm changes the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32 so that it runs on Windows startup. The registry key HKCR\exefile\shell\open\command is also changed so that the worm runs before any other executable file is opened.

The worm uses the registry key HKLM\Software\SirCam to save data used internally by the worm code.

If the worm finds any open network share, it will attempt to copy itself into the Windows directory on the machine with an open share, with the filename rundll32.exe. The original rundll32.exe file is renamed to run32.exe. If this is successful, the worm changes the file autoexec.bat so that it includes a command to run the worm file previously dropped to the C:\recycled directory.

The worm contains its own SMTP routine which is used to send email messages to email addresses found in the Windows address book and the temporary internet folder, where cached internet files are kept.

Depending on the operating system default language, every email message sent by the worm will always contain identical first and last lines.

If the default language is English, the first line of the message will be:

"Hi! How are you?"

It then chooses one of the following four sentences as the next line of the message:

"I send you this file in order to have your advice"

"I hope you like the file that I sendo you"

"I hope you can help me with this file that I send"

or

"This is the file with the information you ask for"

The last line of the message always reads:

"See you later. Thanks".

If the default language is Spanish, the first line of the message will be:

"Hola como estas ?"

It then chooses one of the following four sentences as the next line of the message:

"Te mando este archivo para que me des tu punto de vista"

"Espero te guste este archivo que te mando"

"Espero me puedas ayudar con el archivo que te mando"

or

"Este es el archivo con la informacion que me pediste"

The last line of the message always reads:

"Nos vemos pronto, gracias.".

On 16 October there is a 1 in 20 chance that the worm will attempt to delete all files from the hard drive.

Because the virus can spread itself using the .EXE, .COM, .LNK, .PIF and .BAT file extensions Sophos technical support recommend users add LNK and BAT to the list of executable file extensions which Sophos Anti-Virus scans.

-- Anonymous, July 24, 2001
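The Sophos write-up above gives enough to build a simple gateway check: a double-extension attachment whose final extension is executable, a subject that matches the attachment name, and the fixed English or Spanish first and last body lines. The following Python is an added example written for this thread, not code from Sophos or from the original poster; the two sample messages are constructed, and the "verdict" rule (double extension plus at least one other trait) is an assumption chosen to keep ordinary "subject = filename" mail from being flagged.

```python
import email
from email import policy
from email.message import EmailMessage

# Final extensions the Sophos write-up says the worm spreads with.
EXECUTABLE_EXTS = {".exe", ".com", ".lnk", ".pif", ".bat"}
# Fixed first and last body lines (English and Spanish) listed in the write-up.
OPENERS = {"hi! how are you?", "hola como estas ?"}
CLOSERS = {"see you later. thanks", "nos vemos pronto, gracias"}


def double_extension(filename):
    """Return (inner, outer) extensions for names like 'report.doc.pif', else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    return "." + parts[1], "." + parts[2]


def sircam_indicators(raw_message):
    """Return the list of Sircam traits found in one RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = double_extension(name)
        if exts and exts[1] in EXECUTABLE_EXTS:
            hits.append("double-extension executable attachment")
        # The write-up says the subject is the attachment name; accept the name
        # with zero, one or two trailing extensions removed (an assumption).
        stem = name.lower()
        candidates = {stem}
        for _ in range(2):
            stem = stem.rsplit(".", 1)[0]
            candidates.add(stem)
        if subject and subject in candidates:
            hits.append("subject equals attachment name")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    lines = [ln.strip().lower() for ln in body.splitlines() if ln.strip()]
    if lines and lines[0] in OPENERS:
        hits.append("worm greeting line")
    if lines and lines[-1].rstrip(".") in CLOSERS:
        hits.append("worm closing line")
    return hits


def is_sircam_like(raw_message):
    """Gateway verdict (assumed rule): executable double extension plus one more trait."""
    hits = sircam_indicators(raw_message)
    return "double-extension executable attachment" in hits and len(hits) >= 2


def build_sample(subject, body, attach_name):
    """Construct a sample message for testing (not a captured worm e-mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


# Constructed samples: one shaped like the worm mail described above, one ordinary.
WORM_LIKE = build_sample(
    "Report",
    "Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later. Thanks\n",
    "Report.doc.pif",
)
BENIGN = build_sample(
    "Meeting minutes",
    "Hi all,\n\nattached are the minutes from Monday.\n\nRegards\n",
    "minutes.pdf",
)

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, is_sircam_like(raw), sircam_indicators(raw))
```

Run as-is it prints the verdict and matched traits for both samples; in a real gateway you would feed it each message's raw bytes and quarantine on a True verdict rather than bouncing, so the sender (usually an infected victim) can be traced as the later posts recommend.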

Answers

Why is this one so bad?

Why the SirCam worm is only the beginning for new viruses

Robert Vamosi, Security Expert, ZDNet Help & How-To

While the media was preoccupied with Code Red last weekend, a second major worm was making the rounds. SirCam didn't target the White House, nor did it capitalize on Microsoft's vulnerabilities, nor did it specifically target Outlook. Stealth was just what the virus writer wanted, and under the crush of Code Red's press coverage, that's what SirCam got. Now SirCam is the number one virus in the world.

Jose Nazario, who spoke at this year's Black Hat Security Briefing, is a biochemist who makes biological parallels with computer viruses. The problem with the current group of worms, according to Nazario, is that they are all too highly visible, unable to infect specific targets, and too easily blocked by antivirus vendors. Nazario predicted that future worms will be written with a specific goal in mind, such as infecting a specific large network or spreading a political or hacktivism message within a specific group of industry servers. And they will do so with greater stealth.

NAZARIO SAID that virus writers were getting more sophisticated and are trying to balance spread vs. penetration. The ILOVEYOU worm set off red alerts all over the world in the first five hours of infection, whereas two recent worms, Magistr and SirCam, both spread quietly. Each was able to penetrate a fairly large number of computers within a short period of time without a whole lot of attention.

Magistr and SirCam both use their own SMTP engines. Rather than target systems using Microsoft Outlook e-mail software, these worms can grab e-mail addresses from an infected system and send copies of themselves whether or not an e-mail client is installed on the system. SirCam actually goes one step further by also being "network-aware." It looks for shared resources and attacks networked drives, so many people will be infected with SirCam without ever even seeing the original infected e-mail.

Unlike viruses that need a file or e-mail to spread, worms are themselves on autopilot; they are always on the lookout for new computers to infect. Once they hit a network, they work tirelessly to claim every machine. Nazario predicts that in the future, worms will be even more dynamic. Instead of trying to match specific infection criteria with each computer (as worms do now), these new worms might settle for only two of three criteria for each new infection. If that happens, detecting and removing these worms could get much harder as patterns or signatures become even more difficult to identify.

I RECENTLY SPOKE WITH Joe Hartman, director of North American antivirus research for Trend Micro, Inc., who said one way to guard against network-aware worms like SirCam is to restrict network access, either by restricting open shares altogether or allowing them under certain conditions such as requiring a password. In Windows 2000, you can set permissions on open file shares.

Unfortunately, just cleaning your machine isn't enough--you can still be re-infected with SirCam once you've removed it. If you are on a network system, try to trace back to find out who may have sent you an infected e-mail or an infected file and immediately follow up. Your entire network remains vulnerable until the last trace of SirCam is removed.

We haven't heard the last of Code Red or SirCam, because virus writers build on each other's successes and create endless variations. It's time to batten down the hatches. Update your antivirus program and scan frequently because smarter, better worms are coming. You have been warned.

-- Anonymous, July 25, 2001


Our Email system has stopped several hundred (approaching a thousand) attempts to send us the SirCam worm. Unfortunately, SirCam can also spread using open network shares. If an individual receives the virus from an external ISP or mail service (Hotmail, yahoo, etc.) and it infects that machine, it searches out open shares to infect. Or if an individual's HOME machine is infected and he/she connects to OUHSC through VPN or dial-up the same thing can happen.

This, I believe, is where we are the most vulnerable. See the article below:

Don't tip your hat to the SirCam worm By Robert Vamosi, Help & How-To

This worm can infect and re-infect networked computers without users even knowing. Find out how to protect your system.

July 18, 2001, revised 7/19/01

SirCam is a sophisticated worm that will infect files shared over an open network so most people will never see the original infected e-mail associated with the worm. SirCam (w32.Sircam@mm) also contains a dangerous payload: It may delete all the files on the C drive in mid October. Antivirus vendors are continuing to examine the worm while reports of infection increase worldwide. SirCam currently ranks as a 6 on the ZDNet Virus Meter.

How it works

SirCam initially arrives as an e-mail message with the following information in either English or Spanish:

Subject: (Random)

Body: (Random content--see below)

Attached: (Random)

The body of the e-mail will always begin with "Hi! How are you?" and end with "See you later. Thanks." In between these opening and closing lines will be one of the following:

* I send you this file in order to have your advice
* I hope you can help me with this file that I send
* I hope you like the file that I send you
* This is the file with the information that you ask for

If a user clicks on the attached file, SirCam will copy itself to the Windows System directory with the name scam32.exe. The worm changes the Windows registry key so that it always launches upon system startup. The worm will check to see if there are any open shares on a network and if so, SirCam will copy rundll32.exe to the system, renaming the existing rundll32.exe to run32.exe.

SirCam contains its own e-mail capabilities using SMTP (similar to a feature found in the Magistr virus).

SirCam also spreads among open file shares on a networked system (in other words, if you can access other directories on other machines, that's an open file share). Antivirus vendors are suggesting that many more people will be exposed to SirCam via open networks than through e-mail. It is possible that individual computers on a shared network could become infected multiple times until all instances of the worm are removed from the shared network.

Removal and prevention

Antivirus software companies are in the process of updating their signature files to include SirCam. For more information on removing SirCam from your system, see Sophos, Symantec, McAfee, Central Command, and Trend Micro.

Prevention

Here are the basic steps for containing this worm:

1. Download Microsoft's Outlook Security Patch. If you haven't already installed it, download the Outlook 98 Security Patch or the Outlook 2000 Security Patch. Please note that this patch does not include Outlook Express. Click here for help with installation, or for more information regarding this patch.

2. "Don't open attachments!" One of the best ways to prevent virus infections is not to open attachments, especially when worms such as SirCam are being actively circulated. Even if the e-mail is from a known source, be careful. A few worms take the mailing lists from an infected computer and send out new messages with its destructive payload attached. Always scan the attached files first for worms. Unless it's a file or an image you are expecting, delete it.

3. Stay informed. Did you know that there are virus and security alerts almost every day? Keep up-to-date on breaking viruses and solutions by bookmarking our Alerts & Solutions page.

4. Get protected. If you don't already have virus protection software on your machine, you should. If you're a home or individual user, it's as easy as downloading any of these top-rated programs then following the installation instructions. If you're on a network, check with your network administrator first.

5. Scan your system regularly. If you're just loading antivirus software for the first time, it's a good idea to let it scan your entire system. It's better to start with your PC clean and free of virus problems. Often the antivirus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

6. Update your antivirus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat. You can also scan your system for the latest security updates here.



-- Anonymous, July 25, 2001
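Since this post and the Sophos text above agree that a cleaned machine can be re-infected over open shares, a host-side check for the indicators they list (scam32.exe, the hidden sirc32.exe in Recycled, run32.exe, the RunServices\Driver32 value, the hijacked exefile open command, the HKLM\Software\SirCam key, and the autoexec.bat line) is useful for sweeping a whole network. The Python below is an added example for this thread, not code from the vendors or the posters; it runs on a constructed snapshot anywhere, and on Windows it can read the live registry via the standard winreg module. The file paths assume a default C:\Windows install and the autoexec line content is constructed, both labelled in the code.

```python
import os
import sys

# Host-side indicators from the write-ups. Paths assume C:\Windows as the
# Windows directory (an assumption; adjust for the host being checked).
DROPPED_FILES = {
    r"c:\windows\system\scam32.exe",  # worm copy in the Windows System directory
    r"c:\recycled\sirc32.exe",         # hidden copy dropped into the Recycled directory
    r"c:\windows\run32.exe",           # renamed original rundll32.exe after share infection
}
RUN_SERVICES_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
EXEFILE_KEY = r"HKCR\exefile\shell\open\command"
SIRCAM_DATA_KEY = r"HKLM\Software\SirCam"
DEFAULT_EXEFILE_COMMAND = '"%1" %*'  # stock (Default) value of the exefile open command


def scan_snapshot(files, registry, autoexec_lines=()):
    """Check a host snapshot for the indicators described in the write-ups.

    files:          iterable of full paths present on the host
    registry:       dict mapping a key path to a dict of {value name: data}
    autoexec_lines: lines of C:\\autoexec.bat, if available
    Returns a list of human-readable findings (empty list = no indicator seen).
    """
    findings = []
    present = {p.lower() for p in files}
    for path in sorted(DROPPED_FILES):
        if path in present:
            findings.append(f"dropped file present: {path}")

    run_services = registry.get(RUN_SERVICES_KEY, {})
    if "Driver32" in run_services:
        findings.append(f"RunServices\\Driver32 autostart -> {run_services['Driver32']}")

    # Any deviation from the stock command means every .exe launch goes through
    # something else first, which is exactly the hijack the write-ups describe.
    exefile_cmd = registry.get(EXEFILE_KEY, {}).get("", DEFAULT_EXEFILE_COMMAND)
    if exefile_cmd.strip() != DEFAULT_EXEFILE_COMMAND:
        findings.append(f"exefile open command hijacked -> {exefile_cmd}")

    if SIRCAM_DATA_KEY in registry:
        findings.append(f"worm data key present: {SIRCAM_DATA_KEY}")

    for line in autoexec_lines:
        low = line.lower()
        if "\\recycled\\" in low and ".exe" in low:
            findings.append(f"autoexec.bat runs a file from Recycled: {line.strip()}")
    return findings


def live_snapshot():
    """Read the indicator keys/paths from a running Windows host; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCR": winreg.HKEY_CLASSES_ROOT}
    registry = {}
    for key in (RUN_SERVICES_KEY, EXEFILE_KEY, SIRCAM_DATA_KEY):
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)
                    except OSError:
                        break
                    values[name] = data
                    i += 1
                registry[key] = values
        except OSError:
            continue  # key absent: nothing to record
    files = [p for p in DROPPED_FILES if os.path.exists(p)]
    autoexec = []
    if os.path.exists(r"c:\autoexec.bat"):
        with open(r"c:\autoexec.bat", errors="replace") as f:
            autoexec = f.readlines()
    return files, registry, autoexec


# Constructed snapshots (sample data, not taken from a real machine).
INFECTED_FILES = [r"C:\Windows\System\scam32.exe", r"C:\Recycled\sirc32.exe",
                  r"C:\Windows\notepad.exe"]
INFECTED_REGISTRY = {
    RUN_SERVICES_KEY: {"Driver32": r"C:\WINDOWS\SYSTEM\scam32.exe"},
    EXEFILE_KEY: {"": r'"C:\recycled\sirc32.exe" "%1" %*'},
    SIRCAM_DATA_KEY: {"Data": "(opaque worm state)"},
}
INFECTED_AUTOEXEC = ["@echo off\n", "@win \\recycled\\sirc32.exe\n"]  # constructed line
CLEAN_FILES = [r"C:\Windows\notepad.exe", r"C:\Windows\rundll32.exe"]
CLEAN_REGISTRY = {RUN_SERVICES_KEY: {}, EXEFILE_KEY: {"": '"%1" %*'}}

if __name__ == "__main__":
    snap = live_snapshot() or (INFECTED_FILES, INFECTED_REGISTRY, INFECTED_AUTOEXEC)
    for finding in scan_snapshot(*snap) or ["no Sircam indicators found"]:
        print(finding)
```

Run it on each machine that touches the shares (including home machines coming in over VPN or dial-up, as the post above points out), and keep re-running until every host reports clean; a single remaining copy will repopulate the others through rundll32.exe on the next open share it finds.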


It all boils down to "Don't click on the attachments."

I've noticed that zone alarm has been isolating attachments in emails that I receive. Even links.

-- Anonymous, July 25, 2001


I think the reason we are vulnerable is that no one is learning proper English any more. I have yet to see a virus text that wasn't almost screamingly in bad English. You'd think the instigators would be more careful; they could do more damage.

-- Anonymous, July 25, 2001
