NORTHROP-L Archives
From: "Karima" <>
Subject: [NORTHROP] FROM Karima - Additional Virus Information - "W32/Sircam"
Date: Tue, 31 Jul 2001 07:02:38 -0500
Good Morning Fellow List Members,
I am sending the following to all of the members of ALL the lists that I
administer (sorry for any duplications).
AGAIN, this is NOT meant to start a discussion on this list, BUT rather to
INFORM you about another of the viruses that is making its rounds.
Please read this CAREFULLY so that, should you receive an attachment with
this virus from anybody (even your mother, father, brother, sister, etc.),
you will recognize it and not be fooled into opening it. It is a bit
technical, but very important that you understand how this works and what to
do if you find that your computer is infected.
Take Care,
Karima
List Administrator
============================
START READING HERE:
"W32/Sircam" is malicious code that spreads through email and potentially
through unprotected network shares. Once the malicious code has been
executed on a system, it may reveal or delete sensitive information.
As of 10:00 EST (GMT-4) Jul 25, 2001 the CERT/CC has received reports of
W32/Sircam from over 300 individual sites.
I. Description
W32/Sircam can infect a machine in one of two ways:
* When executed by opening an email attachment containing the malicious code
* By copying itself into unprotected network shares
Propagation Via Email
The virus can appear in an email message written in either English or
Spanish with a seemingly random subject line. All known versions of
W32/Sircam use the following format in the body of the message:
English:
Hi! How are you?
[middle line]
See you later. Thanks
Spanish:
Hola como estas ?
[middle line]
Nos vemos pronto, gracias.
Where [middle line] is one of the following:
English:
* I send you this file in order to have your advice
* I hope you like the file that I sendo you
* I hope you can help me with this file that I send
* This is the file with the information you ask for
Spanish:
* Te mando este archivo para que me des tu punto de vista
* Espero te guste este archivo que te mando
* Espero me puedas ayudar con el archivo que te mando
* Este es el archivo con la informacion que me pediste
Users who receive copies of the malicious code through electronic mail might
recognize the sender. We encourage users to avoid opening attachments
received through electronic mail, regardless of the sender's name, without
prior knowledge of the origin of the file or a valid digital signature.
The email message will contain an attachment whose name matches the subject
line and has a double file extension (e.g. subject.ZIP.BAT or
subject.DOC.EXE). The CERT/CC has confirmed reports that the first extension
may be .DOC, .XLS, or .ZIP. Anti-virus vendors have referred to additional
extensions, including .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, and
.PS. The second extension will be .EXE, .COM, .BAT, .PIF, or .LNK. The
attached file contains both the malicious code and the contents of a file
copied from an infected system.
When the attachment is opened, the copied file is extracted to both the
%TEMP% folder (usually C:\WINDOWS\TEMP) and the Recycled folder on the
affected system. The original file is then opened using the appropriate
default viewer while the infection process continues in the background.
It is possible for the recipient to be tricked into opening this malicious
attachment since the file will appear without the .EXE, .BAT, .COM, .LNK, or
.PIF extensions if the "Hide file extensions for known file types" option is
enabled in Windows. See IN-2000-07 for additional information on the
exploitation of hidden file extensions.
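The message template and the double-extension attachment naming described above are fixed enough to filter on at a mail gateway. The following is an added example, not code from the CERT advisory or from this post: it parses a raw RFC 822 message with Python's standard `email` module and reports which of the advisory's indicators it matches (the fixed greeting and sign-off lines, a document-looking first extension followed by an executable second extension, and an attachment base name equal to the Subject). The two sample messages are constructed for the example; their attachment bytes are filler, not the worm.

```python
"""Flag mail matching the W32/Sircam message pattern described in the advisory.

Heuristics, each taken from the advisory text:
  * body opens with the fixed greeting and closes with the fixed sign-off
  * an attachment name carries a double extension, document-looking first,
    executable second
  * the attachment's base name equals the Subject line
"""
import email
import re
from email.message import Message

FIRST_EXT = {"doc", "xls", "zip", "gif", "jpg", "jpeg", "mpeg",
             "mov", "mpg", "pdf", "png", "ps"}
EXEC_EXT = {"exe", "com", "bat", "pif", "lnk"}
GREETINGS = ("hi! how are you?", "hola como estas ?")
CLOSINGS = ("see you later. thanks", "nos vemos pronto, gracias.")
DOUBLE_EXT = re.compile(r"^(?P<base>.+)\.(?P<first>[a-z0-9]+)\.(?P<second>[a-z0-9]+)$", re.I)


def body_matches_template(text: str) -> bool:
    """True when the first and last non-empty lines are the worm's fixed greeting/closing."""
    lines = [ln.strip().lower() for ln in text.splitlines() if ln.strip()]
    return len(lines) >= 2 and lines[0] in GREETINGS and lines[-1] in CLOSINGS


def attachment_findings(msg: Message) -> list:
    """One reason string per attachment that looks like a Sircam carrier file."""
    subject = (msg.get("Subject") or "").strip().lower()
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        m = DOUBLE_EXT.match(name) if name else None
        if not m:
            continue
        first, second = m.group("first").lower(), m.group("second").lower()
        if first in FIRST_EXT and second in EXEC_EXT:
            findings.append(f"double extension: {name}")
            if m.group("base").lower() == subject:
                findings.append(f"attachment base name equals Subject: {name}")
    return findings


def sircam_indicators(raw: bytes) -> list:
    """Parse a raw RFC 822 message; return every matched indicator (empty list = no match)."""
    msg = email.message_from_bytes(raw)
    reasons = []
    for part in msg.walk():                      # first text/plain body part only
        if part.get_content_type() == "text/plain" and not part.get_filename():
            body = (part.get_payload(decode=True) or b"").decode("latin-1", "replace")
            if body_matches_template(body):
                reasons.append("body matches Sircam greeting/closing template")
            break
    reasons.extend(attachment_findings(msg))
    return reasons


# Constructed sample: Sircam-style message. The attachment bytes are filler ("MZ"), not the worm.
SAMPLE_SIRCAM = b"""From: colleague@example.org
To: you@example.org
Subject: budget
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks
--sep
Content-Type: application/octet-stream; name="budget.doc.exe"
Content-Disposition: attachment; filename="budget.doc.exe"
Content-Transfer-Encoding: base64

TVo=
--sep--
"""

# Constructed sample: ordinary message with a single-extension attachment.
SAMPLE_BENIGN = b"""From: colleague@example.org
To: you@example.org
Subject: minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Hi team, the minutes from today are attached.
Thanks
--sep
Content-Type: application/msword; name="minutes.doc"
Content-Disposition: attachment; filename="minutes.doc"
Content-Transfer-Encoding: base64

TVo=
--sep--
"""

if __name__ == "__main__":
    for label, raw in (("sircam", SAMPLE_SIRCAM), ("benign", SAMPLE_BENIGN)):
        print(label, sircam_indicators(raw))
```

The extension check is the durable part: a document extension immediately followed by an executable one is suspicious regardless of which worm is current, whereas the greeting and sign-off strings only catch the variants the advisory lists and should be treated as a confirming signal, not the sole one.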
W32/Sircam includes its own SMTP client capabilities, which it uses to
propagate via email. It determines its recipient list by recursively
searching for email addresses contained in all *.wab (Windows Address Book)
files in the %SYSTEM% folder. Additionally, it searches the folders referred
to by
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
for files containing email addresses. All addresses found are stored in
SC??.DLL or S??.DLL files hidden in the %SYSTEM% folder.
W32/Sircam first attempts to send messages using the default email settings
for the current user. If the default settings are not present, it appears to
use one of the following SMTP relays:
* prodigy.net.mx
* NetBIOS name for 'MAIL'
* mail.<defaultdomain> (e.g., mail.example.org)
* dobleclick.com.mx
* enlace.net
* goeke.net
Propagation Via Network Shares
In addition to email-based propagation, analysis by anti-virus vendors
suggests that W32/Sircam can spread through unprotected network shares.
Unlike the email propagation method, which requires a user to open an
attachment to infect the machine, propagation of W32/Sircam via network
shares requires no human intervention.
If W32/Sircam detects Windows networking shares with write access, it
1. copies itself to \\[share]\Recycled\SirC32.EXE
2. appends "@ win\Recycled\SirC32.exe" to AUTOEXEC.BAT
If the share contains a Windows folder, it also
3. copies \\[share]\Windows\rundll32.exe to \\[share]\Windows\run32.exe
4. copies itself to \\[share]\Windows\rundll32.exe
5. when the virus is executed from rundll32.exe, it calls run32.exe
Infection process
1. When installed on a victim machine, W32/Sircam installs a copy of itself
in two hidden files:
+ %SYSTEM%\SCam32.exe
+ Recycled\SirC32.exe
Installing in Recycled may hide it from anti-virus software since some do
not check this folder by default. Based on external analyses, there is also
a probability that W32/Sircam will copy itself to the %SYSTEM% folder as
ScMx32.exe. In that case, another copy is created in the folder referred to
by HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders\Startup (the current user's personal startup folder). The
copy created in that location is named Microsoft Internet Office.exe. When
the affected user next logs in, this copy of W32/Sircam will be started
automatically.
2. The registry entry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32
is set to %SYSTEM%\SCam32.exe so that W32/Sircam will run
automatically at system startup.
3. The registry entry HKEY_CLASSES_ROOT\exefile\shell\open\command is set to
"C:\Recycled\SirC32.exe" "%1" %*, causing W32/Sircam to execute whenever
another executable is run.
4. A new registry entry, HKEY_LOCAL_MACHINE\Software\SirCam, is created to
store data required by W32/Sircam during execution.
5. W32/Sircam searches for filenames with .DOC, .XLS, .ZIP extensions in the
folders referred to by
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
While the personal folder may vary with configuration, it is often set to
\My Documents or \Windows\Profiles\%username%\Personal. A list of these
files is stored in %SYSTEM%\scd.dll.
6. W32/Sircam attaches its own binary to selected files it finds and stores
the combined file in the Recycled folder.
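Steps 2 through 4 above are the registry changes an investigator would check for on a suspect machine. The following is an added example, not code from the CERT advisory or from this post: it parses a registry export in the `.reg` text format (the `[KEY]` / `"name"="data"` layout regedit produces) and reports the three persistence indicators named in the steps, namely a `RunServices\Driver32` value pointing at SCam32.exe, an `exefile\shell\open\command` handler that is anything other than the stock `"%1" %*`, and the presence of `HKEY_LOCAL_MACHINE\Software\SirCam`. The two export snippets are constructed for the example; the `%SYSTEM%` path is assumed to be `C:\WINDOWS\SYSTEM` and the hex data under the SirCam key is filler.

```python
r"""Check a Windows registry export (.reg text) for the W32/Sircam persistence
entries named in the infection-process steps: the RunServices\Driver32 value,
the hijacked HKCR\exefile\shell\open\command handler and the HKLM\Software\SirCam key.

The .reg parser is deliberately small: [KEY] sections, "name"="string" and
@="string" values; dword:/hex: data is kept as raw text and hex continuation
lines are ignored.
"""
import re

CLEAN_EXE_HANDLER = '"%1" %*'   # stock value of HKEY_CLASSES_ROOT\exefile\shell\open\command
RUN_SERVICES = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
EXE_HANDLER = r"hkey_classes_root\exefile\shell\open\command"
SIRCAM_KEY = r"hkey_local_machine\software\sircam"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash before a quote or a backslash is dropped."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> dict:
    """Return {key_path_lowercased: {value_name_lowercased: data}}; '' is the (Default) value."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("key").lower()
            reg.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name = "" if val.group("default") else _unescape(val.group("name")).lower()
            data = val.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])          # REG_SZ string
            reg[current][name] = data
    return reg


def sircam_registry_indicators(reg: dict) -> list:
    """Return a finding string per Sircam persistence indicator present in the export."""
    findings = []
    driver32 = reg.get(RUN_SERVICES, {}).get("driver32", "")
    if driver32.lower().endswith("scam32.exe"):
        findings.append(f"RunServices\\Driver32 -> {driver32}")
    handler = reg.get(EXE_HANDLER, {}).get("")
    if handler is not None and handler != CLEAN_EXE_HANDLER:
        # Any value other than the stock one means every .exe launch goes through
        # another program first; Sircam points it at C:\Recycled\SirC32.exe.
        findings.append(f"exefile open handler hijacked: {handler}")
    if SIRCAM_KEY in reg:
        findings.append("HKLM\\Software\\SirCam key present")
    return findings


# Constructed sample export; key paths follow the advisory, the hex data is filler
# and %SYSTEM% is assumed to be C:\WINDOWS\SYSTEM.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Recycled\\SirC32.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\SirCam]
"FB1B"=hex:01,02,03
'''

# Constructed sample of a clean machine: only the stock .exe handler.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    print(sircam_registry_indicators(parse_reg(INFECTED_REG)))
    print(sircam_registry_indicators(parse_reg(CLEAN_REG)))
```

To run it against a real export, read the file with `encoding="utf-16"` for the "Windows Registry Editor Version 5.00" format regedit on Windows 2000 and later writes, and with the system ANSI code page for the older REGEDIT4 format. The `exefile` handler check is worth keeping beyond this worm: the stock value is always `"%1" %*`, so any other value means some program is being interposed on every executable launch.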
II. Impact
W32/Sircam can have a direct impact on both the computer which was infected
as well as those with which it communicates over email.
* Breaches of confidentiality: The malicious code will at a minimum search
through select folders and mail potentially sensitive files. This form of
attack is extremely serious since it is one from which it is impossible to
recover. Once a file has been publicly distributed, any potentially
sensitive information in it cannot be retracted.
* Limit Availability (Denial of Service)
+ Fill entire hard drive: Based on external analyses, on any given day,
there is a probability that it will create a file named
C:\Recycled\sircam.sys which consumes all free space on the C: drive. A full
disk will prevent users from saving files to that drive, and in certain
configurations impede system-level tasks (e.g., swapping, printing).
+ Propagation via mass emailing: W32/Sircam will attempt to propagate by
sending itself through email to addresses obtained as described above. This
propagation can lead to congestion in mail servers that may prevent them
from functioning as expected. NOTE: Since W32/Sircam uses native SMTP
routines connecting to pre-defined mail servers, propagation is independent
of the mail client software used.
* Loss of Integrity: Published reports indicate that on October 16 there is
a reasonable probability that W32/Sircam will attempt to recursively delete
all files from the drive on which Windows is installed (typically C:).
III. Solution
Run and Maintain an Anti-Virus Product
It is important for users to update their anti-virus software. Most
anti-virus software vendors have released updated information, tools, or
virus databases to help detect and partially recover from this malicious
code. A list of vendor-specific anti-virus information can be found in
Appendix A.
Many anti-virus packages support automatic updates of virus definitions. We
recommend using these automatic updates when available.
Exercise Caution When Opening Attachments
Exercise caution when receiving email with attachments. Users should never
open attachments from an untrusted origin, or ones that appear suspicious in
any way. Finally, cryptographic checksums should also be used to validate
the integrity of the file.
The effects of this class of malicious code are activated only when the file
in question is executed. Social engineering is typically employed to trick a
recipient into executing the malicious file. The best advice with regard to
malicious files is to avoid executing them in the first place. The following
tech tip offers suggestions as to how to avoid them:
Protecting yourself from Email-borne Viruses and Other Malicious Code During
Y2K and Beyond
Filter the Email or use a Firewall
Sites can use email filtering techniques to delete messages containing
subject lines known to contain the malicious code, or they can filter all
attachments.
Likewise, a firewall or border router can be used to stop the W32/Sircam
outbound SMTP connections to mail servers outside of the local network. This
filtering strategy will prevent further propagation of the worm from a
particular host when the local mail configuration is not used.
# # #