Virus Warning - Ford Forums - Mustang Forum, Ford Trucks, Ford Focus and Ford Cars
#1  07-25-2001, 17:52
bobr (BA XR6T) | Join Date: May 2001 | Location: Hobart, Tasmania, Australia | Posts: 111

Virus Warning

A NEW VIRUS - NAMED W32/SIRCAM - IS BEING PROPAGATED BY EMAIL WITH THE POTENTIAL TO CAUSE VERY SEVERE DAMAGE TO COMPUTER SYSTEMS.

The virus can appear in an email message written in either English or
Spanish with a seemingly random subject line. All known versions of
W32/Sircam use the following format in the body of the message:

English
Hi! How are you?
[middle line]
See you later. Thanks

Spanish
Hola como estas ?
[middle line]
Nos vemos pronto, gracias.

Where [middle line] is one of the following:

English
I send you this file in order to have your advice
I hope you like the file that I sendo you
I hope you can help me with this file that I send
This is the file with the information you ask for

Spanish
Te mando este archivo para que me des tu punto de vista
Espero te guste este archivo que te mando
Espero me puedas ayudar con el archivo que te mando
Este es el archivo con la informacion que me pediste

Users who receive copies of the malicious code through electronic mail
might recognize the sender. We encourage users to avoid opening
attachments received through electronic mail, regardless of the
sender's name, without prior knowledge of the origin of the file or a
valid digital signature.

:( :( :(
__________________
Ford + Ford Performance Vehicles= Great!
Founder - Tickford Owners Club of Tasmania
#2  07-25-2001, 18:03
LunaticSVT (***** Idiot....) | Join Date: Feb 2001 | Location: The Sticks of Central TX | Posts: 10,561
Bob: Please don't take offense to this. This was released last Tuesday. Just a little old. Appreciate the info though for those that did not know about it.
Just a little more info:

This virus embeds and resides itself in your trash bin. It will alter your autoexec.bat file to call this file from the trash upon boot-up. It will infect your rundll32.exe file, disallowing you to run any programs on your system.

It spreads through email. This is where it gets nasty.

It randomly finds a document that you have on your system and embeds itself there. Goes into your Outlook or Outlook Express and sends itself with the above message to your list of friends, family and business addresses that you have stored. It attaches this random file it embedded into to the email and from there spreads. It gets better. It will replicate this action over a predetermined time that it selects. I think ("this is my idea") that it gets the time interval from the size of the file it attaches itself to.

It also has a time bomb in it that on a predetermined date will delete your system files.

Norton has the definitions for this infection.
#3  07-25-2001, 20:09
LunaticSVT (***** Idiot....) | Join Date: Feb 2001 | Location: The Sticks of Central TX | Posts: 10,561
One official report of this:

Sircam is a mass-mailing e-mail worm with the ability to spread through Windows network shares. The worm's body is 137216 bytes long, but when it comes as an e-mail attachment it is larger in size due to a document that is attached to its body.

When the worm runs on a clean system it copies itself to different locations with different names:

1. The worm copies itself as 'SirC32.exe' to the \Recycled\ folder. The default EXE file startup Registry key:

[HKCR\exefile\shell\open\command]

is changed to '""[windows_drive]\recycled\SirC32.exe" "%1" %*"'. This is done to activate a copy of the worm every time an EXE file is started.

2. The worm copies itself as 'SCam32.exe' in the System directory. The worm then creates a startup key for this file in the Registry so that it is started during all Windows sessions:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32" = "<windows_system_dir_name>\SCam32.exe"

3. The worm copies itself as a 'rundll32.exe' file to the Windows directory. The original 'rundll32.exe' file is renamed to 'run32.exe'. This copy exists only if a computer got infected through a network share (see below).

4. Sometimes (once out of 33 cases) the worm places its copy in the Windows directory under the name 'ScMx32.exe'. In this case another copy of the worm is created in the current user's personal startup folder as 'Microsoft Internet Office.exe'. This copy will be started when the user who got infected logs into the system.

When a Sircam-infected e-mail attachment is opened it shows the document it picked up from the sender's machine. The file is displayed with the appropriate program according to its extension:

'.DOC': WinWord.exe or WordPad.exe
'.XLS': Excel.exe
'.ZIP': winzip.exe

This effectively disguises the worm's activity. While the user is checking the document the system gets infected (as described above).

The worm uses the Windows Address Book to collect e-mail addresses ('*.wab' files). The worm also tries to look for e-mail addresses in the \Temporary Internet Files\ folder ('sho*', 'get*', 'hot*', '*.html'). If a user has a working e-mail account the worm reads its settings. Otherwise '[username]@prodigy.mx.net' is used as the default sender's address and 'prodigy.net.mx' is used for the SMTP server name. The worm has its own SMTP engine and it sends out messages using this engine.

The worm collects a list of files with certain extensions ('.DOC', '.XLS', '.ZIP') into fake DLL files named 'sc*.dll'. The worm then sends itself out with one of the document files it found in a user's 'My Documents' folder.

Messages sent by Sircam look like this:

From: [user@address]
To: [user@address]
Subject: [document name without extension]

Hi! How are you?

'I send you this file in order to have your advice'
or
'I hope you can help me with this file that I send'
or
'I hope you like the file that I sendo you'
or
'This is the file with the information that you ask for'

See you later. Thanks

If a system's language is set to Spanish the worm sends messages in Spanish:

Hola como estas ?

'Te mando este archivo para que me des tu punto de vista'
or
'Espero me puedas ayudar con el archivo que te mando'
or
'Espero te guste este archivo que te mando'
or
'Este es el archivo con la información que me pediste'

Nos vemos pronto, gracias.

The attached file has the name of a picked document file with a double extension like '.DOC.EXE' or '.XLS.PIF'. '.COM', '.BAT', '.PIF' and '.LNK' are used as second (executable) extensions. Since the worm can pick any of the user's personal documents, it might send out confidential information.

This worm also uses Windows network shares to spread. When doing this, it first enumerates all the network shares available to the infected computer. If there is a writeable \recycled\ folder on a share, a copy of the worm is put in the '\\[share]\recycled\' folder as a 'SirCam32.exe' file. The \\[share]\autoexec.bat file is appended with an extra line, '@win \recycled\SirC32.exe', so the next time the infected computer is rebooted the worm will be started. The worm also copies itself as a 'rundll32.exe' file to the Windows directory of the remote system. The original 'rundll32.exe' file is copied to 'run32.exe' before that.

The worm has two payloads. On the 16th of October, in one case out of 20, it deletes everything from the drive where Windows is installed. On any other day, in one of 50 cases, it fills up the drive where Windows is installed. In this case it creates a file called '<windows drive>:\recycled\sircam.sys' and continuously fills it with one of the text strings given below until the hard drive space is consumed.

'[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]'
or
'[SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en
- Cuitzeo, Michoacan Mexico]'

Removal instructions:

If your system is infected with the worm, first please download this REG file and install it (by double-clicking on it):

ftp://ftp.europe.f-secure.com/anti-v...s/sirc_dis.reg

This will remove the worm's reference from the EXE file startup key and the worm's main startup key in the Registry.

Warning! The system might become unusable if the worm's file is deleted without modifying the EXE file startup key first.

After that the system can be safely disinfected with FSAV. If for some reason the worm's file can't be deleted from Windows (locked file), then you have to exit to pure DOS and delete the worm's file manually or use a DOS-based scanner (F-Prot for DOS, for example). All worm files have to be deleted or renamed.

If a workstation was infected through a network share, '\windows\run32.exe' has to be renamed back to '\windows\rundll32.exe' after disinfection.

The extra line in the 'autoexec.bat' file that starts the worm from the \recycled\ folder should be removed also.

Network infection prevention:

If a network is infected and it is not possible to take it down to disinfect all workstations, the following method can prevent the worm from spreading to clean workstations:

In the \Recycled\ folder of the drive where Windows is installed, create a dummy file named SIRC32.EXE with the read-only attribute set.
#4  07-25-2001, 20:11
Marqman (Multi Car Owner) | Join Date: Feb 2001 | Location: SW Ohio | Posts: 930
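The warning in the first post and the report above both describe the same three observable traits of a Sircam message: a fixed three-line body, an attachment named after a stolen document with an executable second extension, and a Subject equal to that document's name. As an added example (not code from the thread, from F-Secure or from the advisory), the Python filter below checks those traits on two constructed messages; the addresses, subject, body and dummy attachment bytes are made up for the test.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

OPENERS = {"Hi! How are you?", "Hola como estas ?"}
CLOSERS = {"See you later. Thanks", "Nos vemos pronto, gracias."}
MIDDLE_LINES = {
    "I send you this file in order to have your advice",
    "I hope you like the file that I sendo you",
    "I hope you can help me with this file that I send",
    "This is the file with the information you ask for",
    "This is the file with the information that you ask for",
    "Te mando este archivo para que me des tu punto de vista",
    "Espero te guste este archivo que te mando",
    "Espero me puedas ayudar con el archivo que te mando",
    "Este es el archivo con la informacion que me pediste",
}
# A document extension followed by an executable one, e.g. 'budget.doc.pif'.
DOUBLE_EXT = re.compile(r"\.(doc|xls|zip)\.(exe|com|bat|pif|lnk)$", re.IGNORECASE)

def body_matches_template(body: str) -> bool:
    """True if the non-blank body lines are exactly opener / middle line / closer."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return (len(lines) == 3 and lines[0] in OPENERS
            and lines[1] in MIDDLE_LINES and lines[2] in CLOSERS)

def classify(raw: bytes) -> dict:
    """Score one raw message: body template, double-extension attachment, Subject = document name."""
    msg = message_from_bytes(raw, policy=policy.default)
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content() if text is not None else ""
    bad = [n for n in (p.get_filename() or "" for p in msg.iter_attachments()) if DOUBLE_EXT.search(n)]
    subject = (msg["Subject"] or "").strip().lower()
    subject_hit = bool(subject) and any(n.lower().startswith(subject + ".") for n in bad)
    template = body_matches_template(body)
    return {"template": template, "double_ext": bad, "subject_matches": subject_hit,
            "sircam_like": template and bool(bad)}

def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Constructed test message (not a real worm sample); the attachment is dummy bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.test", "bob@example.test", subject
    msg.set_content(body)
    msg.add_attachment(b"not an executable", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

WORM_LIKE = build_sample("budget", "Hi! How are you?\n\nI send you this file in order "
                         "to have your advice\n\nSee you later. Thanks\n", "budget.doc.pif")
CLEAN = build_sample("budget", "Hi! Here is this month's sheet.\n", "budget.xls")
```

A real gateway rule would treat the double extension alone as sufficient to quarantine; the body template and Subject match are there to separate this worm from other mail carrying renamed executables.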
I get the pesky SOB 3 or 4 times a day. It is a pain in the arse!!!
__________________
Tim
70 Camaro SS // 87 Mustang GT Conv - 119k
93 Z71 - 264k // 01 P71 - 87k // 05 Dodge Magnum R/T - 122k
#5  07-25-2001, 20:24
jaytyn (Old Car: BA XR6, New: 97 EL) | Join Date: Feb 2001 | Location: Australia | Age: 32 | Posts: 1,031
thanks for the virus warning. I had not heard of this virus before.

Thanks!
#6  07-25-2001, 20:25
LunaticSVT (***** Idiot....) | Join Date: Feb 2001 | Location: The Sticks of Central TX | Posts: 10,561
Sorry for the lengthy post. It has hit us in the States pretty hard. Mainly those with Windows networks. hahaha

Fools. I have two shops that run Linux at the desktop and as servers, with Novell in the mix too. Neither of the two got hit with this :eek:
#7  07-25-2001, 20:25
HSE2 | Join Date: Feb 2001 | Location: Rocklyn | Posts: 7,750

Thanks for the warning Bob. I hadn't heard of it and neither had my employer. Appreciate it and I suspect the majority of home users wouldn't know about it.

I wish these FU@K heads would grow up and get a life:flame: :flame: :flame: :flame:
#8  07-25-2001, 20:28
HSE2 | Join Date: Feb 2001 | Location: Rocklyn | Posts: 7,750

Quote:
Originally posted by LunaticSS
Sorry for the lengthy post.

What?????????????? I appreciate the help you have provided so many thanks.
#9  07-25-2001, 20:45
FM (The SparkleHunter™) | Join Date: Feb 2001 | Location: Gettin' ready for MiniChucky! | Age: 38 | Posts: 10,144
Quote:
Originally posted by jaytyn
thanks for the virus warning. I had not heard of this virus before.

Thanks!
Ditto here.. thanks lads.. :D
__________________
Chucky's saying of the month- Finish your beer! There are sober kiddies in Ethiopia.."
Another BSR BigCall™
--------------------------------------
FordForums Polo Shirts & Caps are now on sale.. Get both for $50.00 + postage. Click here for details!
#10  07-25-2001, 21:33
GTHO4 (Guest) | Posts: n/a
Hmmm..... better update my Norton Anti-virus.

Quote:
Originally posted by HSE2
I wish these FU@K heads would grow up and get a life:flame: :flame: :flame: :flame:

This is what they deserve