Passing this information on with Andrea's kind permission. All List Admins seem to be putting their Listers on the alert re this one. Beryl O'Gorman Greensborough Victoria Australia List Admin Subject: Virus alert W32/SirCam > > As I have already received this virus _4_ times (once in Spanish), in as > many days, I felt a warning was warranted. You should already be suspicious > if this lands in your "inbox", as the attachment has the file extension PIF. > > W32/SirCam > This mass-mailing virus attempts to send itself and local documents to all > users found in the Windows Address Book and email addresses found in > temporary Internet cached files (web browser cache). > It may be received in an email message containing the following information: > > Subject: [filename (random)] > Body: Hi! How are you? > I send you this file in order to have your advice or > I hope you can help me with this file that I send or > I hope you like the file that I sendo you or > This is the file with the information that you ask for > See you later. Thanks > > > --- the same message may be received in Spanish --- > Hola como estas ? > Te mando este archivo para que me des tu punto de vista or > Espero me puedas ayudar con el archivo que te mando or > Espero te guste este archivo que te mando or > Este es el archivo con la informaciĆ³n que me pediste > Nos vemos pronto, gracias. > --- end message --- > > Attached will be a document with a double extension (the filename varies). > The first extension will be the file type which was prepended by the virus. > When run, the document will be saved to the C:\RECYCLED folder and then > opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder to > conceal its presence and creates the following registry key value to load > itself whenever .EXE files are executed: > HKCR\exefile\shell\open\command \Default="C:\recycled\SirC32.exe" "%1" %* > As the RECYCLE BIN is often on the exclusion list, check your settings to > insure that this directory IS being scanned. > It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and > creates the following registry key value to load itself automatically: > HKLM\Software\Microsoft\Windows\CurrentVersion\ > RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe > > A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP > files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd > character of the name appears to be random) in the SYSTEM directory. Email > addresses are gathered from the Windows Address Book and temporary Internet > cached pages and saved to the file SCD1.DLL (the 2nd and 3rd character of > the name appears to be random) in the SYSTEM directory. > The worm prepends a copy of the files that are named in the SCD.DLL file and > attaches this copy to the email messages that it sends via a built in for > communicating directly with a SMTP server, using one of the following > extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment names > having double-extensions. The program creates a registry key to store > variables for itself (such as a run count, and SMTP information): > HKLM\Software\Sircam The virus may also infect other systems by using open > network shares. On remote systems the file \windows\rundll32.exe might get > replaced with a viral copy. On those systems, it might also append the > autoexec.bat with the line: @win \recycled\sirc32.exe. > > Aside from e-mail overloading, it might delete files on 16 October and/or > fill up harddisk space by adding text entries over & over again to a > sircam recycle bin file. >