RootsWeb.com Mailing Lists
    1. [CFTW] Information on SirCam Virus
    2. Ira J Lund
    3. I have received several e-mails with this virus BEFORE I knew it was a virus. But luckily I am always suspect of any unsolicited attachments and never run them - even if from a friend or relative unless I am certain by the wording of the message that it is safe. So a warning, do not click on the attachment, but rather use Windows Explorer to find and delete it.

       The text of one of the messages I received:

       Subject: New Word Pad Document

       Hi! How are you?
       I send you this file in order to have your advice
       See you later. Thanks

       New WordPad Document.doc.com

       > Here is some information on the SirCam Virus. Our virus protection is
       > cleaning these attachments, but please be aware of this and delete any
       > suspicious e-mail. Several Clarksville users have already received this
       > virus, but no damage has been done.
       >
       >
       > Security experts warned Friday of a fast-spreading new worm that could
       > delete files and fill up the hard drives of infected computers.
       >
       > The worm, "W32.Sircam" or "SirCam," arrives attached to an e-mail message
       > with a randomly chosen subject line, according to a report prepared by the
       > AntiVirus Research Center of software maker Symantec.
       >
       > Virus Characteristics:
       > This mass-mailing virus attempts to send itself and local documents to all
       > users found in the Windows Address Book and email addresses found in
       > temporary Internet cached files (web browser cache).
       >
       > It may be received in an email message containing the following
       > information:
       > Subject: [filename (random)]
       > Body: Hi! How are you?
       > I send you this file in order to have your advice
       > or I hope you can help me with this file that I send
       > or I hope you like the file that I sendo you
       > or This is the file with the information that you ask for
       >
       > See you later. Thanks
       >
       > --- the same message may be received in Spanish ---
       >
       > Hola como estas ?
       > Te mando este archivo para que me des tu punto de vista
       > or Espero me puedas ayudar con el archivo que te mando
       > or Espero te guste este archivo que te mando
       > or Este es el archivo con la información que me pediste
       > Nos vemos pronto, gracias.
       >
       > --- end message ---
       > Attached will be a document with a double extension (the filename varies).
       > The first extension will be the file type which was prepended by the
       > virus. When run, the document will be saved to the C:\RECYCLED folder and
       > then opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder
       > to conceal its presence and creates the following registry key value to
       > load itself whenever .EXE files are executed:
       > HKCR\exefile\shell\open\command
       > \Default="C:\recycled\SirC32.exe" "%1" %*
       > As the RECYCLE BIN is often on the exclusion list, check your settings to
       > insure that this directory IS being scanned.
       > It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and
       > creates the following registry key value to load itself automatically:
       > HKLM\Software\Microsoft\Windows\CurrentVersion\
       > RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe
       >
       > A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP
       > files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd
       > character of the name appears to be random) in the SYSTEM directory. Email
       > addresses are gathered from the Windows Address Book and temporary
       > Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd
       > character of the name appears to be random) in the SYSTEM directory.
       >
       > The worm prepends a copy of the files that are named in the SCD.DLL file
       > and attaches this copy to the email messages that it sends via a built in
       > SMTP server, using one of the following extensions: .BAT, .COM, .EXE,
       > .LNK, .PIF. This results in attachment names having double-extensions.
       > The program creates a registry key to store variables for itself (such as
       > a run count, and SMTP information):
       > HKLM\Software\Sircam

       ------------------------------------------------
       Mr. Ira J. Lund
       E-mail: [email protected]
       Web: http://www.cf-software.com
       Cumberland Family Software, 385 Idaho Springs Road, Clarksville TN 37043

    07/24/2001 12:27:32
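
A mail-filter style check for the two traits the quoted advisory describes, the double-extension attachment name and the fixed opening and closing body lines, as an added example that is not part of the original post. The function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Outer extensions the advisory lists for the worm's attachments.
EXEC_EXTS = {"bat", "com", "exe", "lnk", "pif"}
# name.<inner ext>.<outer ext>; inner must start with a letter so "tool-2.10.exe" is ignored.
DOUBLE_EXT = re.compile(r"^.+\.([a-z][a-z0-9]{1,4})\.([a-z0-9]{2,5})$")
# Opening and closing lines of the body text quoted in the advisory (English, Spanish).
BODY_FRAMES = (("hi! how are you?", "see you later. thanks"),
               ("hola como estas ?", "nos vemos pronto, gracias"))

def is_suspicious_name(filename):
    """True for names like 'x.doc.com': a document extension followed by an executable one."""
    m = DOUBLE_EXT.match(filename.strip().lower())
    return bool(m) and m.group(2) in EXEC_EXTS

def scan_message(raw):
    """Return attachment names to quarantine and whether the body matches the quoted text."""
    msg = message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    flagged = [n for n in names if is_suspicious_name(n)]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    body_match = any(a in body and b in body for a, b in BODY_FRAMES)
    return {"quarantine": flagged, "body_match": body_match}

def build_sample(filename, text):
    """Constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["Subject"] = "New Word Pad Document"
    m.set_content(text)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

SIRCAM_TEXT = ("Hi! How are you?\nI send you this file in order to have your advice\n"
               "See you later. Thanks\n")

if __name__ == "__main__":
    print(scan_message(build_sample("New WordPad Document.doc.com", SIRCAM_TEXT)))
    print(scan_message(build_sample("minutes.pdf", "Hi! How are you?\nAgenda attached.\n")))
```

The attachment name is the stronger signal of the two; the body match only raises confidence, since the greeting on its own is ordinary text.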