Dear Listmembers: I don't want to scare anyone or cause you to leave the list, but need to inform you. I will also remind you that there is no way to receive a virus, worm or trojan horse from the Rootsweb servers. There is a *really* nasty worm out there right now. Details below my signature line. I have not received it from any members of this list, but have gotten it at work. I has wreaked havoc with my computer, but it should be fine soon. This is another of those that uses your address book to propogate itself. I find that most that do this only activate if you use outlook, but do not access Netscape's address book. The attachments are from people you know -- don't open any attachments you had not been expecting. For those of you that think you are safe cuz you run virus software -- remember to update frequently. I had a new computer with a new version of Norton that ran hourly. I have deleted Norton from my computer and now rely on "Housecalls for PCs" http://www.antivirus.com/free_tools/. You can run their virus program over the Internet only. They update twice daily, so can you, if you like. You need not sign up or pay any fees. This I have found is a far more extensive check than either Norton or McAffee have done. If you would rather, you can also purchase their program, PC-Cillin. Happy Trails, Lauren List Admin ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ description of message received with the worm: http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A&VSect=T directions for removal can be found here: http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A If you **know** your computer has been infected and know what you are doing, follow the directions. If you are less familiar -- get someone with computer experience to do it for you. Aliases: SCAM.A, TROJ_SCAM.A, [email protected] Description: This worm is a high-level program created in Delphi that propagates via email using SMTP commands. It sends copies of itself to all addresses listed in an infected user's address book and in temporary Internet cached files. It arrives with a random subject line, and an attachment by the same name. This worm also propagates via shared network drives. Solution: Deleting the Trojan file before performing the steps below will make the system inoperable. If the Trojan has been deleted please rename REGEDIT.EXE to REGEDIT.COM before following the manual removal instructions. If you want to use the fix tool, there is no need to rename the file. To manually remove Trojan 1.Disconnect from the network 2.Run REGEDIT.EXE Go to HKEY_CLASSES_ROOT\exefile\shell\open\command On the right panel, double click on the (Default) value and remove C:\Recycled\SirC32.exe leaving only “%1” %* (double quote, percent one, double quote, space, percent asterisk). 3.Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\RunServices 4.On right panel delete the value Driver32 5.Go to HKEY_LOCAL_MACHINE\Software\Sircam and Delete the key Sircam 6.Go to MSDOS Prompt and go to Windows\System folder. (C:\Windows\System or C:\Winnt\System32) 7.Type ATTRIB –S –H –R SCAM32.EXE to unhide Trojan file. 8.Type DEL SCAM32.EXE to delete Trojan file. 9.Go to the Recycled folder (C:\Recycled) and do steps 7 and 8 to delete the Trojan file hidden in the recycle bin because emptying this folder may not effectively do so. 10.Go to the Windows folder and Search for RUN32.EXE. 11.If present delete RUNDLL32.EXE and rename RUN32.EXE to RUNDLL32.EXE 12.Edit AUTOEXEC.BAT 13.Delete @win \recycled\Sirc32.exe 14.Restart Computer To remove Trojan using fix tool: 1.Download fix_sircam.com and run the file. It will scan drive C: and subfolders. 2.If a Trojan is detected, it will prompt you to delete the file or not. 3.The tool will also restore the registry entries modified by the Trojan. 4.Edit AUTOEXEC.BAT 5.Delete @win \recycled\Sirc32.exe 6.Restart Computer If you need further assistance with this solution, please send an email to [email protected]