McAfee.com has just today placed the W32/SirCam@MM virus on high risk. Please read the info below > Name: W32/SirCam@MM > > Characteristics: > This mass-mailing virus attempts to send itself and local documents to all > users found in the Windows Address Book and email addresses found in > temporary Internet cached files (web browser cache). > It may be received in an email message containing the following > information: > Subject: [filename (random)] Body: Hi! How are you? > I send you this file in order to have your advice <I>or</I> I hope you can > help me with this file that I send <I>or</I> I hope you like the file that > I sendo you <I>or</I> This is the file with the information that you ask > for > See you later. Thanks > --- the same message may be received in Spanish --- > Hola como estas ? > Te mando este archivo para que me des tu punto de vista <I>or</I> Espero > me puedas ayudar con el archivo que te mando<I>or</I> Espero te guste este > archivo que te mando<I>or</I> Este es el archivo con la información que me > pediste > > > Nos vemos pronto, gracias. > --- end message --- > Attached will be a document with a double extension (the filename varies). > The first extension will be the file type which was prepended by the > virus. When run, the document will be saved to the C:\RECYCLED folder and > then opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder > to conceal its presence and creates the following registry key value to > load itself whenever .EXE files are executed: > HKCR\exefile\shell\open\command \Default="C:\recycled\SirC32.exe" "%1" %* > <I>As the RECYCLE BIN is often on the exclusion list, check your settings > to insure that this directory IS being scanned.</I> > It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and > creates the following registry key value to load itself automatically: > HKLM\Software\Microsoft\Windows\CurrentVersion\ > RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe > A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP > files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd > character of the name appears to be random) in the SYSTEM directory. Email > addresses are gathered from the Windows Address Book and temporary > Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd > character of the name appears to be random) in the SYSTEM directory. > The worm prepends a copy of the files that are named in the SCD.DLL file > and attaches this copy to the email messages that it sends via a built in > SMTP server, using one of the following extensions: .BAT, .COM, .EXE, > .LNK, .PIF. This results in attachment names having double-extensions. The > program creates a registry key to store variables for itself (such as a > run count, and SMTP information): > HKLM\Software\Sircam > > To check your system for this Virus, and to learn how to protect yourself > from computer viruses, visit the McAfee.com Clinic at > http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2103. > > For complete information on this Virus, view McAfee.com's Virus > Information Library listing at > http://vil.mcafee.com/dispVirus.asp?virus_k=99141. > > This email was sent to you by Joyce Reece > >