W32.Sircam.Worm - SirC32.exe

tasklist.org		A comprehensive list of processes running in your computer
		tasklist \| attachlist

bookmark this website!		total tasks: 16297

AttachList is a list of email attachment files that viruses usually send in email. It contains the attached file names, typical subjects and messages, the name of the viruses that send them, and instruction on how to remove these viruses.

most requested

Browse attachlist by file name:

| a | b | c | d | e | f | g | h | i | j | k | l | m | n | o | p | q | r | s | t | u | v | w | x | y | z |

Name: W32.Sircam.Worm

Sender:

Varies..Usually someone who knows you.

Subject:

Random. Will be the same as the file name of the attachment in the
email.

Message:

Will always contain one of the following two lines (eitherEnglish or
Spanish) as the first and last sentences of the message.
English:
First line: Hi! How are you?
Last line: See you later. Thanks
Spanish:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.
Between these two lines, some of the following text may appear:
English:
I send you this file in order to have your adviceI hope you can help
me with this file that I sendI hope you like the file that I sendo
youThis is the file with the information that you ask for
Spanish:
Te mando este archivo para que me des tu punto de vistaEspero me
puedas ayudar con el archivo que te mandoEspero te guste este archivo
que te mandoEste es el archivo con la informaci=n que me pediste

Attachment:

Financials.doc.com
SirC32.exe

Comments: A worm that emails itself to everyone in yourOutlook or Outlook Express address book. can causeextensive damage to your hard drive.

Symptoms:


 Creates copies of itself as %TEMP%(File name) and C:Recycled(file
name), which contain the attached document. 
 1 in 20 chance of deleting all files and directories on C:. 1 in 50
chance of filling all remaining space on the C: drive by adding text
to the file c:recycledsircam.sys 
 adds the value 
 Driver32=%System%scam32.exe 
 to the following registry key: 
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices 
 It creates the following registry key: 
 HKEY_LOCAL_MACHINESoftwareSirCam 
 with the following values: 
 FB1B - Stores the file name of the worm as stored in the Recycled
directory. 
 FB1BA - Stores the SMTP IP address. 
 FB1BB - Stores the email address of the sender. 
 FC0 - Stores the number of times the worm has executed. 
 FC1 - Stores what appears to be the version number of the worm. 
 FD1 - Stores the file name of worm that has been executed, without
the suffix. 
 FD3 - Stores a value corresponding to the current state of the worm.

 FD7 - Stores the number of mails that have been sent prior to any
interruption of this process.

Recommended Cleanup Software: We found that Easy SpyRemover is the most effective tool for removing this file.

Manual Removal Instructions: Undo the change that it made to the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command
Delete any files detected as W32.Sircam.Worm@mm.
Use Windows Explorer to remove Sircam.sys (if it exists) from the Windows Recycle Bin.
Remove the entry (if it exists) that the worm made to the file Autoexec.bat, . (This will only be present if the worm has spread across a network.)
If the file \Windows\Run32.exe exists, rename it back to \Windows\Rundll32.exe