
W32.Sircam.Worm@mm

Risk Level 2: Low

Discovered:
July 17, 2001
Updated:
February 13, 2007 11:36:55 AM
Also Known As:
W32/SirCam@mm [McAfee], Backdoor.SirCam, I-Worm.Sircam.a [AVP], WORM_SIRCAM.A [Trend], W32/Sircam-A [Sophos], W32/Sircam [Panda], Win32.Sircam.137216 [CA], W32/Sircam.worm@mm [F-Secure], Win32.HLLW.SirCam [DrWeb]
Type:
Worm
Systems Affected:
Windows 95, Windows 98, Windows Me

This worm arrives as an attachment to an email message with the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the email attachment.
Attachment: The attachment is a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.

English Version:
First line: Hi! How are you?
Last line: See you later. Thanks

Between these two sentences, some of the following text may appear:

Spanish Version:
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste

English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for
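The message format above is regular enough to be matched at a mail gateway. The following is an added example (not code from Symantec or from this writeup) that scores one message against the traits the writeup lists: an attachment whose stolen document extension is followed by .bat, .com, .lnk or .pif, a subject that repeats the attachment name, and the fixed opening and closing lines in either language. Treating the subject as matching when it equals the file name with the appended extension removed is an assumption made here; the writeup only says the two are the same. The sample message in the usage code is constructed.

```python
from pathlib import PureWindowsPath

# Fixed first and last lines of the worm's message body (Spanish and English).
OPENERS = {"hola como estas ?", "hi! how are you?"}
CLOSERS = {"nos vemos pronto, gracias.", "see you later. thanks"}
# Extension the worm appends, and the document types it harvests for attachments.
WORM_EXTS = {".bat", ".com", ".lnk", ".pif"}
DOC_EXTS = {".doc", ".xls", ".zip"}


def sircam_indicators(subject, attachment_name, body):
    """Return the Sircam-style traits found in one message, as a list of strings.

    Matching is case-insensitive; blank lines in the body are ignored so that
    the greeting and sign-off are compared as the first and last real lines.
    """
    hits = []
    name = PureWindowsPath(attachment_name).name.lower()
    parts = name.rsplit(".", 2)  # "report.doc.pif" -> ["report", "doc", "pif"]

    # Attachment: document extension followed by an executable one.
    if len(parts) == 3 and "." + parts[2] in WORM_EXTS and "." + parts[1] in DOC_EXTS:
        hits.append("double extension: document type followed by executable type")
    elif len(parts) >= 2 and "." + parts[-1] in WORM_EXTS:
        hits.append("executable attachment extension")

    # Subject: equal to the attachment name. The stem forms (appended extension
    # removed, and original document extension removed) are an assumption here.
    candidates = {name}
    if len(parts) >= 2 and "." + parts[-1] in WORM_EXTS:
        stem = name[: -len(parts[-1]) - 1]
        candidates.add(stem)
        candidates.add(stem.rsplit(".", 1)[0])
    if subject.strip().lower() in candidates:
        hits.append("subject repeats attachment file name")

    # Body: fixed greeting as the first line and fixed sign-off as the last.
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines:
        if lines[0].lower() in OPENERS:
            hits.append("Sircam opening line")
        if lines[-1].lower() in CLOSERS:
            hits.append("Sircam closing line")
    return hits


def is_sircam_like(subject, attachment_name, body):
    """True when both fixed body lines are present and the attachment carries
    one of the worm's appended extensions; weaker partial matches return False."""
    hits = sircam_indicators(subject, attachment_name, body)
    body_match = "Sircam opening line" in hits and "Sircam closing line" in hits
    attach_match = any(h.startswith(("double extension", "executable attachment")) for h in hits)
    return body_match and attach_match


if __name__ == "__main__":
    # Constructed sample message in the format the writeup describes.
    sample_body = (
        "Hi! How are you?\n\n"
        "I send you this file in order to have your advice\n\n"
        "See you later. Thanks\n"
    )
    for hit in sircam_indicators("report", "report.doc.pif", sample_body):
        print("indicator:", hit)
    print("sircam-like:", is_sircam_like("report", "report.doc.pif", sample_body))
```

A gateway rule built from this should quarantine rather than reject outright: the double extension alone also catches other mass mailers of the period, and the body lines alone could appear in a legitimate Spanish or English message.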

When run, the worm performs the following actions:
  1. It creates copies of itself as %TEMP%\<File name> and C:\Recycled\<file name>, which contain the attached document. This document is then run using the program registered to handle the specific file type. For example, if it is saved as a file with the .doc extension, it will run using Microsoft Word or Wordpad. A file with the .xls extension will open in Excel, and one with the .zip extension will open in your default zip program, such as WinZip.

    NOTE: The term %TEMP% is the Temp variable, and means that the worm will save itself to the Windows Temp folder, whatever its location. The default is C:\Windows\Temp.
  2. It copies itself to C:\Recycled\Sirc32.exe and %System%\Scam32.exe.

    NOTE: %System% is also a variable. The worm will locate the \System folder (by default this is C:\Windows\System) and copy itself to that location.
  3. It adds the value

    Driver32=%System%\scam32.exe

    to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\
    Microsoft\Windows\CurrentVersion\RunServices

  4. It creates the following registry key:

    HKEY_LOCAL_MACHINE\Software\SirCam

    with the following values:
    • FB1B - Stores the file name of the worm as stored in the Recycled directory.
    • FB1BA - Stores the SMTP IP address.
    • FB1BB - Stores the email address of the sender.
    • FC0 - Stores the number of times the worm has executed.
    • FC1 - Stores what appears to be the version number of the worm.
    • FD1 - Stores the file name of worm that has been executed, without the suffix.
    • FD3 - Stores a value corresponding to the current state of the worm.
    • FD7 - Stores the number of mails that have been sent prior to any interruption of this process.
  5. The (Default) value of the registry key

    HKEY_CLASSES_ROOT\exefile\shell\open\command

    is set to

    C:\recycled\sirc32.exe "%1" %*"

    This enables the worm to execute itself any time that an .exe file is run.
  6. The worm is network aware, and it will enumerate the network resources to infect shared systems. If any are found, it will do the following:
    • Attempt to copy itself to <Computer>\Recycled\Sirc32.exe
    • Add the line "@win \recycled\sirc32.exe" to the file <Computer>\Autoexec.bat
    • Copy <Computer>\Windows\Rundll32.exe to <Computer>\Windows\Run32.exe
    • Replace <Computer>\Windows\rundll32.exe with C:\Recycled\Sirc32.exe
  7. There is a 1 in 33 chance that the following actions will occur:
    • The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe
    • The worm copies itself as "Microsoft Internet Office.exe" to the folder referred to by the registry key:

      HKEY_CURRENT_USER\Software\Microsoft\
      Windows\CurrentVersion\Explorer\
      Shell Folders\Startup
  8. There is a 1 in 20 chance that on October 16th of any year, the worm will recursively delete all files and folders on the C drive.
    This payload functions only on computers which use the date format D/M/Y (as opposed to M/D/Y or similar formats).

    Additionally, the payload will always activate immediately, regardless of date and date format, if the file attached to the worm contains the sequence "FA2" without the letters "sc" following immediately.

    NOTE: Due to a bug in the initialization of a random number generator, it is highly unlikely that the file-deleting and space-filling payloads of this threat will ever be activated.
  9. If this payload activates, the file C:\Recycled\Sircam.sys is created and filled with text until there is no remaining disk space. The text is one of two strings:
    • [SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
      or
    • [SirCam Version 1.0 Copyright ¬ 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]
  10. The worm contains its own SMTP engine which is used for the email routine. It obtains email addresses through two different methods:
    • It searches the folders that are referred to by the registry keys

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache

      and

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

      for sho*., get*., hot*., *.htm files, and copies email addresses from there into the file %system%\sc?1.dll

      where ? is a different letter for each location, as follows:
      • scy1.dll: addresses from %cache%\sho*., hot*., get*.
      • sch1.dll: addresses from %personal%\sho*., hot*., get*.
      • sci1.dll: addresses from %cache%\*.htm
      • sct1.dll: addresses from %personal%\*.htm
    • It searches %system% and all subfolders for *.wab (all Windows Address Books) and copies addresses from there into %system%\scw1.dll.
  11. It searches the folders referred to by the registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

    and

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

    for files of type .doc, .xls, and .zip, and stores the filenames in %system%\scd.dll. One of these files will be appended to the worm's original executable and this new file will be sent as the email attachment.

    The From: email address and mail server are taken from the registry. If no email account exists, then the current user name will be prepended to "prodigy.net.mx", e.g., if the current user logged on as JSmith, then the address will be "jsmith@prodigy.net.mx". Then the worm will attempt to connect to a mail server. This will be either the mail server taken from the registry, or one of
      • prodigy.net.mx
      • goeke.net
      • enlace.net
      • dobleclick.com.mx

    The language used for the mail depends on the language used by the sender. If the sender uses Spanish, then the mail will be in Spanish, otherwise it will be in English. The attachment is chosen randomly from the list of files in the scd.dll.
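The file, registry and network-share changes in steps 1 to 11 give a responder a fixed checklist for a host. The following is an added example (not Symantec's tool or any part of this writeup) that runs that checklist against a snapshot of a machine: a dict of registry keys and values, a set of file paths that exist, and the lines of Autoexec.bat. Taking input as a snapshot instead of reading the live registry keeps it runnable off the machine; the snapshot in the usage code is constructed. The clean default for the exefile open command, `"%1" %*`, is stated from general Windows knowledge, not from the writeup, and the remediation hint reflects the ordering the hijack in step 5 forces: fix that value before removing Sirc32.exe, or .exe files stop launching.

```python
import ntpath

# Locations named in the writeup (registry key names are case-insensitive).
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
EXEFILE_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
SHELL_FOLDERS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
# Files in %System% that hold harvested addresses and document names.
HARVEST_FILES = ("scy1.dll", "sch1.dll", "sci1.dll", "sct1.dll", "scw1.dll", "scd.dll")
AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"
CLEAN_EXEFILE_CMD = '"%1" %*'  # standard default; assumption, not from the writeup


def _lookup(registry, key, value_name=""):
    """Case-insensitive lookup of one value in a {key: {name: data}} snapshot."""
    for k, values in registry.items():
        if k.lower() == key.lower():
            for name, data in values.items():
                if name.lower() == value_name.lower():
                    return data
            return None
    return None


def _has_key(registry, key):
    return any(k.lower() == key.lower() for k in registry)


def check_host(registry, existing_files, autoexec_lines,
               windows_dir=r"C:\Windows", system_dir=r"C:\Windows\System"):
    """Return a list of findings describing which Sircam artifacts the snapshot shows."""
    files = {p.lower() for p in existing_files}
    findings = []

    # Step 3: RunServices persistence.
    driver32 = _lookup(registry, RUNSERVICES_KEY, "Driver32")
    if driver32 and driver32.lower().endswith("scam32.exe"):
        findings.append(f"RunServices Driver32 points at worm copy: {driver32}")

    # Step 4: the worm's own state key.
    if _has_key(registry, SIRCAM_KEY):
        runs = _lookup(registry, SIRCAM_KEY, "FC0")
        findings.append(f"HKLM\\Software\\SirCam state key present (FC0 run count: {runs})")

    # Step 5: .exe handler hijack; must be repaired before the worm file is deleted.
    exe_cmd = _lookup(registry, EXEFILE_CMD_KEY, "")
    if exe_cmd and "sirc32.exe" in exe_cmd.lower():
        findings.append(f"exefile open command hijacked: {exe_cmd} "
                        f"(restore (Default) to {CLEAN_EXEFILE_CMD} first)")

    # Steps 2, 7, 9: dropped copies and the disk-filling payload file.
    worm_paths = [r"C:\Recycled\Sirc32.exe",
                  ntpath.join(system_dir, "Scam32.exe"),
                  ntpath.join(windows_dir, "Scmx32.exe"),
                  r"C:\Recycled\Sircam.sys"]
    startup = _lookup(registry, SHELL_FOLDERS_KEY, "Startup")
    if startup:
        worm_paths.append(ntpath.join(startup, "Microsoft Internet Office.exe"))
    for path in worm_paths:
        if path.lower() in files:
            findings.append(f"worm file present: {path}")

    # Steps 10 and 11: harvested address and document lists.
    for name in HARVEST_FILES:
        path = ntpath.join(system_dir, name)
        if path.lower() in files:
            findings.append(f"harvest file present: {path}")

    # Step 6: the line the worm adds to Autoexec.bat on a shared system.
    if any(line.strip().lower() == AUTOEXEC_LINE for line in autoexec_lines):
        findings.append("Autoexec.bat launches \\recycled\\sirc32.exe at boot")
    return findings


if __name__ == "__main__":
    # Constructed snapshot of an infected Windows 98 host.
    snapshot_registry = {
        RUNSERVICES_KEY: {"Driver32": r"C:\WINDOWS\SYSTEM\scam32.exe"},
        SIRCAM_KEY: {"FB1B": "report.doc.pif", "FC0": 3},
        EXEFILE_CMD_KEY: {"": r'C:\recycled\sirc32.exe "%1" %*"'},
    }
    snapshot_files = {r"C:\Recycled\Sirc32.exe", r"C:\WINDOWS\SYSTEM\scam32.exe",
                      r"C:\WINDOWS\SYSTEM\scw1.dll"}
    for finding in check_host(snapshot_registry, snapshot_files,
                              ["@ECHO OFF", r"@win \recycled\sirc32.exe"]):
        print("finding:", finding)
```

The harvest files are worth collecting before cleanup: scd.dll lists which local documents the worm may already have mailed out, which is the data-exposure question the owner of the machine will ask.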

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Peter Ferrie