
W32.Sircam.Worm@mm - Removal

Risk Level 2: Low

Discovered:
July 17, 2001
Updated:
February 13, 2007 11:36:55 AM
Also Known As:
W32/SirCam@mm [McAfee], Backdoor.SirCam, I-Worm.Sircam.a [AVP], WORM_SIRCAM.A [Trend], W32/Sircam-A [Sophos], W32/Sircam [Panda], Win32.Sircam.137216 [CA], W32/Sircam.worm@mm [F-Secure], Win32.HLLW.SirCam [DrWeb]
Type:
Worm
Systems Affected:
Windows 95, Windows 98, Windows Me

Symantec Security Response has created a tool to remove this worm.

CAUTION:
  • In some cases, if you have had NAV quarantine or delete infected files, you will not be able to run .exe files; however, you will still be able to run the removal tool.
  • If you are using Windows Me, and a copy of the worm is detected in the _Restore folder when running the tool, the tool cannot remove it from that folder, as it is protected by Windows. See the document Cannot repair, quarantine, or delete a virus found in the _RESTORE folder, and then run the tool again.
  • If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Disable or password protect file sharing before reconnecting computers to the network or to the internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.

    IMPORTANT: Do not skip this step. You must disconnect from the network before attempting to remove this worm.
  • If a computer was infected more than once, as can happen when using shared folders across a network, the Run32.exe file will have been overwritten with an infected copy of Rundll32.exe. If you see more than one entry of "@win \recycled\sirc32.exe" when performing the steps in the section "To edit the Autoexec.bat file", do not attempt to rename the file. Instead, you must delete the Run32.exe and Rundll32.exe files and then extract a new copy of Rundll32.exe from a clean backup or from the Windows installation CD. See your Windows documentation for information on how to do this.


To obtain the W32.Sircam.Worm@mm removal tool, please click here.


Manual Removal
If for any reason you cannot use or obtain the W32.Sircam.Worm@mm removal tool, you must remove this worm manually. To do this, you must:
  • Undo the change that it made to the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command
  • Delete any files detected as W32.Sircam.Worm@mm.
  • Use Windows Explorer to remove Sircam.sys (if it exists) from the Windows Recycle Bin.
  • Remove the entry (if it exists) that the worm made to the file Autoexec.bat. (This will only be present if the worm has spread across a network.)
  • If the file \Windows\Run32.exe exists, rename it back to \Windows\Rundll32.exe
See the sections that follow for detailed instructions.

NOTE: If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Follow the removal procedure on all computers, including the server. Disable or password protect file sharing before reconnecting computers to the network or to the internet.

CAUTION: Do not skip this step. You must disconnect from the network before attempting to remove this worm.


To edit the registry:
The worm modifies the registry such that an infected file is executed every time that you run a .exe file. Follow these instructions to fix this.

Copy Regedit.exe to Regedit.com:
Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension, and then run that file.
  1. Do one of the following, depending on which operating system you are running:
    • Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt. This opens a DOS window at the C:\Windows prompt. Go on to step 2 of this section.
    • Windows Me users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt. This opens a DOS window at the C:\Windows prompt. Go on to step 2 of this section.
    • Windows NT/2000 users:
      1. Click Start, and click Run.
      2. Type the following and then press Enter:

        command

        A DOS window opens.
      3. Type the following and then press Enter:

        cd \winnt
      4. Go on to step 2 of this section.
    • Windows XP:
      1. Click Start, and click Run.
      2. Type the following and then press Enter:

        command

        A DOS window opens.
      3. Type the following and then press Enter after typing each one:

        cd\
        cd \windows
      4. Proceed to step 2 of this section.
  2. Type the following and then press Enter:

    copy regedit.exe regedit.com
  3. Type the following and then press Enter:

    start regedit.com

    The Registry Editor will open in front of the DOS window. After you finish editing the registry, exit the Registry Editor, and then exit the DOS window, as well.
  4. Proceed to the next section, "To edit the registry and remove keys and changes made by the worm," only after you have accomplished the previous steps.

NOTE: This will open the Registry Editor in front of the DOS window. After you finish editing the registry and have closed Registry Editor, close the DOS window.

To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.
  1. Navigate to and select the following key:

    HKEY_CLASSES_ROOT\exefile\shell\open\command

    CAUTION: The HKEY_CLASSES_ROOT key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey.
    Do not modify the HKEY_CLASSES_ROOT\.exe key.
    Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey that is shown in the following figure:

    [Figure: Registry Editor with the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey selected. This is the key that you need to modify.]

  2. Double-click the (Default) value in the right pane.
  3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

    NOTE: On Win9x and WinNT systems, the Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*" On Win2k systems, the additional quotation marks will not appear. On Win2k systems, the (Default) value should look exactly like this: "%1" %*
  4. Make sure you completely delete all value data in the command key prior to typing the correct data. If a space is left accidentally at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." or "Cannot locate C:\ <path and file name>."
  5. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\SirCam

    CAUTION: Make sure that you go all the way down to the SirCam key, and that it is selected. It will look similar to the following figure:


  6. With the SirCam key selected, press Delete and then click Yes to confirm. This will delete the key and all of its subkeys. Since this key was created by the worm, it can be safely deleted.
  7. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

  8. In the right pane, look for and select the value

    Driver32.
  9. Press Delete, and then click Yes to confirm.

To remove the worm:
  1. Run LiveUpdate to make sure that you have the most recent virus definitions.
  2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
  3. Delete any files detected as W32.Sircam.Worm@mm.

    CAUTION:
    Windows Me users. If you are using Windows Me, and a copy of the worm is detected in the _Restore folder, NAV cannot remove it from that folder, as it is protected by Windows. See the document Cannot repair, quarantine, or delete a virus found in the _RESTORE folder.

To empty the Recycle Bin:
Because of the way that files are placed there in this case, you cannot just click Empty Recycle Bin as you would with files that are deleted in the normal manner. Instead, use Windows Explorer to delete the file C:\Recycled\Sircam.sys if it is present.

To edit the Autoexec.bat file:
  1. Click Start, and click Run.
  2. Type the following, and then click OK.

    edit c:\autoexec.bat

    The MS-DOS Editor opens.
  3. Remove the line "@win \recycled\sirc32.exe" if it is present.

    CAUTION: If you see more than one entry of "@win \recycled\sirc32.exe" in the Autoexec.bat file, it means that the computer was infected more than once. Because of this, the Run32.exe file will have been overwritten with an infected copy of Rundll32.exe. As a result, you will not be able to rename the file to recover it as directed in the next section.

  4. Click File and then click Save.
  5. Exit the MS-DOS Editor.

To rename the Run32.exe file:
If this file exists, it should be renamed back to its original name.

CAUTION: If a computer was infected more than once, as can happen when using shared folders across a network, the Run32.exe file will have been overwritten with an infected copy of Rundll32.exe. If you saw more than one entry of "@win \recycled\sirc32.exe" when performing the steps in the previous section, do not attempt to rename the file. Instead, you must delete the Run32.exe and Rundll32.exe files and then extract a new copy of Rundll32.exe from a clean backup or from the Windows installation CD. See your Windows documentation for information on how to do this.
  1. Click Start, point to Find or Search, and then click Files or Folders.
  2. Make sure that "Look in" is set to (C:) and that Include subfolders is checked.
  3. In the "Named" or "Search for..." box, type--or copy and paste--the following file name:

    run32.exe
  4. Click Find Now or Search Now.
  5. Right-click the Run32.exe file and then click Rename.
  6. Rename it to:

    rundll32.exe
  7. Press Enter.
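As an added verification aid that is not part of the Symantec writeup, the following Python script parses a Regedit export (REGEDIT4 or 5.00 format) together with a copy of Autoexec.bat and reports which items from the manual-removal checklist above are still present: the hijacked exefile command value, the HKLM\Software\SirCam key, the RunServices Driver32 value, and the number of "@win \recycled\sirc32.exe" lines (more than one means the Run32.exe rename step must not be used). The sample inputs, including the WORMCOPY.EXE path, are constructed placeholders rather than real captures.

```python
CLEAN_EXE_COMMAND = '"%1" %*'                 # value the writeup says to restore
AUTOEXEC_LINE = r'@win \recycled\sirc32.exe'  # line the worm adds to Autoexec.bat
EXEFILE_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
SIRCAM_KEY = r'HKEY_LOCAL_MACHINE\Software\SirCam'
RUNSERVICES_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices'

def parse_reg(text):
    """Parse a REGEDIT4 / 5.00 export into {key: {value_name: data}} (string data only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            name = '(Default)' if name == '@' else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # undo the export's \" and \\ escapes
                data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            keys[current][name] = data
    return keys

def sircam_findings(reg_text, autoexec_text):
    """Return the indicators from the manual-removal checklist that are still present."""
    reg = parse_reg(reg_text)
    findings = []
    cmd = reg.get(EXEFILE_KEY, {}).get('(Default)')
    if cmd != CLEAN_EXE_COMMAND:
        findings.append('exefile command hijacked: %r' % (cmd,))
    if SIRCAM_KEY in reg:
        findings.append(r'HKLM\Software\SirCam key present')
    if 'Driver32' in reg.get(RUNSERVICES_KEY, {}):
        findings.append('RunServices Driver32 value -> %s' % reg[RUNSERVICES_KEY]['Driver32'])
    hits = sum(1 for l in autoexec_text.splitlines() if l.strip().lower() == AUTOEXEC_LINE)
    if hits == 1:
        findings.append('Autoexec.bat runs sirc32.exe: remove the line, then rename Run32.exe')
    elif hits > 1:
        findings.append('Autoexec.bat has %d sirc32 entries: reinfected, do not rename Run32.exe' % hits)
    return findings

# Constructed sample inputs, not real captures: an infected export and a twice-infected Autoexec.bat
SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\SirCam]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\WORMCOPY.EXE"
'''
SAMPLE_AUTOEXEC = '@echo off\n@win \\recycled\\sirc32.exe\n@win \\recycled\\sirc32.exe\n'
```

Run `sircam_findings(SAMPLE_REG, SAMPLE_AUTOEXEC)` to list the four outstanding items for the sample host; an empty list means every checklist item has been cleared.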


Writeup By: Peter Ferrie
