
W32.Sircam.Worm@mm Removal Tool

Discovered:
July 20, 2001
Updated:
August 24, 2005 12:00:00 AM
Type:
Removal Information
The W32.Sircam.Worm@mm Fix tool deletes the files infected with the W32.Sircam.Worm@mm worm and removes the changes that were made to a computer by this virus.

To obtain and run the tool:
Go to http://www.sarc.com/avcenter/FixSirc.com
Download the Fixsirc.com file to a convenient location, such as your download folder or the Windows desktop. If you are on a network, the removal tool should be applied on all computers, including the server.
To check the authenticity of the digital signature, refer to the section The digital signature.
Close all programs before running the tool, including any antivirus scanners such as NAV Auto-Protect.

CAUTION: Do not skip this step (but also see the note that follows this caution). You must disable Auto-Protect before you run the tool. For instructions, see the document How to enable and disable Norton AntiVirus Auto-Protect.

NOTE: There is one exception to the requirement that you must disable Auto-Protect: If NAV has detected and quarantined the virus and NAV is no longer running due to the registry change that was made by the worm, you will not be able to disable Auto-Protect as it will not be running. However, you must make sure that NAV Auto-Protect is disabled by attempting to disable it as previously described.

If you are on a network, or have a full-time connection to the Internet, disconnect the computer from the network and the Internet. Disable or password protect file sharing before reconnecting computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.

CAUTION: Do not skip this step. You must disconnect from the network before running the tool.

If you are running Windows Me or XP, then disable System Restore. Please refer to the section System Restore option in Windows Me/XP for additional details.

NOTE: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.

Double-click the Fixsirc.com file to start the removal tool.

NOTE: If you downloaded the tool to a floppy disk, and want to run it from the floppy, see the section How to run the tool from a floppy disk at the end of this document for special instructions.

NOTE: If you are using Windows Me, and the System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled (not recommended) or exit the removal tool.

Click Start to begin the process, and then allow the tool to run.
If you are using Windows Me/XP, then reenable System Restore.
Reenable Auto-Protect.

NOTE:
If you see a message that the tool must be re-run in Safe mode, restart the computer in Safe mode and run the tool again. Please follow this instruction to ensure that the virus does not reinfect the computer. To restart in Safe mode, see the document How to restart Windows 9x or Windows Me in Safe Mode.
The removal procedure might be unsuccessful if System Restore is enabled under Windows Me, because Windows prevents System Restore from being modified by outside programs. Because of this, any worm removal attempts made by the removal tool might fail.
When the procedure is finished, the removal tool may detect that you are using Windows Me and that System Restore is still disabled. In this case, you will see a reminder message to reenable this option.
If you need to run the tool in login scripts or batch files with no messages displayed, then use the following command line syntax for the "Silent" mode:
Fixsirc.com /s

When the tool has finished running, you will see a message indicating whether the computer was infected by the W32.Sircam.Worm@mm worm. If the worm was removed, the program displays the following results:
The total number of the scanned files.
The number of deleted files.
The number of registry keys that were fixed.

What the tool does
The W32.Sircam.Worm@mm removal tool does the following:
It scans and deletes files infected with the W32.Sircam.Worm@mm worm.

The tool removes the following registry key:

HKEY_LOCAL_MACHINE\Software\SirCam

In the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

it deletes the following value:

Driver32

In the registry key

HKEY_CLASSES_ROOT\exefile\shell\open\command

the tool modifies the [Default] value by setting it to:

"%1" %*

The tool removes the line "@win \recycled\sirc32.exe" from the C:\Autoexec.bat file.
The tool restores the Rundll32.exe file, which was renamed by the worm.
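The changes listed above are also the places to check after the tool has run. The following audit script is an added example, not part of the Symantec tool or this document: it parses a REGEDIT4 export (as produced by regedit /e on Windows 9x/Me) and an Autoexec.bat and reports which of the listed indicators are still present. The registry export and Autoexec.bat contents are constructed samples, and the value data shown for Driver32 and the exefile command are placeholders, not real worm artifacts.

```python
import re

# Constructed sample of a "regedit /e" export; value data are PLACEHOLDERS,
# not real SirCam artifacts. It shows the three registry changes the tool reverts.
INFECTED_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\SirCam]
"Sample"="constructed"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\PLACEHOLDER\\worm.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\PLACEHOLDER\\worm.exe \"%1\" %*"
'''
# Constructed Autoexec.bat containing the line the tool removes.
INFECTED_AUTOEXEC = "@ECHO OFF\n@win \\recycled\\sirc32.exe\nSET PATH=C:\\WINDOWS\n"

SIRCAM_KEY = r"hkey_local_machine\software\sircam"
RUNSERVICES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
EXPECTED_EXEFILE_CMD = '"%1" %*'
AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"

def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key: {value_name: data}}. Key and value
    names are lower-cased because the registry compares them case-insensitively."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"').lower()
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \" and \\ escapes
            keys[current][name] = data
    return keys

def audit_sircam_changes(reg_text, autoexec_text):
    """Return the indicators from the tool description that are still present."""
    keys, findings = parse_reg_export(reg_text), []
    if SIRCAM_KEY in keys:
        findings.append("HKLM\\Software\\SirCam key present")
    if "driver32" in keys.get(RUNSERVICES_KEY, {}):
        findings.append("RunServices value Driver32 -> " + keys[RUNSERVICES_KEY]["driver32"])
    cmd = keys.get(EXEFILE_KEY, {}).get("(default)")
    if cmd != EXPECTED_EXEFILE_CMD:
        findings.append(f"exefile open command is {cmd!r}, expected {EXPECTED_EXEFILE_CMD!r}")
    if any(l.strip().lower() == AUTOEXEC_LINE for l in autoexec_text.splitlines()):
        findings.append("Autoexec.bat still launches \\recycled\\sirc32.exe")
    return findings
```

An empty list from audit_sircam_changes means none of the listed changes remain; a non-empty list is the reason to re-run the tool (in Safe mode if prompted).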

The digital signature
FixSirc.com is digitally signed. Symantec recommends that you only use copies of FixSirc.com that have been downloaded directly from the SARC download site. To check the authenticity of the digital signature, follow these steps:
Go to http://www.wmsoftware.com/free.htm
Download and save the chktrust.exe file to the same folder where you saved FixSirc.com, for example, C:\Downloads.
Click Start, point to Programs, and click MS-DOS Prompt.
Change to the folder where FixSirc.com and Chktrust.exe are stored, and then type:

chktrust -i FixSirc.com

For example, if you saved the file to the C:\Downloads folder:

cd\
cd downloads
chktrust -i FixSirc.com

Press Enter after typing each command.

If the digital signature is valid, you will see the following:

Do you want to install and run "FixSirc.com" signed on 7/31/2001 9:36 AM and distributed by Symantec Corporation.

NOTES:
The date and time that are displayed in this dialog will be adjusted to your time zone if your computer is not set to the Pacific time zone.
If you are using Daylight Saving time, the time that is displayed will be exactly one hour earlier.
If this dialog does not appear, do not use your copy of fixsirc.com. It is not from Symantec.

Click Yes to close the dialog box.
Type exit and then press Enter. This will close the MS-DOS session.

System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore an infected file, or that on-line scanners would detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
How to disable or enable Windows Me System Restore.
How to disable or enable Windows XP System Restore.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.

How to run the tool from a floppy disk
Insert the floppy disk that contains the Fixsirc.com file in the floppy disk drive.
Click Start and then click Run.
Type the following and then click OK:

a:\fixsirc.com

NOTES:
There are no spaces in the command a:\fixsirc.com
If you are using Windows Me, and the System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled or exit the removal tool.

Click Start to begin the process, and then allow the tool to run.
If you are using Windows Me, then reenable System Restore.
