What virus sends out this message

    #45258

    jeremiah
    Keymaster

    I got about 30 of these in the last 2 days :rolleyes:
    The message is this

    quote:
    Hi! How are you?

    I send you this file in order to have your advice

    See you later. Thanks

    and apparently it is supposed to have an attachment LUMBER PHONE LIST.doc.lnk (*note the extra .lnk)

    various senders

    Just curious if anyone is aware of the name of this particular virus/worm

    some people are so lame :rolleyes:

    #82903

    SG
    Participant

    Yeah, I heard about this a few days ago; the cable company sent me an e-mail warning me not to open it.

    #82904

    SG
    Participant

    It's called the Hi How Are You virus.

    #82905

    jeremiah
    Keymaster

    It always has the same message but a different subject/attachment each time

    subject : Chad Brandolini

    attachment : Chad Brandolini.doc.bat (*again note the extension)

    :) thanks for the update salamiguy! Did not know if it happened to be a widespread issue yet but I guess so. Do you happen to remember the name they gave it?

    #82906

    jeremiah
    Keymaster

    you posted while I was typing :P

    Thanks again!!!!!

    #82907

    Cloud9
    Participant

    Hey Jeremiah

    Here’s Some Info & How To Delete It:
    Win32.SirCam.137216
    Win32.SirCam.137216 is an e-mail worm which sends itself as well as clean documents from an infected machine. The worm arrives in a message which may be either English or Spanish. The English messages appear like this:

    Hi! How are you?
    I send you this file in order to have your advice
    See you later. Thanks

    The middle is chosen from the following list. However, due to a bug in the worm’s random number checking, the first line is always used:

    I send you this file in order to have your advice
    I hope you can help me with this file that I send
    I hope you like the file that I sendo you
    This is the file with the information that you ask for

    The Spanish message looks like:

    Hola como estas ?
    Te mando este archivo para que me des tu punto de vista
    Nos vemos pronto, gracias.

    The middle line is from the following list, but once again only the first line is ever chosen:

    Te mando este archivo para que me Des tu punto de vista
    Espero me puedas ayudar con el archivo que te mando
    Espero te guste este archivo que te mando
    Este es El archivo con la información que me pediste

    The attachment name is variable, but will have a double extension, for example "SCRIPT.DOC.PIF". The actual extension may be "PIF", "LNK", "BAT", "EXE" or "COM". The subject of the message matches the attachment name, except without the extensions. In the above example the subject would be "SCRIPT".

    When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" as well as "SCam32.exe" in the Windows System directory. It modifies two registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32="<Windows>\SCam32.exe"
    HKEY_CLASSES_ROOT\exefile\shell\open\command=""C:\recycled\SirC32.exe" "%1" %*"

    and creates a third:

    HKEY_LOCAL_MACHINE\Software\SirCam

    The first key causes the worm to run when Windows starts. The second causes the worm to be run whenever any .EXE program is executed. The worm gets a list of .DOC, .XLS and .ZIP files in the "My Documents" folder (this list is also saved in the file scd.dll, created in the System directory). It appends one of these files to the end of itself and saves the result to the Recycled folder, adding the second extension to the filename as listed previously. This file is attached to the emails that the worm sends.

    The worm may make several copies of itself with different DOC, XLS or ZIP files attached, depending upon what it finds in the "My Documents" folder. It continually sends these copies out to addresses it finds in the Windows address book and Internet cache files, and may send multiple copies to the same address.

    The worm also spreads using Windows shared drives. If it finds a share with a "RECYCLED" directory it copies itself into that directory with the name "SirC32.exe". If it finds an "AUTOEXEC.BAT" file on the share it adds the following line to it:

    @win \recycled\SirC32.exe

    Finally, it looks for "\windows\rundll32.EXE" on the share and replaces it with the worm, renaming the original to "run32.exe". When the worm is executed from "rundll32.exe" it automatically executes the backup file "run32.exe".

    The worm contains two payloads. One deletes all files and subdirectories on the hard drive which Windows is installed on (usually C:). The other writes a file called "SirCam.Sys" to the "Recycled" directory. Neither of these payloads are activated under normal circumstances due to the bug in the worm’s random number checking. However, they may be activated if one of the worm’s files is renamed or modified before being run.

    Detection for this worm has been added to the following virus engine/virus signature combination. Install this update or later to ensure protection:

    CA Anti-Virus Product Engine/Signature
    InoculateIT 4.x 26.17
    InoculateIT 6.0 23.44.17
    InoculateIT Personal Edition 5.2/1357
    VET 10.3/1357

    Please Note: The cleaning instructions listed below are relevant to users of InoculateIT 4.x. All other CA AntiVirus products will not only detect this worm, but will clean the infection from the system as well.

    Cleaning -Please read carefully:
    If the infected machine does not have up-to-date virus protection you will need to follow the steps below to remove the registry keys created by the worm and then clean the infected files:

    Click here to download an INF file (named sircam.inf).
    Save the file to your desktop.
    Right-click on the file and choose "Install" to run it. This file will remove the keys that the worm has added to the registry.
    If you cannot launch Windows Explorer to find the file, please use the "My Computer" icon on the desktop to locate it. Alternatively, right-click the "My Computer" icon and select "Explore" to launch Windows Explorer.

    Note: After running this file, you may be prompted to restart your machine in order to complete the installation. If this should occur, please do so immediately.

    Or
    If you need to manually clean the virus from your system, click here for detailed instructions. Please note that these instructions have been developed to assist experienced IT professionals who have considerable knowledge of and experience using the operating systems affected by this virus. We recommend that extreme care be exercised when making any amendments to the registry and strongly suggest that you create a backup of your registry settings before commencing.

    Instructions for manual cleaning of Win32.SirCam.137216 infection.

    1. Delete the registry value "Driver32" in

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices".

    2. Delete the registry key:

    "HKEY_LOCAL_MACHINE\Software\SirCam"

    and its sub keys.

    3. Change the value "(Default)" in

    "HKEY_CLASSES_ROOT\exefile\shell\open\command"

    to its original state (usually "%1" %*).

    4. Delete the files: \Recycled\Sirc32.exe, \Windows\System\SCam32.exe.

    5. Scan with action to cure.

    6. In systems where rundll32.EXE was detected and renamed, search for the file run32.exe and rename this file rundll32.EXE.

    7. Reboot and remove files with .AVB or .AV0 extensions

    After completing this procedure, we recommend that users password protect shares (to avoid reinfection after reconnecting to the network).
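
    As an added example (not from this thread or from the CA advisory quoted above), here is a small Python check that applies the traits described above to a raw e-mail: the fixed English or Spanish body text, an attachment named <base>.<DOC|XLS|ZIP>.<PIF|LNK|BAT|EXE|COM>, and a subject equal to the attachment name minus both extensions. The sample message is constructed to mirror the one quoted at the start of the thread, including its quoted-printable "=3F" and "=2E" escapes.

```python
from email import message_from_string, policy
import re

# The advisory notes the RNG bug always picks the first line of each list,
# so the English and Spanish bodies are effectively fixed text.
SIRCAM_BODIES = {
    "en": ["Hi! How are you?", "I send you this file in order to have your advice",
           "See you later. Thanks"],
    "es": ["Hola como estas ?", "Te mando este archivo para que me des tu punto de vista",
           "Nos vemos pronto, gracias."],
}
# <base>.<doc|xls|zip>.<executable ext>, e.g. "SCRIPT.DOC.PIF"
DOUBLE_EXT = re.compile(r"^(?P<base>.+)\.(doc|xls|zip)\.(pif|lnk|bat|exe|com)$", re.I)

def classify_message(raw: str) -> dict:
    """Report which SirCam traits a raw RFC 822 message shows."""
    msg = message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""  # decodes quoted-printable
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    lang = next((k for k, v in SIRCAM_BODIES.items() if lines == v), None)
    hits = []  # (attachment name, subject == name minus both extensions)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        m = DOUBLE_EXT.match(name)
        if m:
            hits.append((name, m.group("base").lower() == subject.lower()))
    return {"body_lang": lang, "double_ext": hits,
            "sircam": lang is not None and any(ok for _, ok in hits)}

# Constructed sample modelled on the message quoted in this thread
SAMPLE = """\
Subject: Chad Brandolini
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi! How are you=3F
I send you this file in order to have your advice
See you later=2E Thanks
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Chad Brandolini.doc.bat"

AAAA
--b1--
"""
```

    A mail gateway rule built on these three traits catches the worm's messages regardless of the randomly chosen document name, which is what defeated simple subject-line filters at the time.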

    #82908

    jeremiah
    Keymaster

    Wow, thanks for all the info Spaceboy!

    Hope no one here gets infected!

    #82909

    ScreamingTree
    Participant

    I just spent an hour going through deleting it…my comp was sending random files of MINE that it had INFECTED to COMPLETE STRANGERS…godammit I hate the world. This is why people suck. I got infected with this nasty thing back in October and it’s been dormant for awhile until today when I realized I had sent 20 emails to random addresses with a snes video game I downloaded and a text document I made. wow. what a terrible virus… :mad: :frown: :confused: :angryrazz: :pissed: :rocketwhore: :killtard: :bash: :cussing:

    #82910

    everyonelovesjaron
    Participant

    quote: Originally posted by Tom N:
    I just spent an hour going through deleting it…my comp was sending random files of MINE that it had INFECTED to COMPLETE STRANGERS…godammit I hate the world. This is why people suck. I got infected with this nasty thing back in October and it’s been dormant for awhile until today when I realized I had sent 20 emails to random addresses with a snes video game I downloaded and a text document I made. wow. what a terrible virus… :mad: :frown: :confused: :angryrazz: :pissed: :rocketwhore: :killtard: :bash: :cussing:

    Oh man, that sucks. I’m sorry you got bit by that nasty scourge.

    #82911

    ScreamingTree
    Participant

    Thank you ELJ, I’m just glad it’s over. I like my smilies in that post. If they weren’t there I would’ve destroyed something real… but these smiles are just as good. :)

    #82912

    everyonelovesjaron
    Participant

    quote: Originally posted by Tom N:
    Thank you ELJ, I’m just glad it’s over. I like my smilies in that post. If they weren’t there I would’ve destroyed something real… but these smiles are just as good. :)

    Yeah, other than the ones over to the left that I just click on, I know maybe 2 smilies and once again, FAR too lazy to look them up.

    I’m fairly certain there’s not a :raisetheroof: smilie, though.
