Win32.SirCam.137216

Manual Removal Procedure
(posted for Codex)

Win32.SirCam.137216 is an e-mail worm which sends itself as well as clean documents from an infected machine. The worm arrives in a message which may be either English or Spanish. The English messages appear like this:

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks

The middle is chosen from the following list. However, due to a bug in the worm's random number checking, the first line is always used:

I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

The Spanish message looks like:

Hola como estas ?
Te mando este archivo para que me des tu punto de vista
Nos vemos pronto, gracias.

The middle line is from the following list, but once again only the first line is ever chosen:

Te mando este archivo para que me Des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es El archivo con la información que me pediste

The attachment name is variable, but will have a double extension, for example "SCRIPT.DOC.PIF". The actual extension may be "PIF", "LNK", "BAT", "EXE" or "COM". The subject of the message matches the attachment name, except without the extensions. In the above example the subject would be "SCRIPT".

When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" as well as "SCam32.exe" in the Windows System directory. It modifies two registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32="<Windows System>\SCam32.exe"
HKEY_CLASSES_ROOT\exefile\shell\open\command=""C:\recycled\SirC32.exe" "%1" %*"

and creates a third:

HKEY_LOCAL_MACHINE\Software\SirCam

The first key causes the worm to run when Windows starts. The second causes the worm to be run whenever any .EXE program is executed. The worm gets a list of .DOC, .XLS and .ZIP files in the "My Documents" folder (this list is also saved in the file scd.dll, created in the System directory). It appends one of these files to the end of itself and saves the result to the Recycled folder, adding the second extension to the filename as listed previously. This file is attached to the emails that the worm sends.

The worm may make several copies of itself with different DOC, XLS or ZIP files attached, depending upon what it finds in the "My Documents" folder. It continually sends these copies out to addresses it finds in the Windows address book and Internet cache files, and may send multiple copies to the same address.

The worm also spreads using Windows shared drives. If it finds a share with a "RECYCLED" directory it copies itself into that directory with the name "SirC32.exe". If it finds an "AUTOEXEC.BAT" file on the share it adds the following line to it:

@win \recycled\SirC32.exe

Finally, it looks for "\windows\rundll32.EXE" on the share and replaces it with the worm, renaming the original to "run32.exe". When the worm is executed from "rundll32.exe" it automatically executes the backup file "run32.exe".

The worm contains two payloads. One deletes all files and subdirectories on the hard drive which Windows is installed on (usually C:). The other writes a file called "SirCam.Sys" to the "Recycled" directory. Neither of these payloads is activated under normal circumstances, due to the bug in the worm's random number checking. However, they may be activated if one of the worm's files is renamed or modified before being run.
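The mail indicators described above (fixed opening and middle lines, a double-extension attachment with an executable final extension, and a subject equal to the attachment's base name) can be checked mechanically. This is an added example using Python's standard email module, not code from the original page; the message it inspects is constructed inline and the attachment body is a dummy.

```python
from email.message import EmailMessage

# Text the worm uses, from the description above (its random-number bug means
# only the first "middle" line of each language is ever chosen).
OPENERS = {"Hi! How are you?", "Hola como estas ?"}
MIDDLES = {"I send you this file in order to have your advice",
           "Te mando este archivo para que me des tu punto de vista"}
EXEC_EXTS = {"pif", "lnk", "bat", "exe", "com"}

def attachment_indicators(subject, filename):
    """(double_ext, exec_final_ext, subject_matches_basename) for one attachment."""
    parts = filename.split(".")
    double_ext = len(parts) >= 3
    exec_ext = parts[-1].lower() in EXEC_EXTS
    subject_matches = subject.strip().lower() == parts[0].lower()
    return double_ext, exec_ext, subject_matches

def sircam_indicators(msg):
    """Return the SirCam indicators found in an email.message.EmailMessage."""
    hits = []
    body = msg.get_body(preferencelist=("plain",))
    lines = {l.strip() for l in body.get_content().splitlines()} if body else set()
    if lines & OPENERS:
        hits.append("opener")
    if lines & MIDDLES:
        hits.append("middle")
    for part in msg.iter_attachments():
        double_ext, exec_ext, subj = attachment_indicators(msg["Subject"] or "",
                                                           part.get_filename() or "")
        if double_ext and exec_ext:
            hits.append("double-extension executable")
        if subj:
            hits.append("subject equals attachment basename")
    return hits

def constructed_sample():
    """Constructed message mimicking the English variant; attachment body is a dummy."""
    msg = EmailMessage()
    msg["Subject"] = "SCRIPT"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Hi! How are you?\nI send you this file in order to have your advice\n"
                    "See you later. Thanks\n")
    msg.add_attachment(b"\x00dummy", maintype="application", subtype="octet-stream",
                       filename="SCRIPT.DOC.PIF")
    return msg
```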

To manually remove the Trojan

Restore your system configurations through the registry.

  1. If you are connected to the network, disconnect your computer from the network.
  2. Rename REGEDIT.EXE to REGEDIT.COM. If you want to use the fix tool, there is no need to rename the file.
  3. Click Start>Run, type REGEDIT and then press Enter.
  4. In the left panel, click the (+) left of each of the below:
    HKEY_LOCAL_MACHINE
    Software
    Microsoft
    Windows
    CurrentVersion
    RunServices
  5. In the right panel, look for and then delete the registry value called Driver32.
  6. In the left panel, click the (+) left of each of the below:
    HKEY_LOCAL_MACHINE
    Software
    SirCam
  7. Click SirCam and then press the Delete key.
  8. In the left panel, click the (+) left of each of the below:
    HKEY_CLASSES_ROOT
    exefile
    shell
    open
    command
  9. In the right panel, right-click the (Default) value, then choose Modify.
  10. Change "C:\Recycled\SirC32.exe" "%1" %* to "%1" %*. In other words, remove "C:\Recycled\SirC32.exe".

Remove the dropped files:

  1. Go to the System directory (C:\Windows\System or C:\Winnt\System32).
  2. Type ATTRIB -S -H -R SCAM32.EXE to unhide the Trojan file.
  3. Type DEL SCAM32.EXE to delete the Trojan file.
  4. Go to the Recycled folder (C:\Recycled).

Note: Emptying the recycle bin does not effectively delete the dropped Trojan files in the folder. It is suggested that the command prompt be used when deleting the dropped files.

  5. Type ATTRIB -S -H -R SIRC32.EXE to unhide the worm file.
  6. Type DEL SIRC32.EXE to delete the worm file.

Remove the Worm reference from AUTOEXEC.BAT:

  1. Look for the AUTOEXEC.BAT file.
  2. Search and remove the string "@win \recycled\Sirc32.exe"

Restore your RUNDLL32.EXE:

  1. Search for RUN32.EXE in your WINDOWS folder. If not found, then the worm did not overwrite your RUNDLL32.EXE.
  2. If found, delete RUNDLL32.EXE and rename RUN32.EXE to RUNDLL32.EXE.
  3. Restart your system.

Note: If you found the worm entry in the AUTOEXEC.BAT file or if you found the RUN32.EXE file in the Windows directory, this means that other computers in your network are also infected. For protection, minimize giving full access to your drives and as much as possible DO NOT share your Windows and System folder.
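The registry and AUTOEXEC.BAT steps above can be verified against an exported snapshot before touching the live system. This is an added Python example, not the page's fix tool: it parses a constructed REGEDIT4-style export (not a real capture) for the three keys listed in the description, computes the restored exefile command, and strips the worm's line from AUTOEXEC.BAT text.

```python
import re

# Constructed REGEDIT4-style export (not a real capture) with the worm's settings.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"
[HKEY_LOCAL_MACHINE\Software\SirCam]
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"
'''
RUNSERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
EXEFILE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
WORM_LINE = r"@win \recycled\SirC32.exe"   # line the worm appends to AUTOEXEC.BAT

def parse_reg_export(text):
    """Minimal parser for .reg text: {key: {value_name: data}}; '@' is (Default)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # unescape \" and \\
            keys[current][name] = data
    return keys

def restore_exefile_command(value):
    """Strip the worm's SirC32.exe prefix from the exefile command; (clean, was_hijacked)."""
    m = re.match(r'^"?C:\\recycled\\SirC32\.exe"?\s*(.*)$', value, re.IGNORECASE)
    return (m.group(1).strip(), True) if m else (value, False)

def clean_autoexec(text):
    """Drop the worm's line from AUTOEXEC.BAT contents (case-insensitive match)."""
    return "\n".join(l for l in text.splitlines() if l.strip().lower() != WORM_LINE.lower())

def sircam_registry_findings(reg):
    """List the registry clean-up actions the manual procedure above calls for."""
    actions = []
    if "scam32.exe" in reg.get(RUNSERVICES, {}).get("Driver32", "").lower():
        actions.append("delete RunServices\\Driver32")
    if r"HKEY_LOCAL_MACHINE\Software\SirCam" in reg:
        actions.append("delete HKLM\\Software\\SirCam")
    clean, hijacked = restore_exefile_command(reg.get(EXEFILE_CMD, {}).get("(Default)", ""))
    if hijacked:
        actions.append("set exefile command to " + clean)
    return actions
```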