Manual Removal Procedure
is an e-mail worm which sends itself as well as clean documents from an
infected machine. The worm arrives in a message which may be either
English or Spanish. The English messages appear like this:
The middle line is chosen from the following list. However, because of a bug in the worm's random-number check, the first entry is always used:
The Spanish message looks like:
The middle line is taken from the following list, but again only the first entry is ever chosen:
The attachment name varies, but it always carries a double extension, for example "SCRIPT.DOC.PIF". The final extension may be "PIF", "LNK", "BAT", "EXE" or "COM". The message subject is the attachment name with both extensions removed; in the above example the subject would be "SCRIPT".
When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" and to "SCam32.exe" in the Windows System directory. It modifies two registry keys:
and creates a third:
The first key causes the worm to run when Windows starts. The second causes the worm to run whenever any .EXE program is executed. The worm builds a list of the .DOC, .XLS and .ZIP files in the "My Documents" folder (the list is also saved in the file scd.dll, created in the System directory). It appends one of these files to the end of its own executable and saves the result in the Recycled folder, adding the second extension to the file name as described above. This file is the attachment on the e-mails the worm sends.
The worm may make several such copies of itself, each with a different DOC, XLS or ZIP file appended, depending on what it finds in "My Documents". It continually sends these copies to addresses harvested from the Windows address book and the Internet cache files, and may send multiple copies to the same address.
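Because the harvested document is simply appended to the worm's executable, the document can be recovered from a captured attachment by finding where the PE image ends (the last byte of section raw data) and cutting there. The script below is an added example, not code from the original page or from any AV vendor: it computes that boundary from the PE headers, splits the file, identifies the recovered part by its magic bytes, and derives the mail subject from the attachment name as the page describes. The sample attachment is constructed inline (a minimal PE32 with one section followed by a fake OLE2 document); it is not a real worm sample, and the document text and section layout are invented for the demonstration.

```python
"""Recover the document carried by a SirCam-style attachment (added example)."""
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # .DOC / .XLS container header
ZIP_MAGIC = b"PK\x03\x04"


def pe_image_end(data: bytes) -> int:
    """Offset of the first byte after the PE image, i.e. the start of any overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional
    end = section_table + num_sections * 40          # at least the headers themselves
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each entry
        size_raw, ptr_raw = struct.unpack_from("<II", data, section_table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))                       # tolerate a truncated capture


def split_attachment(data: bytes):
    """Return (worm executable, appended document)."""
    end = pe_image_end(data)
    return data[:end], data[end:]


def classify_overlay(overlay: bytes) -> str:
    """Name the appended file type from its magic: the worm steals DOC, XLS or ZIP."""
    if overlay.startswith(OLE2_MAGIC):
        return "ole2"                                 # Word or Excel document
    if overlay.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def subject_from_attachment(name: str) -> str:
    """"SCRIPT.DOC.PIF" -> "SCRIPT": the subject is the name minus both extensions."""
    return name.split(".")[0]


# Constructed document body; not taken from any real sample.
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 8 + b"Quarterly figures, do not distribute\n"


def build_sample() -> bytes:
    """Constructed minimal PE32 (DOS header, one .text section) with the document appended."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, opt hdr 224
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)        # PE32 magic; other fields left zero
    section = bytearray(40)
    section[:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", section, 8, 0x200, 0x1000, 0x200, 0x200)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(optional) + bytes(section)
    headers += b"\0" * (0x200 - len(headers))        # pad headers to the first raw section
    code = b"\xC3" * 0x200                            # section raw data (just RET opcodes)
    return headers + code + SAMPLE_DOC


if __name__ == "__main__":
    worm, doc = split_attachment(build_sample())
    print(len(worm), "bytes of worm,", classify_overlay(doc), "overlay of", len(doc), "bytes")
    print("subject:", subject_from_attachment("SCRIPT.DOC.PIF"))
```

On a real capture, point `split_attachment` at the attachment bytes and check `classify_overlay` before handing the recovered part to a document viewer; the overlay is the victim's file exactly as the worm read it, so it is the artefact that tells you what was leaked.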
The worm also spreads via Windows shared drives. If it finds a share containing a "RECYCLED" directory, it copies itself into that directory as "SirC32.exe". If it finds an "AUTOEXEC.BAT" file on the share, it adds the following line to it:
Finally, it looks for "\windows\rundll32.EXE" on the share and replaces it with a copy of the worm, renaming the original to "run32.exe". When the worm is executed as "rundll32.exe" it in turn executes the backup file "run32.exe".
The worm contains two payloads. One deletes all files and subdirectories on the drive Windows is installed on (usually C:). The other writes a file called "SirCam.Sys" to the "Recycled" directory. Neither payload is triggered under normal circumstances, because of the same bug in the worm's random-number check. However, they may be triggered if one of the worm's files is renamed or modified before it is run.
To remove the worm:
Restore your system configuration through the registry.
Remove the dropped files:
Remove the worm's reference from AUTOEXEC.BAT:
Restore your RUNDLL32.EXE:
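The file-level steps above (dropped files, AUTOEXEC.BAT, RUNDLL32.EXE) can be carried out offline against a mounted copy of the infected drive or share, which is safer than running anything on the infected machine while the .EXE association still points at the worm. The script below is an added example, not the page's procedure or any vendor tool; the registry step is left to be done by hand as the page instructs. It assumes, beyond what the page states, that the Windows directory is named WINDOWS, that the line the worm adds to AUTOEXEC.BAT references SirC32.exe, and that names may differ in case (FAT is case-insensitive, so lookups ignore case). The infected layout built by `demo()` is constructed for the demonstration.

```python
"""Offline cleanup of the SirCam file artefacts listed in the removal steps (added example)."""
import pathlib
import tempfile

# Paths from the page, relative to the drive root; the WINDOWS directory name is an assumption.
DROPPED_FILES = [
    "RECYCLED/SirC32.exe",
    "WINDOWS/SYSTEM/SCam32.exe",
    "WINDOWS/SYSTEM/scd.dll",      # list of harvested documents
    "RECYCLED/SirCam.Sys",         # written by the second payload
]
WORM_MARKERS = ("sirc32.exe", "scam32.exe")


def find_ci(directory: pathlib.Path, name: str):
    """Case-insensitive lookup of one entry inside a directory (FAT names vary in case)."""
    if not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def resolve_ci(root: pathlib.Path, relative: str):
    """Walk a relative path one component at a time, ignoring case."""
    current = root
    for part in relative.split("/"):
        current = find_ci(current, part)
        if current is None:
            return None
    return current


def remove_dropped_files(root: pathlib.Path) -> list:
    removed = []
    for rel in DROPPED_FILES:
        path = resolve_ci(root, rel)
        if path is not None and path.is_file():
            path.unlink()
            removed.append(rel)
    return removed


def clean_autoexec(text: str):
    """Drop every line referencing the worm; other lines and their CRLF endings are kept."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        if any(marker in line.lower() for marker in WORM_MARKERS):
            removed.append(line.strip())
        else:
            kept.append(line)
    return "".join(kept), removed


def restore_rundll32(windows_dir: pathlib.Path) -> bool:
    """Undo the share payload: the worm sits as rundll32.exe, the original as run32.exe."""
    backup = find_ci(windows_dir, "run32.exe")
    if backup is None:
        return False                                  # nothing to restore from
    infected = find_ci(windows_dir, "rundll32.exe")
    if infected is not None:
        infected.unlink()
    backup.rename(windows_dir / "rundll32.exe")
    return True


def clean_drive(root: pathlib.Path) -> dict:
    summary = {"removed": remove_dropped_files(root), "autoexec_removed": []}
    autoexec = find_ci(root, "autoexec.bat")
    if autoexec is not None:
        with autoexec.open(newline="") as fh:        # newline="" preserves CRLF
            new_text, dropped = clean_autoexec(fh.read())
        if dropped:
            with autoexec.open("w", newline="") as fh:
                fh.write(new_text)
        summary["autoexec_removed"] = dropped
    windows = find_ci(root, "windows")
    summary["rundll32_restored"] = windows is not None and restore_rundll32(windows)
    return summary


def demo() -> dict:
    """Build a constructed infected drive layout in a temp dir, clean it, and report."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="sircam_"))
    (root / "RECYCLED").mkdir()
    (root / "WINDOWS" / "SYSTEM").mkdir(parents=True)
    for rel in DROPPED_FILES:
        (root / rel).write_bytes(b"MZ-worm-body")
    (root / "WINDOWS" / "run32.exe").write_bytes(b"MZ-original-rundll32")
    (root / "WINDOWS" / "rundll32.EXE").write_bytes(b"MZ-worm-body")   # worm in place of rundll32
    with (root / "AUTOEXEC.BAT").open("w", newline="") as fh:
        fh.write("@ECHO OFF\r\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
                 "C:\\RECYCLED\\SirC32.exe\r\n")                      # constructed worm line
    summary = clean_drive(root)
    summary["rundll32_bytes"] = (root / "WINDOWS" / "rundll32.exe").read_bytes()
    summary["autoexec_text"] = (root / "AUTOEXEC.BAT").read_bytes().decode()
    return summary


if __name__ == "__main__":
    print(demo())
```

Run `clean_drive(pathlib.Path("/mnt/infected"))` against the mount point of the drive image or share; the returned summary lists exactly what was removed, which is what you want in an incident record. Only after the registry keys have been restored by hand should anything be executed on the machine itself, since until then every .EXE launch still runs the worm.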