The person sending it does not know she is sending it out. The virus reads not only from the address list but also from cache. It sends a random real file from the person's computer and then attaches an infected file along with it.
What everyone else says is right: don't open any attachments, even from someone you know, unless you know what it is and why they are sending it.
If you use IE and preview is on, you can get infected. To date it is still impossible to get a virus/worm simply from reading an email. Running or opening a file is always the problem.
It appears that NT and Windows 2000 are immune to replication.
This worm arrives as an email message with the following content:
Subject: The subject of the email will be random, and will be the same as the file name of the email attachment.
Attachment: The attachment is a file taken from the sender's computer and will have the extension .bat, .com, .lnk or .pif added to it.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.
First line: Hi! How are you?
Last line: See you later. Thanks
Between these two sentences, some of the following text may appear:
English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for
There is a 1 in 33 chance that the following actions will occur:
The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe
The worm copies itself as "Microsoft Internet Office.exe" to the folder referred to by the registry key:
There is a 1 in 20 chance that on October 16th of any year, the worm will recursively delete all files and folders on the C drive.
This payload functions only on computers which use the date format D/M/Y (as opposed to M/D/Y or similar formats).
Additionally, the payload will always activate immediately, regardless of date and date format, if the file attached to the worm contains the sequence "FA2" without the letters "sc" following immediately.
The From: email address and mail server are taken from the registry. If no email account exists, then the current user name will be prepended to "prodigy.net.mx", e.g. if the current user logged on as JSmith, then the address will be "jsmith@prodigy.net.mx". Then the worm will attempt to connect to a mail server. This will be either the mail server taken from the registry, or one of:
prodigy.net.mx
goeke.net
enlace.net
dobleclick.com.mx
The language used for the mail depends on the language used by the sender. If the sender uses Spanish, then the mail will be in Spanish, otherwise it will be in English. The attachment is chosen randomly from the list of files in the scd.dll.
Here's an interesting part of the worm. The author just about signs his name.
[SirCam Version 1.0 Copyright ¬ 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]
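The message traits listed in the write-up above (an extension from the .bat/.com/.lnk/.pif set added to an existing file name, a subject equal to the attachment name, and the fixed English first and last sentences) can be checked mechanically at a mail gateway. The following is an added example, not part of the original post or of any vendor tool; the function names, the sample messages and the choice to match the subject with or without the extensions are assumptions, and only the English phrases quoted above are covered.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePath

ADDED_EXTS = {".bat", ".com", ".lnk", ".pif"}  # extensions listed in the write-up
FIRST_LINE = "hi! how are you?"                # fixed opening sentence (English)
LAST_LINE = "see you later. thanks"            # fixed closing sentence (English)

def sircam_indicators(raw: bytes) -> list:
    """Return the write-up's indicators that a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = []
    for part in msg.iter_attachments():
        name = PurePath(part.get_filename() or "")
        suffixes = [s.lower() for s in name.suffixes]
        # An extension "added" to an existing file leaves at least two suffixes.
        if len(suffixes) < 2 or suffixes[-1] not in ADDED_EXTS:
            continue
        hits.append("double-extension")
        # Assumption: accept the subject with or without the extensions.
        stems = {name.name, name.stem, PurePath(name.stem).stem}
        if subject in {s.lower() for s in stems}:
            hits.append("subject-matches-attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lines = [ln.strip().lower() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0] == FIRST_LINE and lines[-1].rstrip(".") == LAST_LINE:
        hits.append("fixed-greeting-and-signoff")
    return hits

def build_sample(subject: str, filename: str, body: str) -> bytes:
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "a@example.com", "b@example.com"
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    body = ("Hi! How are you?\nI send you this file in order to have your advice\n"
            "See you later. Thanks\n")
    print(sircam_indicators(build_sample("budget 2001", "budget 2001.xls.pif", body)))
    print(sircam_indicators(build_sample("Minutes", "minutes.pdf", "See attached.\n")))
```

A single hit such as the double extension is weak on its own; the three together match the description closely enough to quarantine the message for review.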