Virus Alert

Kruz

Moderator
Staff member
Got this in my e-mail today.... thought I'd share it with you.....


Hello,

This mail comes to you from the Virus Emergency Response Team
at Proland Software.

A new worm has been discovered in the wild, called the Win32/SirCam worm.
This worm is spreading rapidly via the Internet.

About the Win32/SirCam Worm:

Win32/SirCam is a rapidly spreading email worm, which spreads to all the
addresses found in the Windows Address Book. This worm can infect Windows
systems. The worm arrives with a random subject.

You can read more about this worm at

http://www.protectorplus.com/virus_info/worms/sircam.htm
 

wdeep

New Member

TROJ_SIRCAM.A
Risk rating: medium risk
Virus type: Trojan
Destructive: Y

Aliases:
SCAM.A, TROJ_SCAM.A, W32.Sircam.Worm@mm

Description:
This Trojan propagates via email using SMTP commands. It sends copies of itself to all addresses listed in an infected user's address book. It arrives in an email with a random subject line, and an attachment by the same name. It has no destructive payload.

Solution:
First, restore your system configurations through the registry. To do this:

1. In the Windows Start Menu, choose Run, type Regedit and then press Enter.
2. On the left panel, follow the path HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
3. On the right panel, look for the registry value called Driver32.
4. Click this and press the Delete key.
5. On the left panel, follow the path HKEY_LOCAL_MACHINE\Software\SirCam.
6. Click SirCam and press the Delete key.
7. On the left panel, follow the path HKEY_CLASSES_ROOT\exefile\shell\open\command
8. On the right panel, right-click on the (Default) value, then choose Modify.
9. Change "C:\Recycled\SirC32.exe" "%1" %* to "%1" %*. Remove "C:\Recycled\SirC32.exe".

It is important that steps 7 to 9 be followed before removing the Trojan file, or else no executable file will be able to run. If the Trojan is deleted, REGEDIT is no longer accessible. Please rename regedit.exe to regedit.com, then execute regedit. Then just follow steps 1-9. If the Trojan is not yet deleted, you can also use the tool fix_sircam.reg. This will remove the Trojan association from the registry.

Once the association is removed restart your system. Scan your system with Trend Micro antivirus and delete all files detected as TROJ_SIRCAM.A. To do this Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro’s free online virus scanner.

If you need further assistance with this solution, please send an email to [email protected].

Technical Details

TROJ_SIRCAM.A

In the wild: Yes
Trigger condition 1: Upon execution
Payload 1: Creates Files
Detected by pattern file#: 917
Detected by scan engine#: 5.170
Language: English, Spanish
Platform: Windows
Encrypted: No
Size of virus: 137,216 Bytes

Details:
The worm arrives as an attachment to the following email:

Subject: (random subject line, with the same name as the attachment)
Message body: (The body could be either in Spanish or English)
Hi! How are you?

I send you this file in order to have your advice OR I hope you can help me with this file that I send OR I hope you like the file that I send you OR This is the file with the information that you ask for

See you later. Thanks

Attachment: (random filename, with the same name as the subject line)
IN SPANISH:

Hola como estas ?

Te mando este archivo para que me des tu punto de vista OR Espero me puedas ayudar con el archivo que te mando OR Espero te guste este archivo que te mando OR Este es el archivo con la informacion que me pediste

Nos vemos pronto, gracias.

The attachment contains a copy of the worm merged with a randomly chosen file from the sender's computer.

Upon execution, this worm copies itself to a SCam32.EXE in the System directory. It then splits merged files in the attachment and drops these to a SIRC32.EXE file and a <Original filename of the merged file> in the C:\Recycled folder.

To execute every bootup, it creates the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32 = "C:\Windows\System\Scam32.exe"

It modifies the following registry entry:

HKEY_CLASSES_ROOT\exefile\shell\open\command = "%1" %*

to the following, to allow this Trojan to run whenever an .EXE file is executed:

HKEY_CLASSES_ROOT\exefile\shell\open\command = "C:\Recycled\SirC32.exe" "%1" %*

It also creates the following registry key, where it stores data:

HKEY_LOCAL_MACHINE\Software\SirCam
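The three registry locations the advisory above lists (the RunServices Driver32 value, the hijacked exefile open command, and the HKLM\Software\SirCam data key) are what a defender would audit on a suspect host. The script below is an added example, not part of wdeep's post or of Trend Micro's tooling: it classifies the exefile command value, flags Run/RunServices entries by the advisory's indicators, and reports whether the exefile value must be restored before the dropped file is deleted (the steps 7 to 9 ordering caveat). The offline functions run anywhere on constructed sample snapshots; the live read uses Python's winreg module and only executes on Windows. The unquoted stock form of the exefile command is an assumption, and the checks are read-only.

```python
import re
import sys

# Constructed sample values mirroring the two states the advisory describes for
# the (Default) value of HKEY_CLASSES_ROOT\exefile\shell\open\command.
CLEAN_EXEFILE_COMMAND = '"%1" %*'
HIJACKED_EXEFILE_COMMAND = '"C:\\Recycled\\SirC32.exe" "%1" %*'

# Stock forms of the exefile open command; the unquoted variant is an assumption.
_STOCK_EXEFILE_COMMANDS = {'"%1" %*', '%1 %*'}

# Indicators taken from the advisory: the RunServices value name and the two
# dropped file names. Matching on command text is case-insensitive.
INDICATOR_VALUE_NAMES = {"driver32"}
INDICATOR_FILE_NAMES = ("scam32.exe", "sirc32.exe")


def exefile_hijack_handler(command):
    """Return the program inserted in front of "%1" in the exefile open command,
    or None when the value is the stock form. Anything wrapping "%1" here runs
    every time the shell launches an .EXE, which is why the advisory insists on
    restoring this value before the dropped file is removed."""
    normalized = " ".join(command.split())
    if normalized in _STOCK_EXEFILE_COMMANDS:
        return None
    m = re.match(r'^"?(?P<handler>[^"]+?)"?\s+"?%1"?\s*%\*$', normalized)
    return m.group("handler") if m else normalized  # unknown shape: report whole value


def suspicious_run_entries(run_values):
    """Given {value_name: command} from a Run/RunServices key, return the entries
    whose name or command matches the advisory's indicators."""
    hits = {}
    for name, cmd in run_values.items():
        cmd_l = str(cmd).lower()
        if name.lower() in INDICATOR_VALUE_NAMES or any(f in cmd_l for f in INDICATOR_FILE_NAMES):
            hits[name] = cmd
    return hits


def scan_snapshot(snapshot):
    """Evaluate a snapshot dict with keys exefile_command (str), run_services
    (dict) and sircam_key_present (bool); return findings and a verdict."""
    handler = exefile_hijack_handler(snapshot["exefile_command"])
    hits = suspicious_run_entries(snapshot.get("run_services", {}))
    key_present = bool(snapshot.get("sircam_key_present", False))
    return {
        "exefile_handler": handler,
        "run_services": hits,
        "sircam_key": key_present,
        # The exefile association must be undone first (advisory steps 7 to 9).
        "restore_exefile_first": handler is not None,
        "infected": handler is not None or bool(hits) or key_present,
    }


def snapshot_live_registry():
    """Read the same three locations from a running Windows host, read-only.
    Returns None on other platforms so the offline functions stay usable."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily on purpose

    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as k:
        exefile_cmd, _ = winreg.QueryValueEx(k, "")  # "" selects the (Default) value

    run_values = {}
    try:
        path = r"Software\Microsoft\Windows\CurrentVersion\RunServices"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(k, i)
                except OSError:
                    break  # no more values
                run_values[name] = str(data)
                i += 1
    except FileNotFoundError:
        pass  # RunServices is a Windows 9x key; NT-based systems may lack it

    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\SirCam"))
        sircam_present = True
    except FileNotFoundError:
        sircam_present = False

    return {"exefile_command": exefile_cmd, "run_services": run_values,
            "sircam_key_present": sircam_present}


# Constructed snapshots: one in the infected state the advisory describes, one clean.
INFECTED_SNAPSHOT = {
    "exefile_command": HIJACKED_EXEFILE_COMMAND,
    "run_services": {"Driver32": r"C:\Windows\System\Scam32.exe"},
    "sircam_key_present": True,
}
CLEAN_SNAPSHOT = {"exefile_command": CLEAN_EXEFILE_COMMAND,
                  "run_services": {}, "sircam_key_present": False}

if __name__ == "__main__":
    live = snapshot_live_registry()
    print(scan_snapshot(live if live is not None else INFECTED_SNAPSHOT))
```

On a Windows host the script prints the live findings; elsewhere it falls back to the constructed infected snapshot. The `restore_exefile_first` flag is the point of the example: when it is true, the exefile command has to be put back to `"%1" %*` before the handler file is deleted, otherwise no .EXE (regedit included) will launch through the shell.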
 

Huge

Holla if you hear me!
Staff member
Some bastard just tried sending me a worm; Daddy's going to be pissed once he learns his script kiddie got his cable pulled...
 

brainsoft

Co-founder/alumni
Two options:

  1. Fight fire with fire (return attack)
  2. Get a bucket of water (often WAY more fun IMO)

Excellent choices!
 