For the first time in weeks (or even months?), the antivirus vendor McAfee has issued a warning at the level "HIGH risk".
Once again it affects only Windows users. The worm exploits the by now long-known weaknesses: double filename extensions (e.g. 'bild.gif.exe'). It can spread itself; to do so it uses real entries from the Windows address book.
Tell-tale sign: presence of the file SCam32.exe (you can look for it via Start | Find | Files).
It hides in the Recycle Bin, because many people exclude the Recycle Bin when scanning for viruses (why, actually?).
The original information in English:
Virus Name: W32/SirCam@MM
Risk: High
Virus Information
Discovery Date: 07/17/2001
Length: 137,216
Type: Virus
SubType: E-mail
Description Added: 07/17/2001
Virus Characteristics
Jul 23 - Due to the increase in samples, the risk assessment for W32/SirCam@MM has been updated to HIGH.
For detection of W32/SirCam@MM, the LNK and PIF extensions need to be present in the extension list, or SCAN ALL FILES must be chosen.
This mass-mailing virus attempts to send itself and local documents to all users found in the Windows Address Book and to email addresses found in temporary Internet cached files (web browser cache).
It may be received in an email message containing the following information:
Subject: [filename (random)]
Body: Hi! How are you?
I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for
See you later. Thanks
--- the same message may be received in Spanish ---
Hola como estas ?
Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste
Nos vemos pronto, gracias.
--- end message ---
Attached will be a document with a double extension (the filename varies). The first extension will be the file type of the document to which the virus was prepended. When run, the document will be saved to the C:\RECYCLED folder and then opened, while the virus copies itself to C:\RECYCLED\SirC32.exe to conceal its presence and creates the following registry key value to load itself whenever .EXE files are executed:
HKCR\exefile\shell\open\command\Default="C:\recycled\SirC32.exe" "%1" %*
As the RECYCLE BIN is often on the exclusion list, check your settings to ensure that this directory IS being scanned.
It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and creates the following registry key value to load itself automatically:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe
A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd character of the name appears to be random) in the SYSTEM directory. Email addresses are gathered from the Windows Address Book and temporary Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd characters of the name appear to be random) in the SYSTEM directory.
The worm prepends a copy of the files that are named in the SCD.DLL file and attaches this copy to the email messages that it sends via a built-in routine for communicating directly with an SMTP server, using one of the following extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment names having double extensions.
The program creates a registry key to store variables for itself (such as a run count and SMTP information):
HKLM\Software\Sircam
The virus may also infect other systems by using open network shares. On remote systems the file \windows\rundll32.exe might get replaced with a viral copy. On those systems, it might also append autoexec.bat with the line: @win \recycled\sirc32.exe
Aside from e-mail overloading, it might delete files on 16 October and/or fill up hard disk space by adding text entries over and over again to a sircam recycle bin file.
Symptoms
Presence of SCam32.exe in the WINDOWS SYSTEM directory.
Method Of Infection
This virus sends itself, as an executable, to email recipients found in the Windows Address Book and addresses found in cached files. This executable is appended with a document if one is found in the MY DOCUMENTS folder. The mailing routine talks SMTP to a server and will use the server address found in infected executables. This address is presumably captured from the victim's machine which sent the virus to you. If that server is not in operation, or if relaying is not permitted, the virus attempts to use each of these three servers, stopping when the first successful send occurs:
doubleclick.com.mx
enlace.net
goeke.net
Removal Instructions
Use the specified engine and DAT files for detection and removal.
Registry Entries:
The W32/SirCam@MM virus makes changes to the registry.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe
HKLM\Software\Sircam
In infected state: HKCR\exefile\shell\open\command\Default="C:\recycled\SirC32.exe" "%1"%*
In clean state this should be: \Default=""%1"%*"
Note that manual modification of registry items is dangerous and should not be needed at all, as VirusScan will clean all the registry items automatically.
Source:
ciao
Andreas
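Added example (not McAfee's code and not part of Andreas's post): a small Python script that checks a message's attachment names and body against the SirCam indicators quoted in the advisory (double extension ending in .BAT/.COM/.EXE/.LNK/.PIF, subject equal to the attachment name, the English and Spanish body phrases) and checks a set of registry values against the three entries listed under "Registry Entries". The messages and the registry export are constructed in the script; it reads neither mail nor a live registry, so it runs anywhere. The whitespace-insensitive comparison of the exefile handler with `"%1" %*` is this example's own choice, since the advisory's quoting of the clean value is ambiguous.

```python
"""Checks for the W32/SirCam@MM indicators quoted in the advisory above.
Added example: not McAfee's code and not part of the original post.
All sample messages and registry values below are constructed for this demo."""
import re

# Executable extensions the worm appends to a harvested document (from the advisory).
EXECUTABLE_EXTS = {".bat", ".com", ".exe", ".lnk", ".pif"}

# Body phrases quoted in the advisory (English and Spanish variants), matched
# case-insensitively after whitespace normalisation. "sendo" is the worm's own typo.
BODY_PHRASES = (
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la información que me pediste",
)

# Default value of HKCR\exefile\shell\open\command on a clean system.
CLEAN_EXEFILE_COMMAND = '"%1" %*'
EXEFILE_COMMAND_PATH = r"HKCR\exefile\shell\open\command\Default"
RUNSERVICES_DRIVER32 = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32"
SIRCAM_KEY = r"HKLM\Software\Sircam"


def extensions(filename):
    """All extensions of a file name, lower-cased: 'bild.gif.exe' -> ['.gif', '.exe']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + part.lower() for part in base.split(".")[1:]]


def is_double_extension_executable(filename):
    """True when an executable extension follows at least one other extension."""
    exts = extensions(filename)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS


def body_phrases_found(body):
    """Advisory phrases present in the message body."""
    norm = re.sub(r"\s+", " ", body).strip().lower()
    return [p for p in BODY_PHRASES if p in norm]


def message_indicators(subject, body, attachments):
    """Human-readable indicator strings for one message; an empty list means nothing matched."""
    hits = []
    for name in attachments:
        if is_double_extension_executable(name):
            hits.append(f"attachment {name!r} has a double extension ending in {extensions(name)[-1]}")
            # The advisory gives the subject as the (random) attachment file name.
            stem = name.split(".")[0]
            if subject.strip().lower() in (stem.lower(), name.lower()):
                hits.append("subject equals the attachment name")
    for phrase in body_phrases_found(body):
        hits.append(f"body contains advisory phrase {phrase!r}")
    return hits


def registry_indicators(reg):
    """reg: dict {registry path: value} standing in for a registry export (constructed here).
    Checks the three entries listed under 'Registry Entries' in the advisory."""
    hits = []
    command = reg.get(EXEFILE_COMMAND_PATH, "") or ""
    if re.sub(r"\s+", "", command) != re.sub(r"\s+", "", CLEAN_EXEFILE_COMMAND):
        hits.append(f"exefile open handler is non-default: {command}")
    driver = reg.get(RUNSERVICES_DRIVER32, "") or ""
    if driver.lower().endswith("scam32.exe"):
        hits.append(f"RunServices Driver32 loads SCam32.exe: {driver}")
    if SIRCAM_KEY in reg:
        hits.append(f"{SIRCAM_KEY} key present")
    return hits


# Constructed samples: one message shaped like the advisory's description, one benign,
# one registry export shaped like the infected state, one like the clean state.
SIRCAM_LIKE_MESSAGE = {
    "subject": "holiday",
    "body": "Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later. Thanks",
    "attachments": ["holiday.jpg.pif"],
}
BENIGN_MESSAGE = {"subject": "Lunch?", "body": "Still on for 12?", "attachments": ["menu.pdf"]}
INFECTED_REGISTRY = {
    EXEFILE_COMMAND_PATH: r'"C:\recycled\SirC32.exe" "%1" %*',
    RUNSERVICES_DRIVER32: r"C:\WINDOWS\SYSTEM\SCam32.exe",
    SIRCAM_KEY: None,
}
CLEAN_REGISTRY = {EXEFILE_COMMAND_PATH: CLEAN_EXEFILE_COMMAND}

if __name__ == "__main__":
    for label, msg in (("sircam-like", SIRCAM_LIKE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, message_indicators(**msg))
    for label, reg in (("infected", INFECTED_REGISTRY), ("clean", CLEAN_REGISTRY)):
        print(label, registry_indicators(reg))
```

The double-extension check deliberately keys on the last extension only, which is what the mail client executes; a single-extension .exe attachment is not flagged by this rule, and the registry check reports any non-default exefile handler rather than only the SirC32.exe path, because that handler is a generic persistence spot worth reviewing whenever it is not the default.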