F I D O N E W S
Volume 18, Number 36
3 September 2001

Getting Technical

For technical information about FidoNet please see www.ftsc.org

W32/SirCam Virus. Some information.
From Frank Vest

I've received several of these messages via my e-mail and the "editor@fidonews.org" account. Fortunately, my virus scanner will catch them and refuse to let them open. I've since learned how to recognize this type of e-mail.

Since this seems to be a common virus and many in Fidonet have some form of Internet connection, I did some looking and found out what this thing is and what it can do.

One note: The text below tells most of what this virus does and how to recognize it. I'll add that the e-mail has two files with it when received with Netscape Communicator, and the below-mentioned message is generally in the first file. The second file is the virus-infected one.

I now simply delete the mail when I see it.

----

What virus is this?

This is a HIGH RISK virus that is spread to email recipients found in the Windows Address Book and addresses found in cached files.

The infected email can come from addresses that you recognize. Attached is a file with two different extensions. The file name itself varies.

The email message can appear as follows:

Subject: [filename (random)]
Body:
Hi! How are you?

I send you this file in order to have your advice
or
I hope you can help me with this file that I send
or
I hope you like the file that I send to you
or
This is the file with the information that you ask for

See you later.
Thanks

--- the same message may be received in Spanish ---

Hola como estas ?

Te mando este archivo para que me des tu punto de vista
or
Espero me puedas ayudar con el archivo que te mando
or
Espero te guste este archivo que te mando
or
Este es el archivo con la información que me pediste

Nos vemos pronto,
gracias.

---

What can this virus do?

When run, the document will be saved to the C:\RECYCLED folder and then opened, while the virus copies itself to C:\RECYCLED\SirC32.exe to conceal its presence and creates a registry key value to load itself whenever .EXE files are executed.

The virus searches for .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder and attempts to send copies of these documents to email recipients found in the Windows Address Book and addresses found in cached files.
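Detection logic for the mail pattern described above, added here as an example (it is not part of the original article or of any vendor text): it reports which of the three traits the description gives a message shows, namely the stock body phrase in English or Spanish, an attachment carrying two extensions, and a subject equal to that attachment's base name. The sample message and its inert attachment are constructed; the standard Python `email` module does the parsing.

```python
import email
import re
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Body phrases quoted in the description above (English and Spanish), lower-cased.
SIRCAM_PHRASES = (
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i send to you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la información que me pediste",
)
# A file name carrying two extensions, e.g. "budget.doc.pif" (constructed example name).
DOUBLE_EXT = re.compile(r"^(?P<base>.+)\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$", re.I)

def sircam_indicators(raw: bytes) -> list[str]:
    """Return the traits from the description that this RFC 822 message shows."""
    msg = email.message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    hits, body = [], ""
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            m = DOUBLE_EXT.match(fname)
            if m:
                hits.append("double-extension")
                # "Subject: [filename (random)]": the subject equals the attachment's base name.
                if subject == m.group("base").lower():
                    hits.append("subject-matches-filename")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace").lower()
    if any(p in body for p in SIRCAM_PHRASES):
        hits.append("body-phrase")
    return hits

def constructed_sample() -> bytes:
    """Constructed test message in the described shape; the attachment is inert text."""
    msg = MIMEMultipart()
    msg["Subject"] = "budget"
    msg.attach(MIMEText("Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later.\nThanks\n"))
    att = MIMEApplication(b"inert placeholder, not an executable", Name="budget.doc.pif")
    att["Content-Disposition"] = 'attachment; filename="budget.doc.pif"'
    msg.attach(att)
    return msg.as_bytes()
```

Run `sircam_indicators(constructed_sample())` to see all three traits reported; a plain text message with no attachment returns an empty list.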
