Keylogger

The Sircam virus

Magistr
Il virus Sircam O vírus Sircam Le virus Sircam Le virus Sircam El virus Sircam

Introduction to the Sircam virus

The Sircam virus (code name W32.Sircam.Worm@mm, Backdoor.SirCam or Troj_Sircam.a) is a worm which spreads by email. At particular risk are users of Microsoft Outlook in Windows 95, 98, Millenium, and 2000.

What the virus does

The Sircam worm randomly selects a document (with the extension .gif, .jpg, .mpg, .jpeg, .mpeg, .mov, .pdf, .png, .ps or .zip) found in the directory c:\My Documents\ on the infected computer, then automatically sends an email whose subject is the name of that document, and whose body is one of the two following messages:

  • In English: 
    "Hi! How are you?
    I send you this file in order to have your advice
    See you later. Thanks"
    "Hi! How are you?
I hope you can help me with this file that I send
See you later. Thanks"
    "Hi! How are you?
I hope you like the file that I send to you
See you later. Thanks"
  • Or in Spanish: 
    "Hola como estas ?
    Te mando este archivo para que me des tu punto de vista
    Nos vemos pronto, gracias."
The Sircam virus attaches a copy of itself whose name is that of the file found on the user's hard drive, with a double .vbs as its file extension.

The Sircam worm also may delete all files on your hard drive on 16 October of each year if your computer uses the European date format (day/month/year).

Sircam also adds text to the file c:\recycled\sircam.sys each time your machine is restarted, which may potentially fill up available space on the C:\ drive.

Symptoms of infection

Infected machines have the following files on their hard drives:

  • Sirc32.exe
  • Sircam.sys
  • Run32.exe

To check if you are infected, do a search for the files named above on all of your hard drives (Start / Search / For Files or Folders...).

Eradicating the virus

To eradicate the Sircam worm, the best method involves using an up-to-date antivirus software, or the virus removal tool offered by Symantec:
Download the virus removal tool

You can also remove the virus manually by following these steps:

  • Delete the files Sirc32.exe and Sircam.sys
  • Delete the file c:\windows\Runddl32.exe
  • Rename the file c:\windows\Run32.exe to c:\windows\Rundll32.exe
  • Edit the file c:\autoexec.bat  and delete the following sequence: @win \recycled\sirc32.exe
  • In the registry (which can be modified by running c:\windows\regedit.exe)
    • In HKEY_CLASSES_ROOT/exefile/shell/open/command, edit the string (by double-clicking on Default) and entering the following string: 
      "%1" %*
    • In HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunServices, delete the key Driver32=C:\WINDOWS\SYSTEM\SCam32.exe
    • In HKEY_LOCAL_MACHINE/Software, delete the folder Sircam
  • Restart your computer

More information about the virus



Last update on Thursday October 16, 2008 02:43:16 PM.This document entitled « The Sircam virus » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the licence, as this note appears clearly.
Best answers for « The Sircam virus » in :
Viruses - Introduction to viruses Show Virus A virus is a small computer program found within the body of another program which, when run, loads itself into the memory and carries out the instructions programmed by its author. The definition of a virus may be: « Any computer...
The LovSan/Blaster virus Show Introduction to the LovSan virus Appearing in the summer of 2003, LovSan (also known as W32/Lovsan.worm, W32/Lovsan.worm.b, W32.Blaster.Worm, W32/Blaster-B, WORM_MSBLAST.A, MSBLASTER, Win32.Poza, Win32.Posa.Worm, and Win32.Poza.B) is the first...
Utilities for Removing Common Viruses and Worms Show What is a virus removal tool? A virus removal tool is a small executable file for cleaning a machine which has been infected by a particular virus. Each removal tool is therefore uniquely capable of eradicating a particular kind of virus, or a...
[Virus] System Volume Information Show[Virus] System Volume Information The System Volume Information folder is used by Windows XP for storing data on system configuration and is also used by the System Restore tool to store information and restore points. Restore points...
How to remove the virus CONFICKER / DOWNADUP / KIDO? ShowHow to remove the virus CONFICKER / DOWNADUP / KIDO What is the Conficker? How to avoid being infected by Conficker? Disinfect a computer affected by Conficker Preliminary Remove infection What is the Conficker? Conficker (also...
How to remove "NewFolder.exe" virus? ShowHow to remove "NewFolder.exe" virus? Issue Solution Issue Newfolder.exe is a virus (Malicious folder) which real name is Iddono, appear everywhere in your hard-drive. Once it is executed, some malicious process will be started like...
Download Clean Virus MSN ShowViruses meet hereafter a bit on the net by all thinkable means everywhere. After mails , supporting they attack instantaneous freight forwarding. Clean Virus MSN is a tool which discerns automatically the viruses which circulate on MSN Messenger....
Download Clean Virus MSN Show
Download Kaspersky Anti-Virus for Mac Show
The Nimda virus ShowIntroduction to the Nimda virus Le Nimda virus (code name W32/Nimda) is a worm which spreads by email. It also has four other ways to spread: The web Shared folders Microsoft IIS security holes File transfer At particular risk are users of...
The Bad Trans virus ShowIntroduction to the BadTrans virus The BadTrans virus (code name W32.BadTrans.B or W32/Badtrans-B) is a worm which spreads by e-mail. It also uses another method to spread: Microsoft Internet Explorer security flaws The BadTrans.B virus...
They need your help