Flux rss
Reviews

The Sircam virus

Introduction to the Sircam virus

The Sircam virus (code name W32.Sircam.Worm@mm, Backdoor.SirCam or Troj_Sircam.a) is a worm which spreads by email. At particular risk are users of Microsoft Outlook in Windows 95, 98, Millenium, and 2000.

What the virus does

The Sircam worm randomly selects a document (with the extension .gif, .jpg, .mpg, .jpeg, .mpeg, .mov, .pdf, .png, .ps or .zip) found in the directory c:\My Documents\ on the infected computer, then automatically sends an email whose subject is the name of that document, and whose body is one of the two following messages:

  • In English: 
    "Hi! How are you?
    I send you this file in order to have your advice
    See you later. Thanks"
    "Hi! How are you?
I hope you can help me with this file that I send
See you later. Thanks"
    "Hi! How are you?
I hope you like the file that I send to you
See you later. Thanks"
  • Or in Spanish: 
    "Hola como estas ?
    Te mando este archivo para que me des tu punto de vista
    Nos vemos pronto, gracias."
The Sircam virus attaches a copy of itself whose name is that of the file found on the user's hard drive, with a double .vbs as its file extension.

The Sircam worm also may delete all files on your hard drive on 16 October of each year if your computer uses the European date format (day/month/year).

Sircam also adds text to the file c:\recycled\sircam.sys each time your machine is restarted, which may potentially fill up available space on the C:\ drive.

Symptoms of infection

Infected machines have the following files on their hard drives:

  • Sirc32.exe
  • Sircam.sys
  • Run32.exe

To check if you are infected, do a search for the files named above on all of your hard drives (Start / Search / For Files or Folders...).

Eradicating the virus

To eradicate the Sircam worm, the best method involves using an up-to-date antivirus software, or the virus removal tool offered by Symantec:
Download the virus removal tool

You can also remove the virus manually by following these steps:

  • Delete the files Sirc32.exe and Sircam.sys
  • Delete the file c:\windows\Runddl32.exe
  • Rename the file c:\windows\Run32.exe to c:\windows\Rundll32.exe
  • Edit the file c:\autoexec.bat  and delete the following sequence: @win \recycled\sirc32.exe
  • In the registry (which can be modified by running c:\windows\regedit.exe)
    • In HKEY_CLASSES_ROOT/exefile/shell/open/command, edit the string (by double-clicking on Default) and entering the following string: 
      "%1" %*
    • In HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunServices, delete the key Driver32=C:\WINDOWS\SYSTEM\SCam32.exe
    • In HKEY_LOCAL_MACHINE/Software, delete the folder Sircam
  • Restart your computer

More information about the virus



Last update on Thursday October 16, 2008 02:43:16 PM.
This document entitled « The Sircam virus » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the licence, as this note appears clearly.

Results for The Sircam virus

Viruses - Introduction to viruses A virus is a small computer program found within the body of another program which, when run, loads itself into the memory and carries out the instructions programmed by its author. The definition of a virus may be: « Any computer program which can... en.kioskea.net/virus/virus.php3
Viruses - Blaster / LovSan Appearing in the summer of 2003, LovSan (also known as W32/Lovsan.worm, W32/Lovsan.worm.b, W32.Blaster.Worm, W32/Blaster-B, WORM_MSBLAST.A, MSBLASTER, Win32.Poza, Win32.Posa.Worm, and Win32.Poza.B) is the first virus to exploit the security hole in... en.kioskea.net/virus/lovsan-blaster.php3
Viruses - Worms A worm is a self-reproducing program which can travel over networks using networking mechanisms, without requiring any software or hardware support (such as a hard drive, a host program, a file, etc.) to spread; a worm is therefore a network virus. ... en.kioskea.net/virus/worms.php3

Results for The Sircam virus

The First Steps to Virus/Spyware/Adware RemovalThe First Steps to Virus/Spyware/Adware Removal Step 1: Delete Temporary Files How to delete Temporary Files? How to delete Temporary Internet Files? Step 2: Get a good all in one Antivirus/Anti Spyware/ Anti Adware... en.kioskea.net/faq/sujet-205-the-first-steps-to-virus-spyware-adware-removal
MSN/ Windows Live Messenger virusesMSN/ Windows Live Messenger viruses How do I know if this is a virus and not a file sent by one of my contacts? What do I do if I accepted the file? To remove ‘IM-Names’ and PIC1234(1)(1)(1)(1)(1).exe virus Even MSN/WLM program... en.kioskea.net/faq/sujet-151-msn-windows-live-messenger-viruses
A Jpeg file can contain a virus?A Jpeg file can contain a virus? Truth: Links: ==Myth:== A Jpeg file can contain a viru Truth: A JPEG is a file can get infected. However, in order to activate the virus, the file must be run. As the JPEG file is an image file, it... en.kioskea.net/faq/sujet-384-a-jpeg-file-can-contain-a-virus
More answers

Results for The Sircam virus

Wich anti-virus (Solved)Hello, iam suffering please help me i want a good Anti virus en.kioskea.net/forum/affich-3841-wich-anti-virus
Best Anti Virus/ Firewall (Solved)Hello guys! I was wondering what you all thought was the best anti virus and firewall? What I mean is what has the best protection and uses the least amount of resources? Thanks in advance.... en.kioskea.net/forum/affich-1104-best-anti-virus-firewall
Unable to install Anti-virus and awtqo.dll foHi, I need help in my computer which I am unable to complete the installation of Anti-virus. Everytime I on the computer, SpyGuard will pop up and said detected 'awtqo.dll'. If I choose remove BHO, it will still pop-up again. I've... en.kioskea.net/forum/affich-1025-unable-to-install-anti-virus-and-awtqo-dll-fo
More answers

Results for The Sircam virus

Download AVG Anti-Virus FreeAVG Antivirus free is an free antivirus : Easy to use, low system resource Automatic update functionality Real-time protection as files are opened and programs are run Full e-mail protection AVG’s Virus Vault for the safe handling of... en.kioskea.net/telecharger/telecharger-64-avg-anti-virus-free
Download Clean Virus MSNViruses meet hereafter a bit on the net by all thinkable means everywhere. After mails , supporting they attack instantaneous freight forwarding. Clean Virus MSN is a tool which discerns automatically the viruses which circulate on MSN Messenger.... en.kioskea.net/telecharger/telecharger-992-clean-virus-msn
Download Clean Virus MSNThe viruses meet henceforth a little everywhere on the Net by all the conceivable means. After the emails virus diseases, now they attack with the instant messaging. Clean Virus MSN is a tool which automatically detects the viruses which circulate on... en.kioskea.net/telecharger/telecharger-1438-clean-virus-msn
More answers

Results for The Sircam virus

Phone viruses to spread as telecom, computer worlds merge, say expertsTwo people talk on their mobile phones in Hong Kong. Viruses and hacking on mobile phones are still rare but attacks are a looming danger as increasing numbers of people access the Internet and download files with their handsets, experts say. Viruses... en.kioskea.net/actualites/phone-viruses-to-spread-as-telecom-computer-worlds-merge-say-experts-10118-actualite.php3
Mobile phone viruses are rare, but concern high: surveyTwo people talk on their mobile phones in Hong Kong, 2002. A survey showed that viruses on mobile phones are still rare but nearly three-quarters of mobile phone users in developed countries are worried about security on their handsets. Viruses on... en.kioskea.net/actualites/mobile-phone-viruses-are-rare-but-concern-high-survey-10105-actualite.php3
Pro-Tibet groups bombarded with abusive calls, virusesTibetan demonstrators protest in front of the EU headquarter in Brussels on March 18. Pro-Tibet activists said Wednesday they have been bombarded with abusive phone calls and virus emails as they try to contact witnesses in Tibet and nearby amid a... en.kioskea.net/actualites/pro-tibet-groups-bombarded-with-abusive-calls-viruses-10215-actualite.php3
More answers

Results for The Sircam virus

Viruses - Removal tools A virus removal tool is a small executable file for cleaning a machine which has been infected by a particular virus. Each removal tool is therefore uniquely capable of eradicating a particular kind of virus, or a particular version of a virus. The... en.kioskea.net/virus/desinfection.php3
Viruses - Sasser Appearing in May 2004, the Sasser virus (also known as the W32/Sasser.worm, W32.Sasser.Worm, Worm.Win32.Sasser.a, Worm.Win32.Sasser.b or Win32.Sasser) is a virus which exploits a security hole in the LSASS (Local Security Authority Subsystem Service,... en.kioskea.net/virus/sasser.php3
Viruses - Nimda Le Nimda virus (code name W32/Nimda) is a worm which spreads by email. It also has four other ways to spread: The web Shared folders Microsoft IIS security holes File transfer At particular risk are users of Microsoft Outlook in Windows 95, 98,... en.kioskea.net/virus/nimda.php3
More answers