Original release date: July 25, 2001<BR>
Last revised: August 23, 2001<br>

Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected"></a>
<H3>Systems Affected</H3>

<ul>
<li>Microsoft Windows (all versions)</li>
</ul>

<A NAME="overview"></a>
<H2>Overview</H2> 

<P>"W32/Sircam" is malicious code that spreads through email
and potentially through unprotected network shares.  Once the malicious
code has been executed on a system, it may reveal or delete sensitive
information.
<P>
As of 10:00EDT(GMT-4) Jul 25, 2001 the CERT/CC has received reports
of W32/Sircam from over 300 individual sites.

<A NAME="description"></a>
<H2>I. Description</H2>

<P>W32/Sircam can infect a machine in one of two ways:</P>

<UL>
<li>When executed by opening an email attachment containing the
malicious code</li> 

<li>By copying itself into unprotected network shares</li>
</UL>

<h4>Propagation Via Email</h4>

<p>The virus can appear in an email message written in either English
or Spanish with a seemingly random subject line.  All known versions
of W32/Sircam use the following format in the body of the
message:</p>

<table border=0>
<tr><td align="center">English</td><td align="center">Spanish</td></tr>
<tr><td>
<pre>
       Hi! How are you?
       <i>[middle line]</i>
       See you later. Thanks
</pre>
</td>
<td>
<pre>
       Hola como estas ?
       <i>[middle line]</i>
       Nos vemos pronto, gracias.
</pre>
</td>
</tr>
</table>

<p>Where <font face="Courier New"><i>[middle line]</i></font> is one of the following:</p>


<table border=0>
<tr><td align="center">English</td></tr>

<tr><td>
<pre>
I send you this file in order to have your advice
I hope you like the file that I sendo you
I hope you can help me with this file that I send
This is the file with the information you ask for
</pre>
</td></tr>

<tr><td align="center">Spanish</td></tr>

<tr><td>
<pre>
Te mando este archivo para que me des tu punto de vista
Espero te guste este archivo que te mando
Espero me puedas ayudar con el archivo que te mando
Este es el archivo con la informacion que me pediste
</pre>
</td></tr>
</table>

<P>Users who receive copies of the malicious code through electronic mail
might recognize the sender. We encourage users to avoid opening
attachments received through electronic mail, regardless of the
sender's name, without prior knowledge of the origin of the file or a
valid digital signature.</p>

<p>The email message will contain an attachment whose name matches the subject line and has a double
file extension (e.g.  <font face="Courier New">subject.ZIP.BAT</font> or 
<font face="Courier New">subject.DOC.EXE</font>).  The CERT/CC has confirmed
reports that the first extension may be 
<font face="Courier New">.DOC</font>, <font face="Courier New">.XLS</font>, or 
<font face="Courier New">.ZIP</font>. Anti-virus vendors have referred to
additional extensions, including <font face="Courier New">.GIF</font>, <font face="Courier New">.JPG</font>, 
<font face="Courier New">.JPEG</font>, <font face="Courier New">.MPEG</font>, 
<font face="Courier New">.MOV</font>, <font face="Courier New">.MPG</font>, 
<font face="Courier New">.PDF</font>, <font face="Courier New">.PNG</font>, and 
<font face="Courier New">.PS</font>.  The second extension will be  
<font face="Courier New">.EXE</font>,  <font face="Courier New">.COM</font>,  
<font face="Courier New">.BAT</font>, <font face="Courier New">.PIF</font>, 
or  <font face="Courier New">.LNK</font>.  The attached file contains both the 
malicious code and the contents of a file copied from an infected system.</p>

<p>When the attachment is opened, the copied file is extracted to
both the <font face="Courier New">%TEMP%</font> folder (usually 
<font face="Courier New">C:\WINDOWS\TEMP</font>) and the 
<font face="Courier New">Recycled</font> folder on
the affected system.  The original file is then opened using the
appropriate default viewer while the infection process continues in
the background.</p>

<p>It is possible for the recipient to be tricked into opening this
malicious attachment since the file will appear without the 
<FONT FACE="COURIER NEW">.EXE</FONT>, 
<FONT FACE="COURIER NEW">.BAT</FONT>,  <FONT FACE="COURIER NEW">.COM</FONT>,
<FONT FACE="COURIER NEW">.LNK</FONT>, or 
<FONT FACE="COURIER NEW">.PIF</FONT> extensions if the "Hide file extensions 
for known file types" option is enabled in Windows.  See <a
href="http://www.cert.org/incident_notes/IN-2000-07.html">IN-2000-07</a>
for additional information on the exploitation of hidden file
extensions.</p>

<p>W32/Sircam includes its own SMTP client capabilities, which it uses to
propagate via email.  It determines its recipient list by recursively searching
for email addresses contained in all <font face="Courier New">*.wab</font> (Windows Address Book)
files in the <font face="Courier New">%SYSTEM%</font> folder.
Additionally, it searches the folders referred to by 

<dl><dd>
<font face="Courier New">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache</font> </dd>
</dl>

for files containing email addresses.  All addresses found are stored
in <font face="Courier New">SC??.DLL</font> or 
<font face="Courier New">S??.DLL</font> files hidden in the 
<font face="Courier New">%SYSTEM%</font> folder.</p>

<p>W32/Sircam first attempts to send messages using the default email
settings for the current user.  If the default settings are not
present, it appears to use one of the following SMTP relays:</p>

<ul>
<li><font face="Courier New">prodigy.net.mx</font>
<LI>NetBIOS name for '<font face="Courier New">MAIL</font>'
<li><font face="Courier New">mail.&lt;defaultdomain&gt;</font> 
(e.g., <font face="Courier New">mail.example.org</font>)
<li><font face="Courier New">dobleclick.com.mx</font>
<li><font face="Courier New">enlace.net</font>
<li><font face="Courier New">goeke.net</font>
</ul>

<h4>Propagation Via Network Shares</h4>

<p>In addition to email-based propagation, analysis by anti-virus
vendors suggests that W32/Sircam can spread through unprotected network
shares.  Unlike the email propagation method, which requires a user
to open an attachment to infect the machine, propagation of W32/Sircam
via network shares requires no human intervention.</p>

<p>If W32/Sircam detects Windows networking shares with write access,
it</p>

<ol>

<li>copies itself to <font face="Courier New">\\[share]\Recycled\SirC32.EXE</font>
</li>

<li>appends "<font face="Courier New">@ win\Recycled\SirC32.exe</font>" to <font face="Courier New">AUTOEXEC.BAT</font></li>

</ol>
<p>If the share contains
a <font face="Courier New">Windows</font> folder, it also</p>
<ol start="3"> 

<li>copies <font face="Courier New">\\[share]\Windows\rundll32.exe</font> to
     <font face="Courier New">\\[share]\Windows\run32.exe</font></li>

<li>copies itself to <font face="Courier New">\\[share]\Windows\rundll32.exe</font></li>

<li>when the virus is executed from <font face="Courier New">rundll32.exe</font>, it calls 
     <font face="Courier New">run32.exe</font></li>

</ol>


<h4>Infection process</h4>

<ol>
<li>When installed on a victim machine, W32/Sircam installs a copy of
itself in two hidden files:

<ul>
<li><font face="Courier New">%SYSTEM%\SCam32.exe</font></li>
<li><font face="Courier New">Recycled\SirC32.exe</font></li>
</ul>

<P>Installing in <font face="Courier New">Recycled</font> may hide it
from anti-virus software since some do not check this folder by
default.</p>

<p>Based on external analyses, there is also a probability that W32/Sircam will
copy itself to the <font face="Courier New">%SYSTEM%</font> folder as <font face="Courier New">ScMx32.exe</font>.  In that case,
another copy is created in the folder referred to by
<font face="Courier New">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders\Startup</font> (the current user's personal startup folder).  The
copy created in that location is named <font face="Courier New">Microsoft Internet
Office.exe</font>. When the affected user next logs in, this copy of
W32/Sircam will be started automatically.</p>
</li>

<p>
<li>The registry entry 
<font face="Courier New">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32</font>
is set to <font face="Courier New">%SYSTEM%\SCam32.exe</font> so that
W32/Sircam will run automatically at system startup.</li>

<p>
<li>The registry entry 
<font face="Courier New">HKEY_CLASSES_ROOT\exefile\shell\open\command</font> is set to
<font face="Courier New">"C:\Recycled\SirC32.exe" "%1" %*"</font>, causing W32/Sircam to execute
whenever another executable is run.</li>

<p>
<li>A new registry entry, <font face="Courier New">HKEY_LOCAL_MACHINE\Software\SirCam</font>, is created to store
data required by W32/Sircam during execution.</li>

<p>
<li>W32/Sircam searches for filenames with  <font face="Courier New">.DOC</font>,  <font face="Courier New">.XLS</font>,  <font face="Courier New">.ZIP</font>
extensions in the folders referred to by 

<p>
<DL><DD>
<font face="Courier New">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders\Personal</font>
</dd>
<p>
<DD>
<font face="Courier New">
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop</font></dd>
</DL>

<p>While the personal folder may vary with configuration, it is often set
to <font face="Courier New">\My Documents</font> or <font face="Courier New">\Windows\Profiles\%username%\Personal</font>.  A list of these files is stored in
<font face="Courier New">%SYSTEM%\scd.dll</font>.
</li>

<p>
<li>W32/Sircam attaches its own binary to selected files it
finds and stores the combined file in the <font face="Courier New">Recycled</font> folder.
</li>

</ol>
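<p>As an added example (not part of the original advisory), the following Python script checks a host snapshot for the indicators described in the infection process and network-share sections above: the hijacked <font face="Courier New">exefile\shell\open\command</font> handler, a <font face="Courier New">RunServices</font> entry that points at a known worm file name or into a <font face="Courier New">Recycled</font> folder, the <font face="Courier New">HKEY_LOCAL_MACHINE\Software\SirCam</font> key, the dropped file names, and the line appended to <font face="Courier New">AUTOEXEC.BAT</font>. The snapshot format (a mapping of registry value paths to data, a mapping of file paths to their hidden attribute, and the text of <font face="Courier New">AUTOEXEC.BAT</font>), both sample snapshots, and the <font face="Courier New">FB1B</font> value name are constructed for the example; the <font face="Courier New">%SYSTEM%</font> location is not assumed, so file names are matched wherever they appear. The handler check generalizes beyond this worm: any <font face="Courier New">exefile</font> open command other than <font face="Courier New">"%1" %*</font> is reported.</p>

```python
import fnmatch
import ntpath

# Registry locations named in the advisory, and the stock .exe launch command.
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
EXEFILE_COMMAND_VALUE = r"HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default)"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
STOCK_EXEFILE_COMMAND = '"%1" %*'   # the target itself plus its arguments, nothing else

# (file-name pattern, must be hidden, meaning).  Wildcard patterns count only for hidden
# files, as the advisory describes them; otherwise "s??.dll" would flag ordinary libraries.
FILE_PATTERNS = [
    ("scam32.exe", False, "worm copy registered under RunServices"),
    ("sirc32.exe", False, "worm copy dropped in Recycled"),
    ("scmx32.exe", False, "alternate worm copy"),
    ("microsoft internet office.exe", False, "worm copy in the user's Startup folder"),
    ("scd.dll", False, "list of harvested document names"),
    ("sircam.sys", False, "disk-filling payload file"),
    ("sc??.dll", True, "harvested email addresses"),
    ("s??.dll", True, "harvested email addresses"),
]
AUTOEXEC_MARKER = r"@ win\Recycled\SirC32.exe"   # line appended on writable shares


def exefile_handler_hijacked(command):
    """True when anything other than the bare target handles .exe launches."""
    return command.strip() != STOCK_EXEFILE_COMMAND


def match_file_name(name, hidden):
    """Return the meaning of the first pattern matching a file name, or None."""
    for pattern, needs_hidden, meaning in FILE_PATTERNS:
        if (hidden or not needs_hidden) and fnmatch.fnmatchcase(name.lower(), pattern):
            return meaning
    return None


def check_host(snapshot):
    """Return human-readable findings for one host snapshot (empty list if clean)."""
    findings = []
    registry = snapshot.get("registry", {})
    command = registry.get(EXEFILE_COMMAND_VALUE)
    if command is not None and exefile_handler_hijacked(command):
        findings.append(f"exefile open handler hijacked: {command}")
    for value_path, data in registry.items():
        if value_path.lower().startswith(RUNSERVICES_KEY.lower() + "\\"):
            # Autostart targets are judged by name, or by living in a Recycled folder.
            target = str(data)
            if match_file_name(ntpath.basename(target), True) or "\\recycled\\" in target.lower():
                findings.append(f"suspicious autostart {value_path} -> {target}")
        elif value_path.lower().startswith(SIRCAM_KEY.lower()):
            findings.append(f"worm state key present: {value_path}")
    for path, attrs in snapshot.get("files", {}).items():
        meaning = match_file_name(ntpath.basename(path), attrs.get("hidden", False))
        if meaning:
            findings.append(f"{path}: {meaning}")
    for line in snapshot.get("autoexec", "").splitlines():
        if AUTOEXEC_MARKER.lower() in line.lower():
            findings.append(f"AUTOEXEC.BAT launches worm copy: {line.strip()}")
    return findings


# Constructed host snapshots for the example (not captured from a real machine).
INFECTED_SNAPSHOT = {
    "registry": {
        RUNSERVICES_KEY + r"\Driver32": r"C:\WINDOWS\SYSTEM\SCam32.exe",
        EXEFILE_COMMAND_VALUE: r'"C:\Recycled\SirC32.exe" "%1" %*',
        SIRCAM_KEY + r"\FB1B": "1",  # value name made up for the example
    },
    "files": {
        r"C:\WINDOWS\SYSTEM\SCam32.exe": {"hidden": True},
        r"C:\Recycled\SirC32.exe": {"hidden": True},
        r"C:\WINDOWS\SYSTEM\scd.dll": {"hidden": True},
        r"C:\WINDOWS\SYSTEM\sc1a.dll": {"hidden": True},
        r"C:\WINDOWS\SYSTEM\sfc.dll": {"hidden": False},  # legitimate, must not be flagged
    },
    "autoexec": "@ECHO OFF\r\n@ win\\Recycled\\SirC32.exe\r\n",
}
CLEAN_SNAPSHOT = {
    "registry": {
        RUNSERVICES_KEY + r"\ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
        EXEFILE_COMMAND_VALUE: '"%1" %*',
    },
    "files": {r"C:\WINDOWS\SYSTEM\sfc.dll": {"hidden": False}, r"C:\Recycled\INFO2": {"hidden": True}},
    "autoexec": "@ECHO OFF\r\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n",
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        print(label, check_host(snap))
```

<p>The script runs offline on the constructed snapshots; building a snapshot on a live Windows host is left to the reader (the standard-library <font face="Courier New">winreg</font> module can read the registry values). Requiring the hidden attribute for the two-letter and three-letter <font face="Courier New">.DLL</font> patterns is deliberate: without it the checker would report legitimate system libraries.</p>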

<A NAME="impact"></a>
<H2>II. Impact</H2>

<P>W32/Sircam has a direct impact both on the infected computer and on the
computers with which it communicates over email.</P>

<UL>
<P>
<LI><B>Breaches of confidentiality</B>: The malicious code will at a
minimum search through select folders and mail potentially sensitive
files. This form of attack is extremely serious since it is one from
which it is impossible to recover.  Once a file has been publicly
distributed, any potentially sensitive information in it cannot be
retracted.
</LI>

<P>
<LI><B>Limit Availability (Denial of Service)</B>
<P>
<UL>
<LI><B>Fill entire hard drive:</B> Based on external analyses, on any
given day, there is a probability that it will create a file named
<font face="Courier New">C:\Recycled\sircam.sys</font> which consumes all free space on
the <font face="Courier New">C:</font> drive.  A full disk will prevent users from saving
files to that drive, and in certain configurations impede system-level
tasks (e.g., swapping, printing).
<P>
<LI><B>Propagation via mass emailing:</B> W32/Sircam will attempt
to propagate by sending itself through email to addresses obtained as described above.
This propagation can lead to congestion in mail
servers that may prevent them from functioning as expected.
       
<P>
NOTE: Since W32/Sircam uses native SMTP routines connecting to pre-defined
mail servers, propagation is independent of the mail client software
used.



</UL>
<P>
<LI><B>Loss of Integrity:</B> Published reports indicate that on
October 16 there is a reasonable probability that W32/Sircam will
attempt to recursively delete all files from the drive on which
Windows is installed (typically <font face="Courier New">C:</font>).

</UL>


<A NAME="solution"></a>
<H2>III. Solution</H2>

<H4>Run and Maintain an Anti-Virus Product</H4>

<P>It is important for users to update their anti-virus software.
Most anti-virus software vendors have released updated information,
tools, or virus databases to help detect and partially recover from 
this malicious code.  A
list of vendor-specific anti-virus information can be found in <A
HREF="#vendors">Appendix A</A>.

<P>
Many anti-virus packages support automatic updates of virus definitions. 
We recommend using these automatic updates when available.

<H4>Exercise Caution When Opening Attachments</H4>

<P>Exercise caution when receiving email with attachments.  
Users should never open attachments from an untrusted
origin, or ones that appear suspicious in any way.  Finally, 
cryptographic checksums should also be used to validate the
integrity of the file.

<P>
The effects of this class of malicious code are
activated only when the file in question is executed. Social
engineering is typically employed to trick a recipient into executing
the malicious file. The best advice with regard to malicious files is 
to avoid executing them in the first place. The following tech tip
offers suggestions as to how to avoid them:

<P>
<DL><DD>
<A HREF="http://www.cert.org/tech_tips/virusprotection.html">
Protecting yourself from Email-borne Viruses and Other Malicious Code During Y2K and Beyond</A> 
</dl>

<H4>Filter the Email or use a Firewall</H4>

<P>Sites can use email filtering techniques to delete messages
containing subject lines known to contain the malicious code, or they can filter 
all attachments.
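<p>As an added example (not part of the original advisory), the following Python code implements the first filtering option described here using the message characteristics given in Section I: it recognizes the fixed first and last lines of the English and Spanish message bodies, classifies attachments whose name ends in <font face="Courier New">.EXE</font>, <font face="Courier New">.COM</font>, <font face="Courier New">.BAT</font>, <font face="Courier New">.PIF</font>, or <font face="Courier New">.LNK</font> (and notes when a document extension precedes it, the form this worm uses), and reports when the attachment name matches the subject line. It goes slightly beyond the advisory by also reporting executable attachments without a double extension. It uses only the standard-library <font face="Courier New">email</font> package; the two sample messages are constructed for the example, not captured traffic, and the base64 attachment payload is a placeholder string, not worm code.</p>

```python
import email
from email import policy

# Extensions the advisory lists.  Only the last extension decides whether
# Windows will run the attachment; the one before it is camouflage.
DOCUMENT_EXTS = {"doc", "xls", "zip", "gif", "jpg", "jpeg", "mpeg", "mov",
                 "mpg", "pdf", "png", "ps"}
EXECUTABLE_EXTS = {"exe", "com", "bat", "pif", "lnk"}

# Fixed first and last body lines of the English and Spanish variants.
BODY_TEMPLATES = [
    ("Hi! How are you?", "See you later. Thanks"),
    ("Hola como estas ?", "Nos vemos pronto, gracias."),
]


def attachment_risk(filename):
    """Classify an attachment name: "disguised executable" for the document-
    extension-then-executable form this worm uses, "executable" for any other
    name ending in an executable extension, None otherwise.  Case-insensitive,
    as Windows is."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTS:
        return "disguised executable"
    return "executable"


def body_matches_template(text):
    """True when the non-blank body lines are exactly the three-line pattern."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return len(lines) == 3 and any(
        lines[0] == first and lines[2] == last for first, last in BODY_TEMPLATES)


def scan_message(raw):
    """Return the reasons a message looks like W32/Sircam (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body_matches_template(body.get_content()):
        findings.append("body matches the W32/Sircam template")
    subject = (msg["Subject"] or "").strip().lower()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        risk = attachment_risk(name)
        if risk:
            findings.append(f"{risk} attachment: {name}")
            # The worm names the attachment after the subject line.
            if subject and name.split(".", 1)[0].lower() == subject:
                findings.append("attachment name matches the subject line")
    return findings


# Constructed sample messages (not captured traffic).  The attachment payload
# is the base64 of a placeholder string, not a real binary.
SIRCAM_LIKE = """\
From: colleague@example.org
To: you@example.org
Subject: Budget
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
--b1
Content-Type: application/octet-stream; name="Budget.DOC.EXE"
Content-Disposition: attachment; filename="Budget.DOC.EXE"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""

ORDINARY = """\
From: colleague@example.org
To: you@example.org
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Hi! How are you?
Want to get lunch tomorrow?
"""

if __name__ == "__main__":
    for label, raw in (("sircam-like", SIRCAM_LIKE), ("ordinary", ORDINARY)):
        print(label, scan_message(raw))
```

<p>Quarantining any message for which <font face="Courier New">scan_message</font> returns a non-empty list implements the first option; sites that choose the second option (filtering all attachments) need only the attachment classification and can ignore the body check. The body check is exact on the first and last lines because all known versions use that format, but a filter should not rely on it alone, since the attachment name is the more durable indicator.</p>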

<P>Likewise, a firewall or border router can be used to stop the
W32/Sircam outbound SMTP connections to mail servers outside of
the local network.  This filtering strategy will prevent further
propagation of the worm from a particular host when the local mail
configuration is not used.

<A NAME="vendors"></a>
<H2>Appendix A. - Vendor Information</H2>

<h3>Aladdin Knowledge Systems</h3>
<DL><DD>
<a href="http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10068">http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10068</a>
</DL>
<h3>Central Command, Inc.</h3>
<DL><DD>
<a href="http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010718-000010">http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010718-000010</a>
</DL>
<h3>Command Software Systems</h3>
<DL><DD>
<a href="http://www.commandsoftware.com/virus/sircam.html">http://www.commandsoftware.com/virus/sircam.html</a>
</DL>
<h3>Computer Associates</h3>
<dl><dd>
<a href="http://www.cai.com/virusinfo/encyclopedia/descriptions/s/sircam137216.htm">http://www.cai.com/virusinfo/encyclopedia/descriptions/s/sircam137216.htm</a>
</DL>
<h3>Data Fellows Corp</h3>
<DL><DD>
<a href="http://www.datafellows.com/v-descs/sircam.shtml"> http://www.datafellows.com/v-descs/sircam.shtml</a>
</DL>
<h3>McAfee</h3>
<DL><DD>
<a href="http://vil.mcafee.com/dispVirus.asp?virus_k=99141&">http://vil.mcafee.com/dispVirus.asp?virus_k=99141&</a>
</DL>
<h3>Norman Data Defense Systems</h3>
<DL><DD>
<a href="http://www.norman.com/virus_info/w32_sircam.shtml">http://www.norman.com/virus_info/w32_sircam.shtml</a>
</DL>
<h3>Panda Software</h3>
<DL><DD>
<a href="http://www.pandasoftware.es/vernoticia.asp?noticia=987">http://www.pandasoftware.es/vernoticia.asp?noticia=987</a>
</DL>
<h3>Proland Software</h3>
<DL><DD>
<a href="http://www.pspl.com/virus_info/worms/sircam.htm">http://www.pspl.com/virus_info/worms/sircam.htm</a>
</DL>
<h3>Sophos</h3>
<dl><DD>
<a href="http://www.sophos.com/virusinfo/analyses/w32sircama.html">http://www.sophos.com/virusinfo/analyses/w32sircama.html</a>
</DL>
<h3>Symantec</h3>
<DL><DD>
<a href="http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html">http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html</a>
</dl>
<h3>Trend Micro</h3>
<dl><DD>
<a href="http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A">http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A</a>
</DL>

<p>
You may wish to visit the CERT/CC's Computer Virus Resources Page located at:
</p>
<BLOCKQUOTE>
<A HREF="http://www.cert.org/other_sources/viruses.html">http://www.cert.org/other_sources/viruses.html</A>
</BLOCKQUOTE>

<HR NOSHADE>

Authors: <A HREF="mailto:cert@cert.org?subject=CA-2001-22%20Feedback">Roman Danyliw, Chad Dougherty, Allen Householder</a>



<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
Jul 25, 2001: Initial release
Jul 25, 2001: The virus does NOT search the Desktop registry key for address books.  Additionally, correct EST to EDT.
Aug 23, 2001: Updated contact information
</PRE>