http://news.cnet.com/news/0-1003-200-6647394.html?tag=tp_pr
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1454000/1454155.stm
http://www.ananova.com/news/story/sm_358641.html?menu=news.technology

If found, here are the steps to remove the Sircam Worm:

The W32.Sircam.Worm@mm Fix tool deletes the files infected with the W32.Sircam.Worm@mm worm and removes the changes that were made to a computer by this virus.

NOTE: When the tool has finished running, you will see a message indicating whether the computer was infected by the W32.Sircam.Worm@mm worm. In the case of a removal of the worm, the program displays the following results:
- The total number of the scanned files.
- The number of deleted files.
- The number of registry keys that were fixed.

To obtain and run the tool:
1. Go to <http://www.symantec.com/avcenter/FixSirc.com>.
2. Download the Fixsirc.com file to a convenient location, such as your download folder or the Windows desktop.
3. Double-click the Fixsirc.com file to start the repair tool.
4. Click Start to begin the process, and then allow the tool to run.

What the tool does

The W32.Sircam.Worm@mm removal tool does the following:
1. It scans and deletes files infected with the W32.Sircam.Worm@mm worm.
2. The tool removes the following registry key: HKEY_LOCAL_MACHINE\Software\SirCam
3. In the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices it deletes the following value: Driver32
4. In the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command the tool modifies the [Default] value by setting it to: "%1" %*
5. The tool removes the line "@win \recycled\sirc32.exe" from the C:\Autoexec.bat file.

-----Original Message-----
From: borakovej [mailto:borakoveat_private]
Sent: Monday, July 23, 2001 4:29 PM
To: Tulchinskiy, Sasha; incidentsat_private
Subject: SIRCAM WORM?

Has anyone heard of the SirCam Worm????
----- Original Message -----
From: "Tulchinskiy, Sasha" <STulchinskiyat_private>
To: <incidentsat_private>
Sent: Friday, July 20, 2001 6:45 AM
Subject: RE: CodeRed

> BlackICE Agent for Servers reports it to ICECap console as
> Issue 2002608 "ISAPI extension overflow"
>
> Sasha.
>
> -----Original Message-----
> From: Ryan Russell [mailto:ryanat_private]
> Sent: Thursday, July 19, 2001 5:18 PM
> To: incidentsat_private
> Subject: CodeRed
>
>
> Here's a copy of CodeRed, as captured by my elite honeypot:
>
> nc -l -p 80 > c:\gotcha
>
> It's in a password protected .zip file, password is "worm" without the
> quotes. The zip file is only about 2K, so it shouldn't cause undue stress
> on anyone's mail server or client.
>
> There is a rule available for Snort:
> http://www.whitehats.com/info/IDS552
>
> BlackICE defender spotted this one as "Suspicious URL":
> 39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17,
> st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,
>
> And I'm not aware of other IDS' that catch this. (Though I'd like to be
> corrected if that's not the case.)
>
> Ryan
>
> ----------------------------------------------------------------------------
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com
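The "What the tool does" list above is effectively a set of host indicators: a worm-specific registry key, a RunServices persistence value, a hijacked default value under exefile\shell\open\command, and an appended Autoexec.bat line. The following script is an added example written for this archive, not the Symantec fix tool and not code from anyone in the thread. It checks those four indicators offline against text you have already collected (a `reg export` style .reg file and the contents of Autoexec.bat), so it can run from a forensic image or an artifact bundle rather than on the live host. The .reg parser handles only the subset of the format that `reg export` emits for string values; the sample inputs are constructed, and the exact value the worm writes for the exefile command is not stated in the thread, so the check simply flags any default that differs from the clean `"%1" %*`.

```python
"""Offline check for the SirCam host changes listed in the thread.

Added example: assumes you have a .reg export of the relevant keys and
the text of C:\\Autoexec.bat; it never touches the live registry.
"""
import re
from typing import Dict, List

# Indicators taken from the removal-tool description above.
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
RUNSERVICES_VALUE = "Driver32"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXEFILE_CLEAN_DEFAULT = '"%1" %*'
AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax produced by ``reg export``:
    [Key] headers, "name"="data" lines and @="data" for the default value.

    Returns {key: {value_name: data}}; the default value is stored under
    the name "@". Quoted string data is unquoted and its \\\\ and \\"
    escapes are undone. Non-string types (dword:, hex:) are kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def check_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per SirCam registry indicator that is present.
    Registry key and value names are case-insensitive, so compare lowered."""
    lowered = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in keys.items()}
    findings = []
    if SIRCAM_KEY.lower() in lowered:
        findings.append(f"worm key present: {SIRCAM_KEY}")
    runservices = lowered.get(RUNSERVICES_KEY.lower(), {})
    if RUNSERVICES_VALUE.lower() in runservices:
        findings.append(f"RunServices value {RUNSERVICES_VALUE} = "
                        f"{runservices[RUNSERVICES_VALUE.lower()]}")
    default = lowered.get(EXEFILE_KEY.lower(), {}).get("@")
    if default is not None and default != EXEFILE_CLEAN_DEFAULT:
        findings.append(f"exefile open command is not clean: {default}")
    return findings


def check_autoexec(text: str) -> List[str]:
    """Flag the line the worm appends to Autoexec.bat (case-insensitive,
    ignoring surrounding whitespace)."""
    return [f"autoexec.bat line {n}: {line.strip()}"
            for n, line in enumerate(text.splitlines(), 1)
            if line.strip().lower() == AUTOEXEC_LINE.lower()]


def scan(reg_text: str, autoexec_text: str) -> List[str]:
    """Combine both checks; an empty list means no indicator was found."""
    return check_registry(parse_reg_export(reg_text)) + check_autoexec(autoexec_text)


# Constructed sample inputs (not captured from a real host). The paths
# under the worm's values are placeholders, not the worm's real filenames.
SAMPLE_REG_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\SirCam]
"Example"="constructed"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\placeholder-worm.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\sirc32.exe\" \"%1\" %*"
'''

SAMPLE_REG_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

SAMPLE_AUTOEXEC_INFECTED = ("@ECHO OFF\r\nSET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
                            "@win \\recycled\\sirc32.exe\r\n")

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG_INFECTED, SAMPLE_AUTOEXEC_INFECTED):
        print(finding)
```

On a real case, produce the inputs with `reg export` for each of the three keys (concatenating the files is fine, the parser ignores the repeated header line) and read Autoexec.bat from the mounted volume; treat a non-empty result as a reason to run the vendor tool, not as a full cleaning.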
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 09:01:07 PDT