RE: SIRCAM WORM?

From: Tony Spurlin (tspurlinat_private)
Date: Tue Jul 24 2001 - 08:03:27 PDT

    http://news.cnet.com/news/0-1003-200-6647394.html?tag=tp_pr
    http://news.bbc.co.uk/hi/english/sci/tech/newsid_1454000/1454155.stm
    http://www.ananova.com/news/story/sm_358641.html?menu=news.technology
    
    If found, here are the steps to remove the Sircam Worm:
    The W32.Sircam.Worm@mm Fix tool deletes the files infected with the
    W32.Sircam.Worm@mm worm and removes the changes that were made to a
    computer by this virus. 
    NOTE: When the tool has finished running, you will see a message
    indicating whether the computer was infected by the W32.Sircam.Worm@mm
    worm. In the case of a removal of the worm, the program displays the
    following results: 
    The total number of the scanned files. 
    The number of deleted files. 
    The number of registry keys that were fixed.
    
    To obtain and run the tool: 
    1. Go to <http://www.symantec.com/avcenter/FixSirc.com>.
    2. Download the Fixsirc.com file to a convenient location, such as
    your download folder or the Windows desktop.
    3. Double-click the Fixsirc.com file to start the repair tool.
    4. Click Start to begin the process, and then allow the tool to run.
    
    What the tool does
    The W32.Sircam.Worm@mm removal tool does the following: 
    1. It scans and deletes files infected with the W32.Sircam.Worm@mm worm.
    
    2. The tool removes the following registry key:
    
    HKEY_LOCAL_MACHINE\Software\SirCam
    
    3. In the registry key
    
    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows\CurrentVersion\RunServices
    
    it deletes the following value:
    
    Driver32
    
    4. In the registry key
    
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    
    the tool modifies the [Default] value by setting it to:
    
    "%1" %*
    
    5. The tool removes the line "@win \recycled\sirc32.exe" from the
    C:\Autoexec.bat file.
    
    -----Original Message-----
    From: borakovej [mailto:borakoveat_private]
    Sent: Monday, July 23, 2001 4:29 PM
    To: Tulchinskiy, Sasha; incidentsat_private
    Subject: SIRCAM WORM? 
    
    
    Has anyone heard of the SirCam Worm????
    ----- Original Message -----
    From: "Tulchinskiy, Sasha" <STulchinskiyat_private>
    To: <incidentsat_private>
    Sent: Friday, July 20, 2001 6:45 AM
    Subject: RE: CodeRed
    
    
    > BlackICE Agent for Servers reports it to ICECap console as
    > Issue 2002608 "ISAPI extension overflow"
    >
    > Sasha.
    >
    > -----Original Message-----
    > From: Ryan Russell [mailto:ryanat_private]
    > Sent: Thursday, July 19, 2001 5:18 PM
    > To: incidentsat_private
    > Subject: CodeRed
    >
    >
    > Here's a copy of CodeRed, as captured by my elite honeypot:
    >
    > nc -l -p 80 > c:\gotcha
    >
    > It's in a password protected .zip file, password is "worm" without the
    > quotes.  The zip file is only about 2K, so it shouldn't cause undue stress
    > on anyone's mail server or client.
    >
    > There is a rule available for Snort:
    > http://www.whitehats.com/info/IDS552
    >
    > BlackICE defender spotted this one as "Suspicious URL":
    > 39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17,
    > st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,
    >
    > And I'm not aware of other IDS' that catch this.  (Though I'd like to be
    > corrected if that's not the case.)
    >
    > Ryan
    >
    >
    >
    > ----------------------------------------------------------------------------
    >
    >
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see:
    >
    > http://aris.securityfocus.com
    >
    >
    
    
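The removal steps quoted above amount to four host indicators (the SirCam registry key, the Driver32 RunServices value, a tampered exefile launcher, and the Autoexec.bat line) plus a fixed set of registry edits. The script below is an added example written for this archive page; it is not code from the original post, from the list, or from Symantec's FixSirc tool. It works offline on a registry export (.reg text as written by `regedit /e`) and a copy of Autoexec.bat, reports which indicators are present, emits the .reg text that undoes steps 2 to 4, and strips the Autoexec.bat line (step 5). It does not delete the worm's files (step 1). The two sample hosts, the benign RunServices entry, and the hijacked launcher string are constructed for illustration; the only values taken from the post are the key, value and file names listed in the removal steps.

```python
"""Offline triage for the W32.Sircam.Worm@mm indicators quoted above. Added
example, not code from the original post or Symantec's FixSirc tool: it parses
a registry export (.reg text, as written by `regedit /e`) plus Autoexec.bat,
reports which indicators are present, and builds the .reg text that undoes
steps 2-4. It does not delete infected files (step 1). Samples are constructed.
"""
import re

# Indicators taken from the removal steps quoted in the post.
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE_DEFAULT = '"%1" %*'
AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"

# One .reg value line: '@' is the (Default) value, otherwise a quoted name.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse .reg text into {key (lower-cased): {value name: data}}.
    String data is decoded; other types (dword:, hex:) are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def check_sircam(reg_text, autoexec_text):
    """Return {indicator: bool} for the four indicators the removal steps list."""
    reg = parse_reg_export(reg_text)
    run_services = reg.get(RUNSERVICES_KEY.lower(), {})
    exefile_default = reg.get(EXEFILE_KEY.lower(), {}).get("@")
    return {
        "sircam_key": SIRCAM_KEY.lower() in reg,
        "driver32_value": any(n.lower() == "driver32" for n in run_services),
        # Any launcher other than the stock "%1" %* routes every .exe start
        # through something else, so flag any deviation, not one known string.
        # A key missing from the export cannot be judged and is not flagged.
        "exefile_hijacked": exefile_default is not None
        and exefile_default.strip() != CLEAN_EXEFILE_DEFAULT,
        "autoexec_line": any(l.strip().lower() == AUTOEXEC_LINE.lower()
                             for l in autoexec_text.splitlines()),
    }


def registry_fix():
    """Steps 2-4 as importable .reg text: [-key] deletes a key, "name"=-
    deletes a value, and the exefile (Default) launcher is restored."""
    return "\r\n".join([
        "Windows Registry Editor Version 5.00", "",
        "[-" + SIRCAM_KEY + "]", "",
        "[" + RUNSERVICES_KEY + "]", '"Driver32"=-', "",
        "[" + EXEFILE_KEY + "]", '@="\\"%1\\" %*"', "",
    ])


def clean_autoexec(autoexec_text):
    """Step 5: drop the Autoexec.bat line that launches sirc32.exe."""
    return "".join(l for l in autoexec_text.splitlines(keepends=True)
                   if l.strip().lower() != AUTOEXEC_LINE.lower())


# Constructed samples: one infected host, one clean host.
INFECTED_REG = r'''[HKEY_LOCAL_MACHINE\Software\SirCam]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\recycled\\sirc32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"
'''
CLEAN_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED_AUTOEXEC = "@echo off\r\nSET PATH=C:\\WINDOWS\r\n@win \\recycled\\sirc32.exe\r\n"
CLEAN_AUTOEXEC = "@echo off\r\nSET PATH=C:\\WINDOWS\r\n"
```

Two practical points the steps imply but do not spell out. First, the exefile check flags any launcher other than "%1" %*, because once exefile\shell\open\command points somewhere else every .exe the user starts passes through that program; a removal tool shipped as a .com file is dispatched through the comfile class rather than exefile, so it is not caught by that hijack. Second, importing the fix text from registry_fix() with regedit restores the registry before the worm's files are removed, so the file cleanup (step 1) still has to be done separately.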
    



    This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 09:01:07 PDT