Sircam
Originally Spotted 24/07/01
E-Mail Message Received (please note that individual mails may differ slightly)
Subject: [Random] (may be the same as the name of the enclosed file)
Body:
The first line is always:
Hi! How are you?
It then inserts one of the following lines:
- I send you this file in order to have your advice
- I hope you can help me with this file that I send
- I hope you like the file that I sendo you
- This is the file with the information that you ask for
And the last line is always:
See you later. Thanks
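The message template above is rigid enough to be matched by a mail filter. The following Python is an added example, not part of the original write-up: it parses a raw message, looks for the fixed first and last lines, one of the template lines, and a subject equal to the attachment's base name (the traits listed above), and only reports a match when both fixed lines plus at least one more trait are present, to limit false positives on ordinary mail. The two sample messages, their addresses and the attachment bytes are constructed here for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Message template as described above: one of MIDDLE_LINES is chosen per mail,
# the first and last lines never change.
FIRST_LINE = "Hi! How are you?"
MIDDLE_LINES = {
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I sendo you",
    "This is the file with the information that you ask for",
}
LAST_LINE = "See you later. Thanks"


def sircam_indicators(raw: bytes) -> list:
    """Return the Sircam traits present in a raw RFC 822 message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0] == FIRST_LINE:
        findings.append("fixed greeting line")
    if lines and lines[-1] == LAST_LINE:
        findings.append("fixed closing line")
    if any(ln in MIDDLE_LINES for ln in lines):
        findings.append("template body line")
    subject = (msg["Subject"] or "").strip().lower()
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # the worm names the attachment after the stolen document and reuses
        # that name, without its extension, as the subject
        if subject and name.split(".")[0].lower() == subject:
            findings.append("subject equals attachment base name: " + name)
    return findings


def is_sircam_like(raw: bytes) -> bool:
    """Both fixed lines plus at least one further trait are required for a match."""
    findings = sircam_indicators(raw)
    return ("fixed greeting line" in findings
            and "fixed closing line" in findings
            and len(findings) >= 3)


def build_sample(subject: str, body: str, attachment_name: str) -> bytes:
    """Build a constructed sample mail; addresses and attachment bytes are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder bytes, not a real executable",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# constructed samples: one following the worm's template, one ordinary mail
WORM_MAIL = build_sample(
    "Budget",
    "Hi! How are you?\n\nI hope you like the file that I sendo you\n\nSee you later. Thanks\n",
    "Budget.doc",
)
NORMAL_MAIL = build_sample(
    "Meeting notes",
    "Hi all,\n\nnotes from today are attached.\n\nRegards\n",
    "notes.doc",
)

if __name__ == "__main__":
    for label, raw in (("worm-style", WORM_MAIL), ("normal", NORMAL_MAIL)):
        print(label, sircam_indicators(raw), is_sircam_like(raw))
```

The comparison is on whole, stripped lines rather than substrings so that a legitimate reply quoting one of these sentences does not trip the filter on its own; the subject/attachment check is the trait least likely to appear in normal correspondence.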

Diagnosis
When executed, the worm performs the following actions:
- It creates copies of itself as %TEMP%\<file name> and C:\Recycled\<file name>, which contain the attached document. This document is then launched using the program registered to handle the specific file type (for example, a file with the .doc extension will open in Microsoft Word or WordPad, a file with the .xls extension will open in Excel, and one with the .zip extension will open in the default zip program, such as WinZip).
- It copies itself to C:\Recycled\Sirc32.exe and %System%\Scam32.exe.
- It adds the value
  Driver32=%System%\scam32.exe
  to the registry key
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- It creates the registry key
  HKEY_LOCAL_MACHINE\Software\SirCam
  with the following values:
  FB1B - the file name of the worm as stored in the Recycled directory
  FB1BA - the SMTP IP address
  FB1BB - the email address of the sender
  FC0 - the number of times the worm has executed
  FC1 - what appears to be the version number of the worm
  FD1 - the file name of the worm that has been executed, without the suffix
- The (Default) value of the registry key
  HKEY_CLASSES_ROOT\exefile\shell\open\command
  is set to
  C:\recycled\sirc32.exe "%1" %*
  This causes the worm to execute every time an .exe file is run.
The worm is network aware: it enumerates network resources to infect shared systems. For each one it finds, it will:
- attempt to copy itself to <Computer>\Recycled\Sirc32.exe
- add the line "@win \recycled\sirc32.exe" to the file <Computer>\Autoexec.bat
- copy <Computer>\Windows\Rundll32.exe to <Computer>\Windows\Run32.exe
- replace <Computer>\Windows\rundll32.exe with C:\Recycled\Sirc32.exe
There is a 1 in 33 chance that the following actions will occur:
- The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe.
- The worm copies itself as "Microsoft Internet Office.exe" to the folder referred to by the registry key
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
If this first payload activates, the file C:\recycled\Sircam.sys is created and filled with text until there is no remaining disk space. The text is one of two strings:
[SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
or
[SirCam Version 1.0 Copyright ¬ 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]
There is a 1 in 20 chance that, on October 16th of any year, the worm will recursively delete all files and folders on the C drive. This payload functions only on computers that use the date format D/M/Y (as opposed to M/D/Y or similar formats).
The worm contains its own SMTP server, which is used for the email routine. It obtains email addresses in two different ways:
- It searches the folder referred to by the registry key
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup\Cache
  for sho*., get*., hot*. and *.htm files, and copies email addresses from them into the file %Windows%\sc??.dll (where ? is a random letter and number).
- It searches the entire drive for *.wab files (all Windows Address Books) and copies addresses from them.
It searches the folders referred to by the registry keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup\Personal
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup\Desktop
for files of type .doc, .xls, .zip, and .exe. If it finds a match, that file is appended to the worm's original executable and the resulting file is sent as the email attachment.
After 8000 executions, the worm stops running.
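The file, registry and Autoexec.bat changes listed in the diagnosis are the artefacts an administrator can look for before attempting a repair. The following Python is an added example, not part of the original page: it parses the string-value subset of a registry export (the `[key]` / `"name"="data"` / `@="data"` format written by `reg export`), then checks it, together with a file listing and the contents of Autoexec.bat, for the indicators named above. The `"%1" %*` comparison assumes the stock default of the exefile open command; any other value means something has interposed itself in front of every .exe launch. The two registry exports, the file lists and the Autoexec.bat text are constructed samples.

```python
import ntpath

# Indicators taken from the diagnosis above. Key, value and file-name comparisons
# are case-insensitive because the Windows registry and file system are.
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
EXEFILE_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
CLEAN_EXEFILE_CMD = '"%1" %*'  # assumed stock (Default) of exefile\shell\open\command
WORM_FILENAMES = {"sirc32.exe", "scam32.exe", "scmx32.exe", "sircam.sys",
                  "microsoft internet office.exe"}
AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"


def parse_reg_export(text: str) -> dict:
    """Parse [key] headers and string values from .reg text.
    Returns {key_lower: {value_name_lower: data}}; (Default) is stored under ""."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            entries.setdefault(key, {})
        elif key is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"').lower()
            if data.startswith('"') and data.endswith('"'):
                # undo the .reg escaping of backslashes and embedded quotes
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            entries[key][name] = data
    return entries


def check_host(reg_text: str, present_files: list, autoexec_text: str) -> list:
    """Return the Sircam indicators found in a registry export, a file listing
    and the contents of Autoexec.bat (empty list when nothing matches)."""
    reg = parse_reg_export(reg_text)
    findings = []
    driver32 = reg.get(RUNSERVICES_KEY.lower(), {}).get("driver32", "")
    if "scam32.exe" in driver32.lower():
        findings.append("RunServices Driver32 -> " + driver32)
    if SIRCAM_KEY.lower() in reg:
        findings.append("HKLM\\Software\\SirCam key present")
    # a missing key is treated as the stock default, not as a finding
    cmd = reg.get(EXEFILE_CMD_KEY.lower(), {}).get("", CLEAN_EXEFILE_CMD)
    if cmd.strip() != CLEAN_EXEFILE_CMD:
        findings.append("exefile open command hijacked -> " + cmd)
    for path in present_files:
        if ntpath.basename(path).lower() in WORM_FILENAMES:
            findings.append("worm file -> " + path)
    for line in autoexec_text.splitlines():
        if line.strip().lower() == AUTOEXEC_LINE.lower():
            findings.append("Autoexec.bat launches \\recycled\\sirc32.exe")
    return findings


# constructed registry export of an infected machine (FD1 content is a placeholder)
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\scam32.exe"

[HKEY_LOCAL_MACHINE\Software\SirCam]
"FD1"="Budget"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"
'''
INFECTED_FILES = [r"C:\Recycled\Sirc32.exe", r"C:\WINDOWS\SYSTEM\Scam32.exe",
                  r"C:\WINDOWS\Win.ini"]
INFECTED_AUTOEXEC = "@echo off\n" + AUTOEXEC_LINE + "\n"

# constructed export of a clean machine
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for finding in check_host(INFECTED_REG, INFECTED_FILES, INFECTED_AUTOEXEC):
        print(finding)
    print("clean host:", check_host(CLEAN_REG, [r"C:\WINDOWS\Win.ini"], "@echo off"))
```

Because the worm hooks the exefile open command, the order of repair matters: restoring that (Default) value and removing the RunServices entry before deleting C:\Recycled\Sirc32.exe avoids leaving a system where no .exe can start because the interposed file is gone.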
Repair
Download and run this bat file