I-Worm.Sircam Viruses Information

Name: I-Worm.Sircam
Category: Viruses
Description: Details
I-Worm.Sircam

This is a dangerous worm that spreads via the Internet and local networks. The worm itself is a Windows application written in Delphi, about 130K in size. While spreading, the worm may append an additional file (DOC, XLS, ZIP or other; see below) to its own file, so the attached file can be larger than 130K.
Upon being executed (by clicking on the attached file for instance), it installs itself into the system, then sends infected messages (with its attached copy), infects local network computers (if there are drives shared for full access), and depending on system date, runs its payload routine.
E-mail Spreading
The worm sends itself from infected machines as an attached file with a variable name and double extension:
filename.ext1.ext2
where "ext1" can be one of the following variants: DOC, XLS, ZIP, or EXE.
The "ext2" extension is randomly selected by the worm from the following variants: PIF, LNK, BAT, COM. For example:
feb01.xls.pif
normas.doc.bat
The "filename.ext1" part comes from original files located on the infected machine. The worm looks for a file with an "ext1" extension, takes its name as the attachment name, reads its contents, appends them to its own body, and sends the result. The infected files sent out of an infected machine therefore consist of two parts: 1: the worm's EXE code; 2: appended extra data, which is a randomly selected DOC/XLS/ZIP/EXE file from the infected machine. This appended file is later used by the worm to disguise its activity (see below).
As a side effect, this "appended file" spreading method can disclose confidential information.
The worm message Subject is "filename" as above (exactly the "filename" of the attached file).
The Body can be in two languages: English and Spanish. The first and last lines of the message body are always the same:
first line (English): Hi! How are you?
first line (Spanish): Hola como estas ?
last line (English): See you later. Thanks
last line (Spanish): Nos vemos pronto, gracias.

The variants of text between these lines are:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send to you
This is the file with the information that you ask for
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste
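As an added example that is not part of the original description, the following Python check (function and variable names are my own) flags a message that shows the attachment naming scheme and the fixed three-line body template described above, as a mail-gateway filter would:

```python
import re

# Attachment shape documented for Sircam: filename.ext1.ext2, where ext1 is the type
# of the stolen decoy file and ext2 is an extension Windows will execute.
DECOY_EXTS = {"doc", "xls", "zip", "exe"}      # ext1
RUNNABLE_EXTS = {"pif", "lnk", "bat", "com"}   # ext2
ATTACH_RE = re.compile(r"^(?P<base>.+)\.(?P<ext1>[a-z]{3})\.(?P<ext2>[a-z]{3})$", re.IGNORECASE)

# Fixed body lines used by the worm (English and Spanish), compared case-insensitively.
FIRST_LINES = {"hi! how are you?", "hola como estas ?"}
LAST_LINES = {"see you later. thanks", "nos vemos pronto, gracias."}
MIDDLE_LINES = {
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i send to you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la información que me pediste",
}

def split_attachment(name):
    """Return (base, ext1, ext2) when name has the worm's double-extension shape, else None."""
    m = ATTACH_RE.match(name.strip())
    if not m:
        return None
    base, ext1, ext2 = m.group("base"), m.group("ext1").lower(), m.group("ext2").lower()
    if ext1 in DECOY_EXTS and ext2 in RUNNABLE_EXTS:
        return base, ext1, ext2
    return None

def sircam_indicators(subject, body, attachments):
    """Return the list of Sircam traits found in one message (empty list = nothing matched)."""
    reasons = []
    for name in attachments:
        parts = split_attachment(name)
        if parts is None:
            continue
        reasons.append(f"double-extension attachment: {name}")
        if subject.strip().lower() == parts[0].lower():  # Subject is exactly "filename"
            reasons.append("subject equals attachment base name")
    lines = [ln.strip().lower() for ln in body.splitlines() if ln.strip()]
    if (len(lines) == 3 and lines[0] in FIRST_LINES
            and lines[1] in MIDDLE_LINES and lines[2] in LAST_LINES):
        reasons.append("body matches the worm's three-line template")
    return reasons

if __name__ == "__main__":
    # Constructed sample message modelled on the description above, not a real capture.
    body = "Hi! How are you?\nI send you this file in order to have your advice\nSee you later. Thanks"
    print(sircam_indicators("feb01", body, ["feb01.xls.pif"]))
```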
The worm obtains victims' e-mail addresses by scanning files that may contain them: SHO*, GET*, HOT*, *.HTM, *.WAB and some others. The results of the search are stored by the worm in fake DLL files in the system directory:
SCD.DLL contains a list of "ext1" files
SCH1.DLL and SCI1.DLL contain a list of e-mail addresses found in the scanned files.
SCT1.DLL and SCY1.DLL files may also be found in the system directory; the worm stores additional data there.
To send infected messages the worm connects to an SMTP server. It takes the SMTP server name from the default system settings; if it fails to obtain the default server, it tries the following ones:
dobleclick.com.mx
enlace.net
goeke.net
Installation to System
The worm copies itself to:
the RECYCLED directory on the Windows drive, with the SirC32.exe name, for example:
C:\RECYCLED\SirC32.exe
the Windows system directory, with the SCam32.exe name.
the Windows directory, with the ScMx32.exe name.
the Windows start-up directory, with the "Microsoft Internet Office.exe" name.
Note that not all of these steps are performed by the worm upon its first start-up; some of the files are created later, depending on various conditions.
The attributes of all these files are then set to "Hidden".
The first two files are then registered in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Driver32 = %windows system directory%\SCam32.exe

HKCR\exefile\shell\open\command
SirC32.exe
The worm then extracts the appended "decoy" file (see above) to the Windows TEMP directory under its original "filename.ext1" name, and opens it with WINWORD.EXE (or WORDPAD.EXE), EXCEL.EXE or WINZIP.EXE, depending on "ext1". This way the victim sees the expected document while the worm runs.
The worm also creates an additional registry key, HKLM\SOFTWARE\SirCam, and stores its internal data there.
Network Spreading
To spread over a local network, the worm enumerates all network resources (it obtains all shared directories on remote machines) and copies itself there. If there is a "recycled" directory in the victim's shared directory, the worm copies itself into it with the SirC32.exe name:
\recycled\SirC32.exe
The worm then appends to the end of the AUTOEXEC.BAT file the following command:
@win \recycled\SirC32.exe
If there is a "Windows" directory, the worm renames the RUNDLL32.EXE file to the RUN32.EXE name, and then overwrites the original RUNDLL32.EXE with its own copy.
The worm then sets the Hidden attribute on its copies.
Payload
Depending on the system date and time, in one case out of 20 the worm deletes all files in all directories on the drive where Windows is installed and removes all directories there as well.
Upon each start-up, in one case out of 50, the worm creates a SirCam.Sys file in the root of the current drive and writes one of the following texts there:
[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
[SirCam Version 1.0 Copyright L 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]
It appears that the worm writes these texts repeatedly in order to fill the free disk space.
These strings (as well as most of the other text strings) are stored encrypted in the worm's body.
Fortunately, there is a mistake in the virus code and these routines are not executed in this way. However, the first routine (erasing files on the Windows drive) is executed if the worm's copies SIRC32.EXE, SCAM32.EXE or RUNDLL32.EXE are renamed to any other name and run.



© 2006-2008 spyware32.com - Privacy Policy