Virus Alert: W32/SirCam@MM
By
Mike Tomkins
(Thursday, July 26, 2001 - 10:13 EDT)
Emails flood into IR infected with a common virus...
We've been literally bombarded here at the Imaging Resource over the last few days with emails symptomatic of the W32/SirCam@MM virus, which seems to be about the most common virus around at the moment. To do our bit to try and help stem the tide, we thought we'd remind readers that you should run antivirus software on all your computers, and ensure that the latest updates for the software are installed.
There are also a few simple tips you can follow to avoid viruses - don't open attachments without first scanning them for viruses if: - You don't know the person who sent you the attachment.
- The text of the email seems suspicious.
- The email is from somebody you know, but you weren't expecting to receive an attachment from them.
As regards this particular outbreak, there are two ways to recognize emails symptomatic of W32/SirCam@MM. The subject line will be random, but based on the name of the file which is attached to the email. The text of the message will start with either "Hi! How are you?", or "Hola como estas ?". This will then be followed with one of the following lines: - I send you this file in order to have your advice
- I hope you can help me with this file that I send
- I hope you like the file that I sendo you
- This is the file with the information that you ask for
- mando este archivo para que me des tu punto de vista
- Espero me puedas ayudar con el archivo que te mando
- Espero te guste este archivo que te mando
- Este es el archivo con la informaci�n que me pediste
Finally, the email will conclude with either "See you later. Thanks", or "Nos vemos pronto, gracias.". The email will always include an attachment, which when clicked on will infect the recipient's PC with W32/SirCam@MM. The attachment will usually (but not always) have a double extension, such as for example .doc.pif, or .xls.bat - a curious behaviour which presumably the virus' creator hoped would trick people into opening the file, since on many PCs the second extension is automatically hidden and the file will appear to be a normal document. (Note that even documents such as .doc and .xls files can be infected with macro viruses, though, and all files should be scanned for viruses!)
Once infected, your PC will search for .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the My Documents folder, and will send copies of these files to email addresses in your Windows Address Book, and in cached files on your PC. A registry key is also created to automatically load the virus every time an executable file is started.
More details and full instructions on how to remove W32/SirCam@MM from your computer if you have been infected can be found at:
|