Evolution Happens.
SirCam is the Latest Incarnation
of Dangerous and Clever Software Viruses.
SirCam as a computer virus has
an unprecedented number of features. It is a true threat to computer
systems everywhere, and carries a destructive payload. It can
be difficult to detect, and to remove. SirCam is truly dangerous.
New virus programs have built on the technologies
originally used in SirCam. It is expected that the future of
computing will continue to include frequent struggles against
SirCam variants.
Technically, SirCam is a "Worm", not a
virus. We will use the two terms interchangeably here. "Virus"
is a global concept for rogue software and simpler to discuss.
7/27/01
The SirCam virus has been in the news lately. It has also been showing
up in the SoftProse Email Inbox, as we get messages from people
infected with the virus. (AKA: SirCam Worm, W32.SirCam...)
PLEASE BE AWARE that this can be a very destructive virus,
and can be very difficult to remove from a system. This virus
poses a challenge to all computer users.
THIS IS NOT AN OUTLOOK-ONLY PROBLEM. Any computer user
can get this virus. Any computer user can infect other systems.
It does NOT require the Internet for transmission, and can use
a local computer network.
This is the most complex and significant virus that we have ever
seen in its capability to transmit and cause harm.
Listed below are the aspects of SirCam
that make it particularly awful:
1) It will copy itself
on a standard computer network using Shared Drives on Windows
computers. This is a new and sinister development in viruses.
You do not have to open an attachment, or be running Outlook.
The virus can infect your machine from the computer network.
THIS IS A SERIOUS PROBLEM. One infection will mean that
ALL computers in an office can be infected. The virus uses a
mechanism in Windows to create an Autoexec file on network shares.
When those shares are opened, the virus is loaded into the computer
that opened the share.
From http://antivirus.about.com/library/weekly/aa072301a.htm
Sircam... first enumerates
all the network shares available to the infected computer. If
there is a writable \recycled\ folder on a share, a copy of the
worm is put to '\\[share]\recycled\' folder as 'SirCam32.exe'
file. The \\[share]\autoexec.bat file is appended with an extra
line: '@win \recycled\SirC32.exe', so the next time an infected
computer is rebooted the worm will be started. The worm also
copies the 'rundll32.exe' file to 'run32.exe' and then copies
itself as 'rundll32.exe' file to the Windows directory of a remote
system.
2) The program does NOT NEED
a copy of Outlook, and the Outlook address book, although it
will use one if it is found or available. This virus will SCAN
cached Email addresses, such as web pages, on your system for
ANY stored Email address. (Such as a text string with an @ sign
in it?) It will then use this to MAKE ITS OWN ADDRESS BOOK for
distributing itself.
3) This is one clever virus.
It even contains its own SMTP server (its own Email
program), so it does not need your Email account. Once it has
an address list, it can send itself from your machine without
using your Email system. (Similar to the W32.Magistr.Worm)
4) Improper removal can cause
an inability to launch any .EXE (including program files) on
your system.
5) On October 16th, in one out
of twenty cases, it will delete the contents of the local drive
on which Windows is installed.
6) In one out of fifty cases,
on ANY day of the year, the SirCam virus will create a file in
the hidden \Recycled\ folder named sircam.sys and repeatedly
append test strings in that file until the hard drive space is
filled to capacity.
7) The program uses any document
in the My Documents folder as a "cover letter" when
sending itself out. This may compromise personal information.
8) The programmer made a mistake,
and the virus cannot replicate itself on Windows NT or Windows
2000 systems. However... This circumstance may not last forever.
Windows NT and Win2K users should still be careful.
Outlook Users, Please Note:
Note that all versions of Outlook below Outlook 2000 SR-1 (and
EVERY Outlook version before this) are NOT SECURE and should NOT
BE USED if you have any other choice. The Outlook 2000 SR-1 update
introduced important security patches to Outlook, forcing confirmation
for any access to the Address book. However, this may interfere
with some outside software that may be designed to make use of
the Outlook Address book, so this additional protection may be
turned off on some systems. If in doubt, check your security
settings to confirm that the address book is protected.
WHAT CAN YOU DO?
A) KNOWLEDGE. Make certain your associates are AWARE of
this virus, its characteristics, and the nature of the problem,
and DO NOT RUN any attachments without absolutely being certain
that they are safe. Knowledge is the best defence.
B) PROTECTIVE SOFTWARE.
Run and keep current (UPDATE IT TODAY) anti-virus software on
each machine. This includes McAfee, Norton Anti-Virus, and InoculateIT. SoftProse Technology, Inc.
suggests CA's InoculateIT as the most cost-effective solution
for whole-office
protection. 25-user antivirus systems start at about $700
for the software; we offer installed solutions in a separate
proposal.
McAfee also has server-type systems for office defence. Norton
Anti-Virus (NAV) is popular, and will work, but has performance
problems. NAV interferes with system operations and some software;
we don't care for the product. There are also a number of quality
shareware solutions that may serve.
C) FIX THE PROBLEM. If
you think you are infected, DISCONNECT your computer from the
office network until you can run an appropriate repair tool,
and TELL the office administration about the problem so they
can be prepared. Reconnecting to the network afterwards may only
re-infect your machine without current anti-virus software installed.
This virus can run unchecked through many office network systems.
For more information
on the SirCam virus:
http://antivirus.about.com/
OR:
http://www.mcafee.com/anti-virus/viruses/sircam/default.asp?cid=2360
OR: (For Symantec's popular SirCam Removal Utility)
http://securityresponse.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html
OR:
http://www.ca.com/virusinfo/
McAfee.com
offers an on-line virus search and removal tool that will clean
all viruses from an infected system.
Norton Anti-Virus offers a free tool, "fixsirc.exe", which will do an effective
job of detecting and eliminating (only) the SirCam virus.
NOTE: The Fixsirc.exe tool appears to have a minor flaw
when removing the SirCam virus. The virus will place an instruction
to run the virus on computer startup in the AUTOEXEC.BAT file,
located at C:\AUTOEXEC.BAT. FixSirc.exe may not remove this instruction.
The Autoexec.bat file can be right-clicked, and EDIT selected.
Look for the mention of "/recycled/sircam.exe" or a
similar string, and delete it back to the semi-colon. The Fixsirc.exe
tool WILL eliminate the virus. The virus is GONE after the tool
is run. However, leaving this reference in the Autoexec.bat will
cause the computer to give a message about "unable to find
/recycled/sircam.exe" every time the computer is restarted.
This can quickly get annoying, along with causing anxiety.
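The manual AUTOEXEC.BAT cleanup described above can be scripted. The following is an added example, not part of the original page or of any vendor tool; the function name, the sample file contents and the list of executable extensions are assumptions, and it goes beyond one file name by treating any program started from a Recycled folder as suspect.

```python
import re

# A command that starts a program stored directly in a Recycled folder,
# e.g. "@win \recycled\SirC32.exe" or "/recycled/sircam.exe".
# The extension list is an assumption; the page itself only names .exe.
LAUNCH = re.compile(
    r"@?\s*(?:win\s+)?(?:[a-z]:)?[\\/]?recycled[\\/][^\\/\s]+\.(?:exe|com|bat|pif)\b.*",
    re.IGNORECASE,
)
COMMENT = re.compile(r"\s*(?:rem\b|::)", re.IGNORECASE)

# Constructed sample of an infected C:\AUTOEXEC.BAT (not taken from a real system).
SAMPLE = (
    "@ECHO OFF\r\n"
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    "REM old: win \\recycled\\test.exe\r\n"
    "@win \\recycled\\SirC32.exe\r\n"
)


def clean_autoexec(text):
    """Return (cleaned_text, findings) for the contents of an AUTOEXEC.BAT.

    findings is a list of (line_number, removed_text) tuples.
    """
    kept, findings = [], []
    for number, line in enumerate(text.splitlines(keepends=True), start=1):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        # Commented-out lines never execute, so they are left alone.
        match = None if COMMENT.match(body) else LAUNCH.search(body)
        if match is None:
            kept.append(line)
            continue
        findings.append((number, match.group(0)))
        prefix = body[:match.start()].rstrip()
        if prefix:
            # The entry was fused onto an existing command: keep that command.
            kept.append(prefix + ending)
    return "".join(kept), findings


if __name__ == "__main__":
    cleaned, found = clean_autoexec(SAMPLE)
    for number, entry in found:
        print("line %d removed: %s" % (number, entry))
    print(cleaned, end="")
```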
Symptoms of SirCam are as
follows:
You may receive an Email
message with an EXE or COM file as an attachment.
The attachment may be created from an actual file from the My
Documents folder of a victim's computer.
The McAfee Anti-Virus Center writes:
The email message can appear as follows:
Subject: [filename (random)]
Body: Hi! How are you?
I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for
See you later. Thanks
(There are also Spanish versions, if your computer's language is set to Spanish.)
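A mail filter can test for the message template quoted above together with the attachment types this page names. This is an added example, not McAfee's or SoftProse's code; the function names and the sample message are constructed for illustration.

```python
from email import message_from_string

# Body template as quoted on this page (including the "sendo" misspelling).
OPENING, CLOSING = "Hi! How are you?", "See you later. Thanks"
MIDDLE = (
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I sendo you",
    "This is the file with the information that you ask for",
)

# Constructed sample message (not a capture); the attachment is a text stub.
SAMPLE = """\
Subject: budget
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! How are you?
I hope you can help me with this file that I send
See you later. Thanks
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="budget.exe"

stub
--b1--
"""

def sircam_indicators(raw_message):
    """Return which of the page's indicators a raw RFC 822 message shows."""
    lines, hits = [], []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if name and name.lower().endswith((".exe", ".com")):  # types named here
            hits.append("attachment:" + name)
        elif not name and part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            lines += [ln.strip() for ln in text.splitlines() if ln.strip()]
    hits += ["opening"] if lines[:1] == [OPENING] else []
    hits += ["middle"] if any(ln in MIDDLE for ln in lines) else []
    hits += ["closing"] if lines[-1:] == [CLOSING] else []
    return hits

def is_probable_sircam(raw_message):
    """Flag only when the whole template and a risky attachment coincide."""
    hits = set(sircam_indicators(raw_message))
    has_attachment = any(h.startswith("attachment:") for h in hits)
    return has_attachment and {"opening", "middle", "closing"} <= hits
```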
Using MSCONFIG to detect the
virus on Windows 9x Computers:
Go to the Start Menu, and open it. Find and select RUN.
In the Open field, type "MSCONFIG", and press Return.
MSCONFIG will open. Select the last tab, "Startup".
Look through this list. If you see an item labeled "Sirc.exe" or "sircam.exe", REMOVE the check box next to it.
If you made any changes here, say OK and exit.
Reboot.
(Note: This will NOT solve the problem, or stop your infection.)
You are infected. Use either the "Fixsirc.exe" tool suggested here, or current anti-virus software to remove the SirCam virus.
Last Modified on: 8/5/2001