Virus/Worm Info You Should Check Out

Laurel

Within the last couple of days, I have received over 100 emails infected with the Sircam worm/virus. Some of these have come to my Literotica.com email address, which tells me that one or more of my Literotica friends must be infected with this little nasty. We use several virus programs, which delete these messages as they are received, but I wanted to warn anyone who might not be as paranoid as we are.

The messages I keep getting say the following:

"Hi! How are you? I send you this file in order to have your advice See you later! Thanks"

They also have a random attachment which sets off my virus checkers like a cheap car alarm at 4 am.

You should check out the following links just to be safe:

Wired Article:
http://wired.com/news/technology/0,1282,45427,00.html

Removal tool:
http://www.f-secure.com/v-descs/sircam.shtml

Usually, I ignore these virus warnings because we have so much protection. However, because I have received a few of these addressed to my Literotica account, I felt it was worth warning everyone about.

Apparently, this virus-worm-thingie can grab email addresses from webpages that you have visited and it automatically sends files in your My Documents folder to any number of random email addresses it finds. This means that your private files could be sent to any email address in any website that you've visited in the last several days. I can imagine the people at support@yahoo.com getting inundated with rough drafts of erotic stories you've been working on - hehe. Actually, of course it's not funny, but the good news is that the virus can be easily blocked with the right software.

Remember, I'm paranoid - so feel free to ignore this if you're feeling lucky. :)
 
You're under arrest!

I once knew a guy who had a bird who said that.
Yeah?
Yeah?

...

You dirty rat...
 
This one is the real thing... info is at http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html

I've included information in this post on how to remove the worm from your system(s)

SARC has upgraded the threat level of W32.Sircam.Worm@mm from 3 to 4, due to its increased rate of submissions.

W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm.


Also Known As: W32/SirCam@mm, Backdoor.SirCam
Category: Worm
Damage: Medium
Distribution: High

Technical Description:
This worm arrives as an email message with the following content:

Subject: The subject of the email will be random, and will be the same as the file name of the attachment in the email.
Message: The message body will be semi-random, but will always contain one of the following two lines (either English or Spanish) as the first and last sentences of the message.

Spanish Version:
First line: Hola como estas ?
Last line: Nos vemos pronto, gracias.

English Version:
First line: Hi! How are you?
Last line: See you later. Thanks

To Remove The Worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Sircam.Worm@mm.

To empty the Recycle Bin:
Right-click on the Recycle Bin and then click Empty Recycle Bin. You can also use Windows Explorer to delete the file C:\recycled\Sircam.sys if it is present.

To edit the Autoexec.bat file:
1. Click Start, and click Run.
2. Type the following, and then click OK.

edit c:\autoexec.bat

The MS-DOS Editor opens.

3. Remove the line "@win \recycled\sirc32.exe" if it is present.
4. Click File and then click Save.
5. Exit the MS-DOS Editor


To edit the registry:
The worm modifies the registry such that an infected file is executed every time that you run a .exe file. Follow these instructions to fix this.

Copy Regedit.exe to Regedit.com:

1. Do one of the following, depending on which operating system you are running:
   Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt.
   Windows NT/2000 users:
   a. Click Start, and click Run.
   b. Click Browse, and browse to the \Winnt\system32 folder.
   c. Double-click the Command.com file, and then click OK.
2. Type copy regedit.exe regedit.com and press Enter.
3. Type start regedit.com and press Enter.
4. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps.

NOTE: This will open Registry Editor in front of the DOS window. After you finish editing the registry and have closed Registry Editor, close the DOS window.

To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.

1. Navigate to and select the following key:

HKEY_CLASSES_ROOT\exefile\shell\open\command

CAUTION: The HKEY_CLASSES_ROOT key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey.
Do not modify the HKEY_CLASSES_ROOT\.exe key.
Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey that is shown in the following figure:
[Figure: Registry Editor with the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey selected, annotated "<<=== NOTE: This is the key that you need to modify."]


2. Double-click the (Default) value in the right pane.
3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"

4. Make sure you completely delete all value data in the command key prior to typing the correct data. If a space is left accidentally at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." or "Cannot locate C:\ <path and file name>."
5. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\Software\SirCam

CAUTION: Make sure that you go all the way down to the SirCam key, and that it is selected. It will look similar to the following:
[Figure: Registry Editor with the HKEY_LOCAL_MACHINE\Software\SirCam key selected.]

6. With the SirCam key selected, press Delete. This will delete the key and all of its subkeys. Since this key was created by the worm it can be safely deleted.
7. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

8. In the right pane, look for and select the value Driver32.

9. Press Delete, and then click Yes to confirm.


Additional information:

Configure Windows for maximum protection
Because this virus spreads by using shared folders on networked computers, to ensure that the virus does not reinfect the computer after it has been removed, it is best to share with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.
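The technical description above gives enough of the message format to filter for it: an attachment whose name matches the subject, and a body that opens with the English or Spanish greeting and closes with the matching sign-off. The following is an added example of that check written for this thread, not code from Symantec or from any poster. The two messages it parses are constructed samples, not real captures; the assumption that the subject may equal the attachment name with its trailing extension(s) removed (e.g. subject "draft_story" for "draft_story.doc.pif") is mine, since the advisory only says the two are "the same".

```python
import email
import os
import re
from email import policy

# Opening and closing lines from the advisory, in normalised form so that
# "See you later! Thanks" and "See you later. Thanks" both match.
GREETINGS = {"hi how are you", "hola como estas"}
SIGNOFFS = {"see you later thanks", "nos vemos pronto gracias"}


def _norm(line: str) -> str:
    """Lower-case, replace punctuation with spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", line.casefold()).split())


def _subject_matches(subject: str, filename: str) -> bool:
    """Assumption: subject equals the attachment name with zero or more
    trailing extensions stripped (subject 'report' for 'report.doc.pif')."""
    target = subject.strip().casefold()
    stem = filename.strip()
    while stem:
        if stem.casefold() == target:
            return True
        stem, ext = os.path.splitext(stem)
        if not ext:
            break
    return False


def sircam_indicators(raw: str) -> list[str]:
    """Return which of the advisory's mail characteristics a message shows."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    body = msg.get_body(preferencelist=("plain",))
    lines = [l for l in body.get_content().splitlines() if l.strip()] if body else []
    if lines and _norm(lines[0]) in GREETINGS:
        found.append("greeting")
    if lines and _norm(lines[-1]) in SIGNOFFS:
        found.append("signoff")
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    if names:
        found.append("attachment")
        if any(_subject_matches(msg.get("Subject", ""), n) for n in names):
            found.append("subject_equals_attachment")
    return found


def is_sircam_like(raw: str) -> bool:
    """Greeting, sign-off and an attachment together: quarantine candidate."""
    return {"greeting", "signoff", "attachment"} <= set(sircam_indicators(raw))


# Constructed sample messages (not real captures).
SIRCAM_EML = """From: someone@example.invalid
To: you@example.invalid
Subject: draft_story
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="us-ascii"

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
--B1
Content-Type: application/octet-stream; name="draft_story.doc.pif"
Content-Disposition: attachment; filename="draft_story.doc.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--B1--
"""

BENIGN_EML = """From: friend@example.invalid
To: you@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain; charset="us-ascii"

Hi! How are you?
Notes from yesterday attached, the usual format.
Cheers, Pat
--B2
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

agenda item 1
--B2--
"""

if __name__ == "__main__":
    for label, eml in (("sircam", SIRCAM_EML), ("benign", BENIGN_EML)):
        print(label, is_sircam_like(eml), sircam_indicators(eml))
```

The benign message deliberately starts with the same greeting; only the combination of greeting, sign-off and an attachment flags a message, which keeps an ordinary "Hi! How are you?" from a friend out of quarantine.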
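The removal steps above boil down to four host checks: no "@win \recycled\sirc32.exe" line in Autoexec.bat, the (Default) value of HKEY_CLASSES_ROOT\exefile\shell\open\command restored to exactly "%1" %* (the advisory warns that a stray leading space breaks every .exe), no HKEY_LOCAL_MACHINE\Software\SirCam key, and no Driver32 value under RunServices. The following is an added example, written for this thread rather than taken from Symantec or any poster, that applies those checks to an Autoexec.bat and to a Regedit .reg export so the result of a cleanup can be verified from text files. The sample Autoexec.bat and export are constructed; the hijacked command string and the Driver32 path in them are illustrations, since the advisory names the keys but not their contents.

```python
import re

# What the advisory says a clean system looks like.
CLEAN_EXEFILE_COMMAND = '"%1" %*'
SIRC32_AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\SirCam"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"


def fix_autoexec(text: str) -> tuple[str, int]:
    """Drop the worm's Autoexec.bat line; case and spacing are ignored when
    matching. Returns (cleaned text, number of lines removed)."""
    kept, removed = [], 0
    for line in text.splitlines():
        if " ".join(line.split()).casefold() == SIRC32_AUTOEXEC_LINE.casefold():
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def check_exefile_command(data: str) -> str:
    """'ok', 'stray_whitespace' (the "Windows cannot find .exe" failure the
    advisory warns about) or 'hijacked' (anything else, e.g. a worm path)."""
    if data == CLEAN_EXEFILE_COMMAND:
        return "ok"
    if data.strip() == CLEAN_EXEFILE_COMMAND:
        return "stray_whitespace"
    return "hijacked"


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for the string values of a Regedit export:
    {key (casefolded): {value name (casefolded, '' for Default): data}}.
    Registry names are case-insensitive, hence the casefolding."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].casefold()
            reg.setdefault(key, {})
            continue
        m = re.match(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if key is None or not m:
            continue
        name = "" if m.group(1) else _unescape(m.group(2)).casefold()
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        reg[key][name] = data
    return reg


def audit_registry(reg: dict[str, dict[str, str]]) -> list[str]:
    """Report which of the advisory's three registry indicators remain."""
    findings = []
    cmd = reg.get(EXEFILE_KEY.casefold(), {}).get("")
    if cmd is not None and (status := check_exefile_command(cmd)) != "ok":
        findings.append(f"exefile command {status}: {cmd!r}")
    if SIRCAM_KEY.casefold() in reg:
        findings.append("HKLM\\Software\\SirCam key present")
    if "driver32" in reg.get(RUNSERVICES_KEY.casefold(), {}):
        findings.append("RunServices\\Driver32 value present")
    return findings


# Constructed samples: the command string and Driver32 path are illustrations.
INFECTED_AUTOEXEC = "@ECHO OFF\nSET PATH=C:\\WINDOWS;C:\\DOS\n@win \\recycled\\sirc32.exe\n"
INFECTED_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\SirCam]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\EXAMPLE\\infected.exe"
'''
CLEAN_REG = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    cleaned, n = fix_autoexec(INFECTED_AUTOEXEC)
    print(f"removed {n} autoexec line(s):\n{cleaned}")
    print("infected export:", audit_registry(parse_reg_export(INFECTED_REG)))
    print("clean export:", audit_registry(parse_reg_export(CLEAN_REG)))
```

To use it on a real machine of that era, export the three keys with Regedit (File, Export) and feed the file to parse_reg_export; an empty audit list plus a zero count from fix_autoexec means the manual steps in the post were completed without the leading-space mistake.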
 
For us non-computer people- please answer this. If we get the email with the attachment, but don't OPEN the attachment and just delete the email, aren't we safe in not getting the worm?
 
I got this in my mail and I was going to ask about it but then I just thought it was probably nothing... I didn't open it... It had the name "Judy Betro" in the subject line and a man's name that I can't remember in the "from". The thing that struck me as odd is the "irretrievable" notations in the to, from and received sections.... oh shit, wait, I did open it but I didn't click the link!

Shit, I'm such a ditz sometimes.
 
Cheyenne said:
For us non-computer people- please answer this. If we get the email with the attachment, but don't OPEN the attachment and just delete the email, aren't we safe in not getting the worm?

I believe that you have to open the attachment to get the worm/virus. Delete the email AND the attachment (if you use Eudora, you can set it to delete any attachments when the email is deleted). Delete them from your recycle bin. Then, go and get a version of McAfee or Norton if you don't have it already.
 
You have to open an attachment to get a virus but a worm can be in a simple e-mail.

So, is this a worm? Or a virus? Or is it both?
 
It's both. It replicates itself like a worm does, but it can cause massive damage, like a virus. That's why it's causing so much trouble.
 
LOL. I don't know wtf I'm doing answering tech questions...scary!

All I can say is that I get like 5 of these thingies an hour. My virus program keeps popping up in front of my screen (there it goes again) to ask permission to delete em. Driving me batshit.
 
Weird. Did anyone see Ksss's MSN virus/worm thread?

I keep getting e-mails to both of my stormrealm mail accounts, from someone named brian something or other with a subject line about Bill Clinton/Monica Lewinsky, and an attachment which sets off both of my Anti-Virus programs. I've been deleting them and I reported it to both Anti-Virus websites.
Am I getting some odd fucking cross-breed of both? LOL
 
*bump* This seemed important to bring back to page one.
 
I just received one of these on a confirmation for an American Greetings card *sigh*
 
So if I stupidly opened a "@literotica.org" email that had the stupid thing but did nothing else except delete the message, is my computer ok? I didn't even look to see if there was an attachment, I just hit delete when I saw that first line.
 
Thank goodness I keep a Trojan latex cover on my computer.
 