Virus Advisory - W32.Sircam Last Updated 7/24/01

On 7/18/01, NAI reported a new virus W32.Sircam had been found in the wild.
The virus arrives as an email attachment to a message with:

Subject: random file name
Attachment: random file name

The body of the message includes the text:

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks

The message may also include the text:
I hope you can help me with this file that I send
or I hope you like the file that I send to you
or This is the file with the information that you ask for

When the attachment is executed the virus is saved to C:\RECYCLED\SirC32.exe. The virus also copies itself to C:\WINDOWS\SYSTEM\SCam32.exe. The virus gathers file names with the extensions .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP from the infected machine saving them to the file SCD.DLL (the 2nd character of the name appears to be random) in the SYSTEM directory. The virus gathers email addresses from Outlook and temporary Internet cached pages storing them in SCD1.DLL (the 2nd and 3rd character of the name appears to be random) in the SYSTEM directory. Using the file names gathered in the SCD.DLL file the virus sends itself out to all addresses listed in the SCD1.DLL file adding .BAT, .COM, .EXE, .LNK, .PIF to the end of the attachment. The virus uses a built-in SMTP server to replicate.

For more information see:

• From NAI: http://vil.nai.com/vil/content/v_99141.htm

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.