Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Sircam

Threat level: High
Damage: Severe
Distribution: Not widespread

Effects

Sircam activates whenever a file with an EXE extension is run, until it has done so 8000 times. Once activated, it has the following effects:

  • It steals personal data from infected users, such as the e-mail address and the address of the SMTP server from which the infected message was sent.
  • It deletes folders from the hard disk.

    This only happens when the copy of the worm that is running contains the text string FA2 followed by text other than SC (the FA2 field is described under Further Details below).
  • It uses up all the free space on the hard disk.

    In order to do this it creates a file called SIRCAM.SYS and writes text into it until the hard disk is full. This happens 1 in every 50 times that Sircam carries out its effects.
  • In some cases, Sircam does not allow files with an EXE extension to be run.

Infection strategy 

In order to carry out its infection, Sircam creates the following files:

  • SIRCAM.SYS in the Recycle Bin. Sircam writes text into this file until it uses all the hard disk space.
  • SIRC32.EXE, a copy of Sircam, in the Recycle Bin.
  • SCAM32.EXE, a copy of Sircam, in the Windows System directory.

    It contains data after the text string FA (this data is described under Further Details below).
  • SCD.DLL, which is hidden and contains a list of the files in the C:\My Documents folder.
  • SCx1.DLL, which contains a list of addresses to which the worm will send itself. The x character stands for one of the letters Y, H, I or T, so the file name is SCY1.DLL, SCH1.DLL, SCI1.DLL or SCT1.DLL.
  • Sircam also creates a file with the same name as the file attached to the e-mail message. This file is placed in the Recycle Bin and has only one extension.

In order to ensure that it activates and carries out its infection, Sircam modifies the following entries in the Windows Registry:

  • HKEY_CLASSES_ROOT\exefile\shell\open\command\Default = "C:\recycled\SirC32.exe" "%1" %*
    This allows the worm to be activated whenever a file with an EXE extension is run: the stock value of this entry is "%1" %*, so the hijacked value launches the copy in the Recycle Bin first and hands it the program the user actually asked for.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Drivers32 = c:\windows\system\Scam32.exe
    Through this entry the worm is run again at every system start-up.
  • HKEY_LOCAL_MACHINE\Software\Sircam
    Sircam uses this key to save its data.
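As an added example (it is not part of the Panda entry and not the worm's code), the following Python script parses a .reg-style export and flags the three registry modifications listed above: a hijacked exefile open command, a RunServices value that launches one of the dropped copies, and the presence of the HKEY_LOCAL_MACHINE\Software\Sircam key. The two sample exports are constructed here; on a live machine the text would come from `reg export` of those keys. The parser handles only string values, which is all these keys need.

```python
import re
from typing import Dict, List

# Constructed sample .reg exports (not captured from a real machine). The first
# reproduces the three modifications listed in the entry above; the second is
# what a clean machine of that era exports for the same keys.
INFECTED_REG_EXPORT = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Drivers32"="c:\\windows\\system\\Scam32.exe"

[HKEY_LOCAL_MACHINE\Software\Sircam]
'''

CLEAN_REG_EXPORT = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
'''

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\Sircam"
# Windows' stock value: run the requested program with its arguments, nothing else.
EXPECTED_EXEFILE_CMD = '"%1" %*'
# File names the entry above gives for the dropped copies of the worm.
SIRCAM_BINARIES = {"sirc32.exe", "scam32.exe"}

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(".*")$')


def _unescape(s: str) -> str:
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: string data}}.

    Only REG_SZ values are handled. The default value is stored under the
    empty name.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def scan_reg_export(text: str) -> List[str]:
    """Return one finding per Sircam registry indicator present in the export."""
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    findings: List[str] = []

    # 1. Any change to the exefile open command interposes something before
    #    every EXE launch; report the whole value so the analyst sees what.
    cmd = keys.get(EXEFILE_KEY.lower(), {}).get("")
    if cmd is not None and cmd.strip() != EXPECTED_EXEFILE_CMD:
        findings.append(f"exefile open command hijacked: {cmd}")

    # 2. RunServices entries whose target is one of the worm's dropped copies.
    for name, data in keys.get(RUNSERVICES_KEY.lower(), {}).items():
        target = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if target in SIRCAM_BINARIES:
            findings.append(f"RunServices value {name!r} launches {data}")

    # 3. The worm's own data key.
    if SIRCAM_KEY.lower() in keys:
        findings.append(f"{SIRCAM_KEY} key present")
    return findings


if __name__ == "__main__":
    for label, export in (("infected", INFECTED_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(label, scan_reg_export(export) or "no indicators")
```

The first check is deliberately generic: it reports any exefile command other than the stock one, so it also catches other EXE-association hijackers, while the second and third checks are specific to the names this entry gives.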

Means of transmission 

Sircam spreads via e-mail and via networks with Windows NT workstations, in the following way:

Infection via e-mail follows this routine:

  • It reaches computers hidden in an e-mail message with the following characteristics:

    Message body: the first line is

    Hi! how are you ?

    followed by one of these lines:

    I send you this file in order to have your advice
    I hope you can help me with this file that I send
    I hope you like the file that I sendo you
    This is the file with the information that you ask for

    and the last line is:

    See you later. Thanks.

    The message includes an attachment.
  • If the attached file is run, Sircam infects a file on the victim computer by copying itself to the beginning of it.
  • It adds a second extension to the infected file (such as VBS or JPG).
  • It spreads automatically by sending the file it has just infected to all the contacts in the Address Book.

    It also looks for other e-mail addresses in files that meet any of the following requirements:

    Its name starts with “SHO” (sho*.). The addresses it finds are stored in the file SCY1.DLL.

    Its name starts with “GET” (get*.). The addresses it finds are stored in the file SCH1.DLL.

    Its name starts with “HOT” (hot*.). The addresses it finds are stored in the file SCH1.DLL.

    Web pages with an HTM extension. The addresses it finds are stored in the files SCI1.DLL and SCT1.DLL.

    Word documents with a DOC extension. The addresses it finds are stored in the file SCD.DLL.

    Excel spreadsheets. The addresses it finds are stored in the file SCD.DLL.

    WinZip compressed files with a ZIP extension. The addresses it finds are stored in the file SCD.DLL.

    Address books with a WAB extension. The addresses it finds are stored in the file SCW.DLL.

Infection via networks with Windows NT workstations follows this routine:

  • Sircam finds the mapped network drives on the infected computer.
  • It looks for the communication ports available on the mapped drives it has found. Its objective is to spread through the network by sending itself through each of these ports.
  • It looks on the mapped drives it has found for the \Recycled and \Windows directories and for the files \Windows\Run32.exe and \Windows\Rundll32.exe.

    If it does not find these files, it does not infect those mapped drives.

    If it finds the \Recycled directory, it copies the file SIRC32.EXE into it and inserts the line @win \recycled\SirC32.exe in the AUTOEXEC.BAT file. This infects the computer the next time it is started up.

    If it finds the \Windows\System directory, it copies the file SCAM32.EXE to it and runs it.
  • It infects the RUNDLL32.EXE system file.
  • It looks for Word documents with a DOC extension in the \MY DOCUMENTS directory. If it finds any, it records them in the file SCD.DLL so that it can send itself attached to them.

Further Details

  • The worm's code contains the following copyright text, which indicates its possible origin:

    SirCam_2rP_Eim_NoC_Rma_CniTzeO_MicH_MeX]

    [SirCam Version 1.0 Copyright. 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]
  • Each file it creates on the infected computer (copies of itself) contains data that Sircam uses to achieve its goals. This data is stored in the files as tagged strings, in the following way:

    The string SC is added to the string FA2, resulting in FA2sc.

    The e-mail address of the user that sent the infected message is added to the string FA5. For example: FA5travel@maui.net.

    To the FA8 string it adds a number that represents the offset of the file that Sircam has included after the worm. For example, FA8123456 indicates that the offset of the file is 123,456 bytes.

    In the case of the SIRC32.EXE file (copy of the worm), there are only eight blank spaces after the FA8 string, so no offset is recorded.

    To the FA9 string it adds the name of the SMTP server that corresponds to the user that sent the infected message. For example: FA9smtp.maui.net.
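The following Python example is added here (it is not Panda's code and not the worm's) to show how the FA-tagged data described above can be read back from a file during triage and used to carve out the document Sircam prepended itself to. The entry does not say how the fields are delimited, so the layout is an assumption: FA2, FA5 and FA9 values are taken as NUL-terminated, FA8 as a fixed 8-character decimal field (matching the eight blank spaces in the SIRC32.EXE copy), and the worm body is a filler stub. The sample files are built by the script itself, using the entry's own example address and server; the document text is made up. It also checks the FA2 field against the folder-deletion condition given under Effects.

```python
from typing import Dict, Optional

# Constructed sample values. The address and server are the ones the entry
# itself uses as examples; the document text is made up here.
SAMPLE_EMAIL = b"travel@maui.net"
SAMPLE_SMTP = b"smtp.maui.net"
SAMPLE_DOC = b"Quarterly figures\r\nDraft, do not distribute.\r\n"

# Stand-in for the worm body that precedes the data block (filler bytes plus
# the copyright string quoted above; the real executable is not reproduced).
WORM_STUB = b"MZ" + bytes(62) + b"[SirCam Version 1.0 Copyright. 2001 2rP]" + bytes(16)

FA8_WIDTH = 8  # eight characters after FA8, per the SIRC32.EXE case above


def build_sample_file(email: bytes, smtp: bytes, payload: bytes, fa2: bytes = b"sc") -> bytes:
    """Assemble a file in the assumed layout: worm stub, FA block, appended file.

    Assumption (not stated in the entry): FA2/FA5/FA9 values are NUL-terminated
    and FA8 is a fixed 8-character decimal field, blank when nothing follows.
    """
    block = b"FA2" + fa2 + b"\x00" + b"FA5" + email + b"\x00" + b"FA9" + smtp + b"\x00"
    header_len = len(WORM_STUB) + len(block) + 3 + FA8_WIDTH
    offset_field = str(header_len).encode().ljust(FA8_WIDTH) if payload else b" " * FA8_WIDTH
    return WORM_STUB + block + b"FA8" + offset_field + payload


def parse_fa_block(blob: bytes) -> Dict[str, object]:
    """Read the FA-tagged fields; FA8 becomes an int (or None when blank).

    The block is located by its first FA2 marker; in real triage the position
    should be confirmed against the actual sample rather than searched for.
    """
    pos = blob.find(b"FA2")
    if pos < 0:
        raise ValueError("no FA data block found")
    fields: Dict[str, object] = {}
    while blob[pos:pos + 2] == b"FA" and pos + 3 <= len(blob):
        tag = blob[pos:pos + 3].decode("ascii")
        pos += 3
        if tag == "FA8":
            raw = blob[pos:pos + FA8_WIDTH].decode("ascii").strip()
            fields[tag] = int(raw) if raw else None
            pos += FA8_WIDTH
        else:
            end = blob.index(b"\x00", pos)
            fields[tag] = blob[pos:end].decode("ascii", "replace")
            pos = end + 1
    return fields


def carve_appended_file(blob: bytes) -> Optional[bytes]:
    """Return the document Sircam prepended itself to, using the FA8 offset."""
    offset = parse_fa_block(blob).get("FA8")
    if offset is None or offset > len(blob):
        return None
    return blob[offset:]


def deletion_branch_armed(fields: Dict[str, object]) -> bool:
    """Effects section: folders are deleted only when FA2 is followed by text other than SC."""
    return fields.get("FA2") != "sc"


# Two sample files: the e-mailed attachment (worm + document) and the
# SIRC32.EXE-style dropped copy (worm only, blank FA8).
ATTACHMENT = build_sample_file(SAMPLE_EMAIL, SAMPLE_SMTP, SAMPLE_DOC)
DROPPED_COPY = build_sample_file(SAMPLE_EMAIL, SAMPLE_SMTP, b"")

if __name__ == "__main__":
    print(parse_fa_block(ATTACHMENT))
    print(carve_appended_file(ATTACHMENT))
    print(parse_fa_block(DROPPED_COPY))
    print("deletion branch armed:", deletion_branch_armed(parse_fa_block(ATTACHMENT)))
```

The FA5 and FA9 values are the fields an incident responder cares about first: they name the mailbox and SMTP server of the sender of the infected message, which is how the next hop in an outbreak is traced, and the FA8 offset is what lets the original document be recovered for the user.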