
Can anyone identify this?


nodnerb2
07-22-2001, 01:00 AM
Hi,
I was sent this file as an attachment. As I was viewing my mail online I managed to delete it directly off the server. It was supposedly sent from the Banyan Tree Resort in Phuket, Thailand.

"File: memothai.doc.com (216805 bytes)
DL Time (50667 bps): < 1 minute"

The message text said:

"Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks"

Has anyone else ever seen or heard about this?

Regards

Nodnerb2


I did take the precaution of deleting it after I had copied the header. It was the second extension that made me cautious. I have stayed at the Banyan Tree Resort and probably wouldn't have given it a thought but for the odd file name.

[This message has been edited by nodnerb2 (edited 07-22-2001).]

JacobM5727
07-22-2001, 01:19 AM
I don't know, but if it came as an attachment from someone you don't know it is probably a virus.

skywalker[TSG]
07-22-2001, 02:04 AM
I think you should delete that mail.

It's prolly a virus.

surrealchereal
07-22-2001, 05:23 AM
Or worse, one of those horrible unsolicited HTML ads for Resort Property, Larger Genitals, or Cute Indian Man Need American Girl Sponsor.

wedor
07-22-2001, 05:30 AM
That's the message body of the SirCam virus.

tarpat1
07-22-2001, 05:36 AM
That is definitely a virus and you should delete it immediately.

JohnC
07-22-2001, 07:26 AM
IT'S THE SIRCAM VIRUS!!!

Here are the technical details from www.trend.com (http://www.trend.com) under the Advisories button.


TROJ_SIRCAM.A

In the wild: Yes
Trigger condition 1: Upon execution
Payload 1: Creates Files
Detected by pattern file#: 917
Detected by scan engine#: 5.170
Language: English, Spanish
Platform: Windows
Encrypted: No
Size of virus: 137,216 Bytes

Details:
The worm arrives as an attachment to the following email:

Subject: (random subject line, with the same name as the attachment)
Message body: (The body could be either in Spanish or English)
Hi! How are you?

I send you this file in order to have your advice OR I hope you can help me with this file that I send OR I hope you like the file that I send you OR This is the file with the information that you ask for

See you later. Thanks

Attachment: (random filename, with the same name as the subject line)

IN SPANISH:

Hola como estas ?

Te mando este archivo para que me des tu punto de vista OR Espero me puedas ayudar con el archivo que te mando OR Espero te guste este archivo que te mando OR Este es el archivo con la informacion que me pediste

Nos vemos pronto, gracias.

The attachment contains a copy of the worm merged with a randomly chosen file from the sender's computer.
Upon execution, this worm copies itself to a SCam32.EXE in the System directory. It then splits merged files in the attachment and drops these to a SIRC32.EXE file and a <Original filename of the merged file> in the C:\Recycled folder.

To execute on every bootup, it creates the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32 = "C:\Windows\System\Scam32.exe"

It modifies the following registry entry:
HKEY_CLASSES_ROOT\exefile\shell\open\command = "%1" %*

to the following, to allow this Trojan to run whenever an .EXE file is executed:
HKEY_CLASSES_ROOT\exefile\shell\open\command = "C:\Recycled\SirC32.exe" "%1" %*

It also creates the following registry key, where it stores data:
HKEY_LOCAL_MACHINE\Software\SirCam
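
A defender's check for the three persistence entries the Trend advisory lists, as an added example that is not part of the original thread or of Trend's advisory: it parses a constructed .reg-style export and flags the RunServices value, a non-default exefile open command (it catches any hijacked .exe handler, not only SirC32.exe) and the SirCam data key. The sample export, its value data and the key-path constants are assumptions made for illustration.

```python
import re
# Constructed sample .reg-style export (not captured data) holding the three
# SirCam indicators from the advisory: RunServices, exefile command, data key.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\Windows\\System\\Scam32.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Recycled\\SirC32.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\SirCam]
"FB1B"="constructed placeholder"
'''
DEFAULT_EXE_COMMAND = '"%1" %*'  # stock value of exefile\shell\open\command
RUNSERVICES = r'hkey_local_machine\software\microsoft\windows\currentversion\runservices'
EXE_OPEN_CMD = r'hkey_classes_root\exefile\shell\open\command'
SIRCAM_KEY = r'hkey_local_machine\software\sircam'

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg_export(text):
    """Parse a .reg export into {key_path (lower-cased): {value_name: data}};
    only REG_SZ values are handled and '@' names the key's default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$', line)
        if m and current is not None:
            name = '@' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys

def find_sircam_indicators(keys):
    """Return findings for SirCam's persistence; the open-command check flags
    any non-default .exe handler, not only SirC32.exe."""
    findings = []
    driver = keys.get(RUNSERVICES, {}).get('Driver32', '')
    if 'scam32.exe' in driver.lower():
        findings.append('RunServices\\Driver32 starts ' + driver + ' at boot')
    cmd = keys.get(EXE_OPEN_CMD, {}).get('@', DEFAULT_EXE_COMMAND)
    if cmd != DEFAULT_EXE_COMMAND:
        findings.append('exefile open command hijacked: ' + cmd)
    if SIRCAM_KEY in keys:
        findings.append('worm data key HKLM\\Software\\SirCam present')
    return findings
```

Run it against an export taken with `regedit /e` from a suspect machine; a clean machine yields an empty list.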

thekingofpain
07-22-2001, 08:05 AM
Phuket! GREAT place, ahhhhh... :-)

Steve R Jones
07-23-2001, 01:04 PM
I received three of these today. Someone, somewhere out there likes me. I guess that's the downside of having the same email address for 4 years.

Eli
07-23-2001, 05:11 PM
Well I'll be damned... I got an e-mail just the other day similar to that. The body was the same, but the filename is different (something.xls.bat or something similar), and it's supposedly from a "Victoria". Isn't it odd that Hotmail's virus scan shows it as being clean? I still didn't download it though.

awforrest
07-23-2001, 05:33 PM
My own policy: If I don't know who sent it I delete it.

HfdWolfPack
07-24-2001, 07:05 AM
Delete anything named "file.doc.anything"

It sure is the SirCam virus. Exactly as it is explained at www.symantec.com (http://www.symantec.com)

[This message has been edited by HfdWolfPack (edited 07-24-2001).]

Beemer
07-25-2001, 03:18 PM
Steve R Jones
It isn't that someone out there likes you. It's that your name and e-mail address are in the Outlook Express address book of an infected computer. When the user of this computer brings up Outlook Express and sends an e-mail to someone, the little virus has already taken stock of (I think it is) 23 e-mail addresses stored in that address book and is ready to send itself when the user hits send. For a brief second, and if you have the Outlook bar activated, you will see the Outbox flash (24) instead of (1). This means of course that your Outlook Express program just sent out 24 e-mails instead of just the one.

(The users probably like you as well, yes...)

Cheers!