The SirCam virus

[madfish]

sounds like a nasty little critter, ya all should read this

[SysOpt]

Indeed so.. In the last three days, I've received about 50 emails from two or three people with their 'my documents' files as attachments.

[socalgal]

Yep, just received a couple myself this morning.

UPDATE YOUR AV, people!

Info on SirCam at Symantec



[This message has been edited by socalgal (edited 07-24-2001).]

[Mntsnow]

Yep...started receiving it to late last night. Office XP's Outlook blocked the bug though .

Yes People this is real...Update your protection now!

[jansson_markus]

Or... Use your brains and DO NOT open attachments unless you have a VERY good reason to believe that its safe.

Again, this virus would NOT spread if there where no idiots opening the attachments...

OR, how about installing that ZoneAlarm...how about it?

Markus

[This message has been edited by jansson_markus (edited 07-22-2001).]

[socalgal]

Just an FYI:

ZoneAlarmPro's email quarantine feature (not sure if the free ver has email quarantine) will not quarantine an email attachment with the .zlx (.doc.zl0, .zl3, etc.) attachment (IF it's a .zlx extension) by default unless you add it to the quarantine list.

ZoneAlarm/Pro a soft firewall, not a virus or trojan detector.

Edit: Here's more info; file extensions can be COM, EXE, PIC, LNK and this worm contains it's own SMTP email engine.

http://www.theregister.co.uk/content/56/20553.html


[This message has been edited by socalgal (edited 07-23-2001).]

[jansson_markus]

Ofcourse ZoneAlarm doesnt work as good AV program. But in this case, using a ZoneAlarm prevents this virus/worm from spreading since it uses its own emailing system to spread. Not to mention that smart way of reading email or doing anything with firewall is that once you have done what you are about to do, you disallow that program to access internet. If you downloaded email messages, then disallowed OE or similiar to go to net, and then read your email, you are safe against worms that use OE for spreading.

[SysOpt]

ZA may keep it from spreading, but it won't keep it from deleting data from a hard drive. Of course the #1 prevention is to not open unfamiliar attachments, but #2 is to have good up to date antivirus software.

[smoss62]

Just had my first experience with SirCam Virus at tech shop. It wouldnt let any app's run, error SirC32.exe could not be found. I used the manual delete process on the Symantec site and everything seems to be running fine now. Will conitnue more testing today and let ya'all know how it goes.

Smoss62

[WinOS2Mac]

My Mothers computer at work just was infected by this virus. The funny thing is that It deleted every file on her C drive but Its not October 16th yet? I read on Symantecs web site that it onlly deletes files on October 16th.

Anyway, All her files are gone, and when i start the computer It doesn't even recognize the hard disk. It says "Invalid Disk".

So I am currently running Powerquest Lost and Found to recover the files. My question is If The virus deleted everything on the C drive then did it delete itself? I mean If i reinstall windows will the virsu still be there.

Also, I am recovering all of the deleted files to a separate hard drive via Lost and Found, so will the destination drive be infected afterward?

And I also had some shared drives on the 2 computers that were networked. so is the other computer infected?

you can email me at winmzcos@hotmail.com

[washe]

We got that virus last friday, I was away off the office for that day, and some fool oppened an attachment at the office, when I checked my personal email, I saw a mail from myself with my work address, and also I got like 5 emails from another people with attachments almost the same size, when I got to the office this morning I saw on my work inbox like 50 returned mails from people that knew and I dont know, all of them sent on friday. Also 6 machines that had shared access got virused badly, two guys formatted their machines, My machine was very unusuable I couldnt use exe extension files, a lot of errors, I removed the virus manually and also I switched to Norton Antivirus and scanned the machine like 3 times, and then I enabled the email protection and all is good now. But that **** virus gave me a headeache for a while.
The funny thing It got worse than Melissa virus at least for me.

[jray]

I've had two calls to remove this nasty bugger so far. Quite sneaky this one; after downloading and running the fix from Norton, I checked the setup for the installed NAV, the virus had actually put itself in the list of excluded files! Also with WinME it likes to infect the _RESTORE folder, which cannot be cleaned or quaranteened, even from safe mode. I had to restart to command prompt with a 98 boot disk, remove attributes of folder, rename it, reboot, scan the new folder, delete infected files, reboot with 98, rename cleaned folder back to _RESTORE, reboot, rescan, and finally rid the system of the virus. Quite nasty....

[nodnerb2]

I have been sent this one twice in 3 days. It has come fromt he same source bopth times but with a different "sender" and a different title to the attachment. The second one was slightly larger than the first. The first time I deleted it without downloading it. The second time I was going to sent it to Symantec for confirmation of what it was but it was identified by NAV as it was being downloaded. I guess it does pay to keep ya Virus defs up to date.

Nodnerb2

[JohnC]

Trend Micro (PC-Cillin/OfficeScan95) has done an excellent job of stopping this critter in its tracks! We received two hits on Monday morning and their Scanmail killed it in the mail queue before it hit any clients.

Trend also has a nice write-up on how this thing works. Check out www.trend.com and click on the Advisories button.

[DaHazeMan]

I'm with JohnC - PC-Cillin stopped it before it affected my computer. I emailed everyone in my address book anyway to warn them. This is before all the write-ups were available online.

I got this one at work as well - it seems it hides itself in the Recycle Bin on Win98 machines. And it adds a line to the autoexec.bat file. The problem (from its end) is that we have all the computers set to delete all history and deleted files when the user logs off - preventing it from being there when you or the next person logs in. It seems that it kept adding a new identical line to the autoexec.bat file every time we shut down - corrupted the rundll32.exe file as well.

We booted to a DOS prompt, removed the lines in the autoexec.bat file, re-extracted rundll32.exe from the cabinet file and all was good.

But at home my PC-Cillin did the trick by not letting it in!