Nasty virus attack -- Look out

Discussion in 'Credit Talk' started by bbauer, Jul 21, 2001.

  1. bbauer

    bbauer Banned

    A new and very nasty virus called the "Sircam.exe" virus was launched upon us on July 17th.

    It is circulated by email with various subject and sender lines.

    In one of them, the subject line will say "help" and another one comes from a supposed company called "dmconsulting".

    The virus can best be detected by the fact that when you open the email, no actual message is apparent, but there are two attachments. You click on the first attachment and some message will pop up which prompts you to click on the second, which is the actual virus.

    You can detect it by checking your autoexec.bat file in the root directory of your C:\ drive. The autoexec.bat file will have the line or multiple lines which say
    C:\Sirc32.exe

    That is the line(s) which activates the virus each time you boot up. It runs as a service and infects your registry too.

    You will also see the Sirc32.exe file listed in your c:\recycled\ directory.

    The easy way to kill this virus is to go to the Norton website and download a special tool they have which kills all the virus and cleans your registry all automatically.

    Lots of folks rely on McAfee for their virus protection. I would not do that. McAfee has always been a pretty weak sister compared to Norton in my opinion and McAfee did not detect this virus either. It took Norton to find and kill it.

    Most of you would not have the problems we had killing off the virus because you are not working with large server farms full of high capacity hard drives. In my case, we had to shut down all the computers and isolate them from the network and then turn the Norton tool loose on all of the computers at the same time (as much as possible).

    Since it works as a service, it spreads itself throughout the network very rapidly.

    It didn't actually ruin any programs or files, but it is a lot like the old Michelangelo virus in that it activates on the 16th of October (again) and then it will wipe out everything on the system(s). Michelangelo activated on the birthday of Michelangelo, which was some time in the spring.

    So be careful with this one. It's likely to take a good 24 hours total time to get this one killed off completely, but all the main systems are up and running now.
     
  2. tony123

    tony123 Well-Known Member

    thanks bill for the info
     
  3. bbauer

    bbauer Banned

    Here is another virus email I got this morning

    Subject: JH-House documents to Tim Hilborn
    Date: Sat, 21 Jul 2001 12:20:02 -0400
    From: "Richard Herfurth" <richardh55@home.com>
    To: bbauer1@netzero.net

    Part 1.1
    Type: Plain Text (text/plain)
    Encoding: quoted-printable

    JH-House documents to Tim Hilborn.doc.pif
    Name: JH-House documents to Tim Hilborn.doc.pif
    Type: Shortcut to MS-DOS Program (application/x-unknown-content-type-pif file)
    Encoding: base64

    Notice how the programs have the double dots in them as in
    (dot)doc(dot)pif

    Anything that has the two dots in the file name, don't open, delete quickly. Hold down the shift key and then hit the delete key.
     
  4. Surphie

    Surphie Well-Known Member

    Thanks Bill,

    I've got 16 of those emails already and I've got the McAfee alert email message (I subscribe to their virus alerts mailing list - I currently have Norton AntiVirus installed on my puter though).

    I just deleted the emails, and in my case the infected email came from addresses that I didn't recognize.




    **VIRUS ALERT - W32/SirCam@MM (Sir Cam Virus)**
    ------------------------------------------------------------

    [This message is brought to you as a subscriber to the
    McAfee.com Dispatch. To unsubscribe, please follow the
    instructions at the bottom of the page.]


    McAfee.com has seen a large and growing number of consumer
    computers infected with W32/SirCam@MM. This is a HIGH RISK
    VIRUS FOR CONSUMERS. The infected email can come from
    addresses that you recognize. Attached is a file with two
    different extensions. The file name itself varies.

    The email message can appear as follows:

    Subject: [filename (random)]
    Body: [content varies]


    Hi! How are you?
    I send you this file in order to have your advice
    or I hope you can help me with this file that I send
    or I hope you like the file that I sendo you
    or This is the file with the information that you ask for
    See you later. Thanks

    --- the same message may be received in Spanish ---

    Hola como estas ?
    Te mando este archivo para que me des tu punto de vista
    or Espero me puedas ayudar con el archivo que te mando
    or Espero te guste este archivo que te mando
    or Este es el archivo con la información que me pediste
    Nos vemos pronto, gracias.

    The virus searches for .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG,
    .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder
    and attempts to send copies of these documents to email
    recipients found in the Windows Address Book and addresses
    found in cached files.

    For detection and removal instructions for the Sir Cam Virus,
    click here.
    -> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=2371
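
The double-extension check that post 3 and the McAfee alert above describe, as an added example that is not part of the thread: it walks a MIME message and flags only attachments whose final extension is executable and sits behind a decoy extension, so names like `photos.tar.gz` are not flagged. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: extensions Windows runs on double-click; list chosen for illustration.
EXECUTABLE_EXTS = {"pif", "exe", "com", "bat", "lnk", "scr"}


def is_disguised(filename: str) -> bool:
    """True when an executable extension hides behind another extension,
    e.g. 'x.doc.pif'. Trailing dots and spaces are stripped first because
    Windows ignores them when resolving the file type."""
    parts = filename.strip().rstrip(". ").lower().split(".")
    # Need base name + decoy extension + real (executable) extension.
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] != ""


def suspicious_attachments(raw: bytes) -> list:
    """Return filenames of disguised executables in a raw e-mail message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # handles encoded/continued filename params
        if name and is_disguised(name):
            hits.append(name)
    return hits


def build_sample(filenames) -> bytes:
    """Constructed test message; attachments are harmless placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("Hi! How are you?")
    for fn in filenames:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample(["House documents.doc.pif", "photos.tar.gz", "notes.doc"])
    print(suspicious_attachments(sample))
```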
     
  5. bbauer

    bbauer Banned

    I think the right thing to do would be to send an email to the party who sent it to you telling them they are infected with the virus.

    I just sent one to richardh55@home.com
    who sent the last one to me.

    The reason I am going to do this is that many people who are infected and sending out emails to whomever may well not know they are infected, since the virus looks for other people to send itself to, unknown to the person it infects, thereby spreading the virus around the world. If everybody that's infected would send out such an email, then the virus might be more easily stopped.
     
  6. Cindy

    Cindy Well-Known Member
