
Thread: Virus Alert

  1. #1

    Thread Starter
    Former Admin/Moderator MartinLiss's Avatar
    Join Date
    Sep 1999
    Location
    San Jose, CA
    Posts
    33,431

    Virus Alert

    The text below is from my company's internal web site. I'm posting here because I think that those of us who try to provide help might think that the email was legitimate.

    There is a new mass mailer virus, W32/SirCam@MM, which should be regarded as high risk. The relevant email message can be identified by:
    * The "Subject" of this virus varies.
    * The body of the message also varies and may include:
        Hi! How are you?
        and: I send you this file in order to have your advice
        or: I hope you can help me with this file that I send
        or: I hope you like the file that I send you
        or: This is the file with the information that you ask for
        and: See you later. Thanks.
    * Alternatively the body of the message may be received in Spanish and may include:
        Hola como estas?
        and: Te mando este archivo para que me des tu punto de vista
        or: Espero me puedas ayudar con el archivo que te mando
        or: Espero te guste este archivo que te mando
        or: Este es el archivo con la informacion que me pediste
        and: Nos vemos pronto, gracias.

  2. #2
    Monday Morning Lunatic parksie's Avatar
    Join Date
    Mar 2000
    Location
    Mashin' on the motorway
    Posts
    8,169
    I was caught by this one, although the sender's mail server cleaned it up so I missed the virus. Is it another VBS worm?
    I refuse to tie my hands behind my back and hear somebody say "Bend Over, Boy, Because You Have It Coming To You".
    -- Linus Torvalds

  3. #3

  4. #4
    The Devil crptcblade's Avatar
    Join Date
    Aug 2000
    Location
    Quetzalshacatenango
    Posts
    9,091
    I got 3 today. It is a PIF file, and if you float the mouse over the file icon in WinME it says "This file executes text based command-line ..." so I guess it is like a compiled batch file.
    Laugh, and the world laughs with you. Cry, and you just water down your vodka.


    Take credit, not responsibility

  5. #5
    Fanatic Member Kaverin's Avatar
    Join Date
    Oct 2000
    Posts
    930
    I've not seen that particular one (or heard of it), but I have gotten a few emails from people asking VB questions, which strikes me as odd. It's never happened before. They're legit as far as I can tell though, but most of them definitely don't speak English as their first language. I just ignore most of them because I can't even make sense of them.
    I'm baaaack...
    VB5 Professional Edition, VC++ 6
    Using a 1 gHz Thunderbird, 256 mb RAM, 40 gb HD system with Win98se

    I feel special because I finally figured out how to loop midis: Post link
    I'm a fanatic too

  6. #6
    Matthew Gates
    Guest
    I keep getting sent this *****. People keep sending me files with..well, here's one I received today. I didn't even bother opening it, as it has "com" as an extension.


    From: "John Lovelace" <[email protected]>
    To: [email protected]
    Subject: SciProj6
    Date: Sun, 22 Jul 2001 21:06:46 -0400
    Attachment: SciProj6.doc.com (207k)

    Hi! How are you?

    I send you this file in order to have your advice

    See you later. Thanks

    Also got sent it the other day, but the user's Firewall said it had deleted it. Weird thing is, when I sent the person an email (cursing them off), the email address didn't exist.
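
A mail-side heuristic for the traits reported so far in this thread (the body template from the alert in post #1 and a document name with an executable extension appended, as in post #6), added here as an example and not part of any poster's message. The function names, the score threshold and the `.exe`/`.bat` entries are assumptions; the sample message is constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
# Body lines quoted in the alert in post #1, lower-cased (English, then Spanish).
OPENERS = ("hi! how are you?", "hola como estas?")
MIDDLES = (
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i send you",
    "this is the file with the information that you ask for",
    "te mando este archivo para que me des tu punto de vista",
    "espero me puedas ayudar con el archivo que te mando",
    "espero te guste este archivo que te mando",
    "este es el archivo con la informacion que me pediste",
)
CLOSERS = ("see you later. thanks", "nos vemos pronto, gracias")
# .com and .pif are the types reported in this thread; .exe and .bat are an added assumption.
EXEC_EXT = {"com", "pif", "exe", "bat"}

def double_extension(filename):
    """Return (inner, outer) for names like SciProj6.doc.com, else None."""
    parts = filename.lower().rsplit(".", 2)
    ok = len(parts) == 3 and parts[2] in EXEC_EXT and parts[1].isalnum()
    return (parts[1], parts[2]) if ok else None

def body_score(text):
    """Count how many of the three template slots (opener, middle, closer) match."""
    norm = re.sub(r"\s+", " ", text.lower())
    return sum(any(p in norm for p in slot) for slot in (OPENERS, MIDDLES, CLOSERS))

def assess(raw_message):
    """Flag a message only when a risky attachment name AND the body template agree."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    score = body_score(body.get_content() if body else "")
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [n for n in names if double_extension(n)]
    return {"attachments": risky, "body_score": score, "suspicious": bool(risky) and score >= 2}

def sample_message():
    """Constructed message modelled on the one quoted in post #6 (placeholder payload)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "SciProj6"
    m.set_content("Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later. Thanks\n")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="SciProj6.doc.com")
    return m.as_string()

if __name__ == "__main__":
    print(assess(sample_message()))
```

Because the subject varies and the sender is usually someone the recipient knows, the check keys on the attachment name and body text rather than on headers.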

  7. #7
    Monday Morning Lunatic parksie's Avatar
    Join Date
    Mar 2000
    Location
    Mashin' on the motorway
    Posts
    8,169
    I got one from John Lovelace as well

    Firstly, ZoneAlarm wrapped the attachment in a .zlo wrapper to save it being accidentally executed, then AVG decided it was a virus (I bow down to automatic updates) and locked it away.

  8. #8
    Fanatic Member Kaverin's Avatar
    Join Date
    Oct 2000
    Posts
    930
    I'm getting this feeling it's a luser from in here. Probably some punk kid heh heh. But that's the conclusion I reach knowing that it's hitting people in here, and all we have in common is that we are in here, and our emails are easily available. But it could be random. That's how this kind of junk works isn't it? As long as something blocks it, I'm happy.

  9. #9
    Retired VBF Adm1nistrator plenderj's Avatar
    Join Date
    Jan 2001
    Location
    Dublin, Ireland
    Posts
    10,359
    I have dealt with this virus a number of times over the past few days.

    One receives an email from someone you know, with an attachment. So, because you know the person you open the attachment.
    This will execute the virus; which would not be caught by the latest virus DAT files at the time of release of the virus.
    It will also show you the personal/private/confidential document you were sent.

    The virus will replace your rundll.exe and rundll32.exe files with hidden viral copies. It will also put a hidden scam32.exe file into your c:\windows\system directory.
    It will also put a hidden sirc32.exe into the \recycled\ folder.

    The virus will then try to infect other systems through windows sharing over the network. It will append a line like this:
    @win \recycled\sirc32.exe
    to the autoexec.bat file of any systems it can.

    The virus will also make 2 important registry changes.
    hkey_local_machine\software\windows\currentversion\runservices. It will add an item called "Driver32" here which runs the \windows\system\scam32.exe file.
    It will also edit hkey_classes_root\exefile\shell\open\command, and change "%1" %* (or something like that) to \recycled\sirc32.exe ....
    This means that every time you want to run a program, it runs the virus instead.

    So far I've received minutes from directors' meetings, plans, quotations.... all this other stuff I should not have received through email.

    It's a nasty bugger, but very easy to remove.
    Microsoft MVP : Visual Developer - Visual Basic [2004-2005]
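
A check for the three persistence points listed in post #9 (the "Driver32" RunServices entry, the altered exefile open command, and the sirc32.exe line in autoexec.bat), added here as an example and not part of the original post. It assumes the registry is supplied as a REGEDIT4 text export and matches keys by suffix; the function names are hypothetical and the sample data is constructed from the post's description.

```python
import re

# Stock value of exefile\shell\open\command on Windows (known default, not from the thread).
STOCK_EXE_OPEN = '"%1" %*'
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo the backslash escaping used inside .reg string values."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse string values of a REGEDIT4 export into {key_lower: {name: data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def check_host(reg_text, autoexec_text):
    """Return findings for the three persistence points named in post #9."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.endswith(r"\currentversion\runservices"):
            for name, data in values.items():
                if name.lower() == "driver32" or "scam32.exe" in data.lower():
                    findings.append(f"RunServices: {name} -> {data}")
        elif key.endswith(r"\exefile\shell\open\command"):
            if values.get("@", "").strip() != STOCK_EXE_OPEN:
                findings.append(f"exefile open command: {values.get('@', '')}")
    for line in autoexec_text.splitlines():
        if "sirc32.exe" in line.lower():
            findings.append(f"autoexec.bat: {line.strip()}")
    return findings

# Constructed samples built from the post's description (not captured from a real host).
INFECTED_AUTOEXEC = "@win \\recycled\\sirc32.exe\n"
INFECTED_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\\recycled\\sirc32.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="\\windows\\system\\scam32.exe"
'''

if __name__ == "__main__":
    for finding in check_host(INFECTED_REG, INFECTED_AUTOEXEC):
        print(finding)
```

Any exefile open command other than the stock value is reported, so the check also catches hijacks that point somewhere other than \recycled\sirc32.exe.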

  10. #10
    PowerPoster MidgetsBro's Avatar
    Join Date
    Oct 2000
    Location
    Apparently, Internet.com
    Posts
    3,125
    I was checking my email and watching TechTV at the same time... When Leo, on The Screen Savers started talking about the virus, I got the email. It was a rather strange coincidence. I knew not to open it, so I just deleted it. It wouldn't really matter to me since I have nothing in my addressbook, and my computer has nothing of good use on it. It's about time for a reformat... maybe after vacation
    <removed by admin>

  11. #11
    Fanatic Member Kaverin's Avatar
    Join Date
    Oct 2000
    Posts
    930
    I remember seeing something on there about this too MidgetsBro. We recently got digital cable, so I watch TechTV all the time.

    I don't know the lamer that sent this though. None of my friends even send me emails, much less try to give me attachments heh heh. We always talk over IM or face to face. I'm on the lookout now though.

  12. #12
    PowerPoster MidgetsBro's Avatar
    Join Date
    Oct 2000
    Location
    Apparently, Internet.com
    Posts
    3,125
    TechTV kicks ass, but my parents hate it! They say that it won't help them learn anything, then (if it's my mom) turn it on the Lifetime Movie Network (ugh! 2 hour soap operas!). Or if it's my dad, here comes the golf channel (24 hours of old guys in funny pants whacking balls with clubs).

    Well looky here! 800 posts! Never thought I'd see the day
    <removed by admin>

  13. #13
    Fanatic Member InvisibleDuncan's Avatar
    Join Date
    May 2001
    Location
    Eating jam.
    Posts
    819
    Apparently this one sends itself to people it selects from your address book, with an attachment that it chooses from the C:\My Documents directory. For some reason it's designed so that it doesn't always do this, though.
    Indecisiveness is the key to flexibility.

    www.mangojacks.com

  14. #14
    Addicted Member Eric_B's Avatar
    Join Date
    May 2001
    Location
    home sweet home
    Posts
    130
    I think I caught the virus. My AV alerted me, but it couldn't quarantine or delete the file because it was d/l in progress. Anyway, I accidentally executed the file.
    Can someone tell me how to remove it?

    Thanks in advance

  15. #15
    Retired VBF Adm1nistrator plenderj's Avatar
    Join Date
    Jan 2001
    Location
    Dublin, Ireland
    Posts
    10,359
    Microsoft MVP : Visual Developer - Visual Basic [2004-2005]

  16. #16
    Fanatic Member
    Join Date
    Aug 2000
    Posts
    736
    More info is here too: Virus Info
