Welcome to the Virus Encyclopedia of Panda Security.
Sircam activates whenever a file with an EXE extension is run, until it has performed this operation 8000 times. Once activated, it has the following effects:
- It steals personal data on infected users, such as the e-mail address and the address of the SMTP server from which the infected message was sent.
- It deletes folders from the hard disk.
This only happens when the running copy of the worm contains the text string F2 followed by text other than SC.
- It uses up all the free space on the hard disk.
In order to do this it creates a file called SIRCAM.SYS and writes text inside it until it uses all the hard disk space. This happens 1 in every 50 times that Sircam carries out its effects.
- In some cases, Sircam does not allow files with an EXE extension to be run.
In order to carry out its infection, Sircam creates the following files:
- SIRCAM.SYS in the Recycle Bin. Sircam writes text inside this file until it uses all the hard disk space.
- SIRC32.EXE is a copy of Sircam, which is located in the Recycle Bin.
- SCAM32.EXE is a copy of Sircam, which is placed in the Windows System directory.
It contains data after the text string FA; this data is described at the end of this page.
- SCD.DLL is hidden and contains a list of the files in the C:\My documents folder.
- SCx1.DLL contains a list of addresses to which the virus will send itself. The x character represents one of the following letters: Y, H, I and T. Therefore, the file name would be SCY1.DLL, SCH1.DLL, SCI1.DLL or SCT1.DLL.
- Sircam also creates a file with the same name as the file attached to the e-mail message. This file is placed in the Recycle Bin and has only one extension.
In order to ensure that it activates and carries out its infection, Sircam modifies the following entries in the Windows Registry:
- HKEY_CLASSES_ROOT\exefile\shell\open\command\Default = "C:\recycled\SirC32.exe" "%1" %*
This allows the virus to be activated whenever a file with an EXE extension is run.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Drivers32 = c:\windows\system\Scam32.exe
Through this modification the virus can be run later on.
Sircam uses this entry to save data.
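As an added example, not taken from the Panda page, the following Python triage check parses the two registry values described above (supplied here as constructed sample strings rather than read from a live registry) and reports the interposed program and any autostart entry that launches one of the worm copies:

```python
import re

# A token is either a double-quoted string or a run of non-blank characters,
# which is how Windows splits the command stored under shell\open\command.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

def interposer_in_exefile_command(command: str):
    """Return the program wedged in front of the real target in an
    exefile\\shell\\open\\command value, or None when the value is the
    clean default ("%1" %*), which simply runs the EXE itself."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(command)]
    if not tokens or tokens[0] == "%1":
        return None
    return tokens[0]

# File names the text lists as copies of the worm; any autostart entry that
# launches one of them, or anything from a Recycled folder, is a finding.
WORM_COPIES = {"sirc32.exe", "scam32.exe"}

def suspicious_run_entries(entries: dict) -> list:
    """entries maps value name -> command, as exported from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices.
    Returns (value name, reason) pairs for entries worth a closer look."""
    findings = []
    for name, command in entries.items():
        tokens = TOKEN_RE.findall(command)
        if not tokens:
            continue
        exe = tokens[0].strip('"').lower()
        basename = exe.rsplit("\\", 1)[-1]
        if basename in WORM_COPIES:
            findings.append((name, "launches worm copy " + basename))
        elif "\\recycled\\" in exe:
            findings.append((name, "autostart from the Recycle Bin folder"))
    return findings

# Constructed sample values: the two entries the text describes, the clean
# default for contrast, and a made-up benign service entry.
SAMPLE_EXEFILE = r'"C:\recycled\SirC32.exe" "%1" %*'
DEFAULT_EXEFILE = '"%1" %*'
SAMPLE_RUNSERVICES = {
    "Drivers32": r"c:\windows\system\Scam32.exe",
    "ExampleService": r"c:\windows\system\example.exe",
}

if __name__ == "__main__":
    print(interposer_in_exefile_command(SAMPLE_EXEFILE))
    print(suspicious_run_entries(SAMPLE_RUNSERVICES))
```

On a real host the same values would be obtained with reg export or the winreg module before being passed to these functions.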
Means of transmission
Sircam spreads via e-mail and networks with Windows NT workstations, in the following way:
Infection carried out via e-mail follows this routine:
- If the file attached to the message is run, Sircam infects a file in the victim computer by copying itself to the beginning of it.
- It adds a second extension to the infected file (such as VBS or JPG).
- It spreads automatically by sending the file that it has just infected to all the contacts in the Address Book.
It also looks for other e-mail addresses in files that meet any of the following requirements:
- Its name starts with “SHO” (sho*.). The addresses it finds are stored in the file SCY1.DLL.
- Its name starts with “GET” (get*.). The addresses it finds are stored in the file SCH1.DLL.
- Its name starts with “HOT” (hot*.). The addresses it finds are stored in the file SCH1.DLL.
- Web pages with an HTM extension. The addresses it finds are stored in the files SCI1.DLL and SCT.DLL.
- Word documents with a DOC extension. The addresses it finds are stored in the file SCD.DLL.
- Excel spreadsheets with an extension. The addresses it finds are stored in the file SCD.DLL.
- Compressed files in WinZip with a ZIP extension. The addresses it finds are stored in the file SCD.DLL.
- Address books with a WAB extension. The addresses it finds are stored in the file SCW.DLL.
Infection carried out via networks with Windows NT workstations follows this routine:
- Sircam finds the mapped network disk drives on the infected computer.
- It looks for the communication ports available in the mapped drives it has found. Its objective is to spread through the network by sending itself through each of these ports.
It scans the \Recycled and \Windows directories and the \Windows\Run32.exe and \Windows\Rundll32.exe files in the mapped drives it has found.
If it does not find these files, it does not infect these mapped drives.
If it finds the \Recycled directory, it copies the file SIRC32.EXE in it and inserts the line @win \recycled\SirC32.exe in the AUTOEXEC.BAT file. By doing this it will infect the computer the next time it is started up.
If it finds the \Windows\system directory, it copies the file SCAM32.EXE to it and runs it.
- It infects the RUNDLL32.EXE system file.
- It looks for Word documents with a DOC extension in the \MY DOCUMENTS directory. If it finds them, it saves them in the file SCD.DLL in order to send itself to them.
- The code corresponding to the source program of Sircam contains the following copyright text, which indicates the possible origin of the worm:
[SirCam Version 1.0 Copyright. 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]
- Each file it creates in the infected computer (copies of itself) contains data that Sircam uses to achieve its goals. This data provides information to Sircam and is stored in files in the following way:
- The string SC is added to the string FA2, resulting in: FA2sc.
- The e-mail address of the user that has sent the infected message is added to the string FA5. For example: FA5travel@maui.net.
- To the FA8 string, it adds a number that represents the offset of the file that Sircam has included after the worm. For example, FA8123456 indicates that the offset of the file is 123,456 bytes.
- In the case of the SIRC32.EXE file (copy of the worm), there are only eight blank spaces after the FA8 string.
- To the FA9 string, it adds the name of the SMTP server that corresponds to the user that has sent the infected message. For example: FA9smtp.maui.net.
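As an added example, not code from the Panda page, the following Python parser extracts the FA2/FA5/FA8/FA9 fields described above from a carrier file and uses the FA8 offset to split the appended original document off the worm body. The exact byte layout is this example's assumption (each tag followed directly by its value, values ending at the next tag, a NUL byte or the end of the data), and the worm body and host document are constructed stand-ins, not real Sircam bytes:

```python
import re
from typing import Optional

# Marker fields the text describes inside every copy of the worm. Layout is
# this example's assumption: an "FAn" tag is followed directly by its value,
# which runs until the next tag, a NUL byte, or the end of the data.
MARKER_RE = re.compile(rb"FA([2589])([^\x00]*?)(?=FA[2589]|\x00|\Z)")

def parse_sircam_fields(data: bytes) -> dict:
    """Return {'FA2': 'sc', 'FA5': sender, 'FA8': offset, 'FA9': smtp}.
    FA8 becomes an int, or None when it holds only blanks (the bare
    SIRC32.EXE copy, which carries no appended host file)."""
    fields = {}
    for tag, value in MARKER_RE.findall(data):
        key = "FA" + tag.decode()
        text = value.decode("latin-1").strip()
        if key == "FA8":
            fields[key] = int(text) if text.isdigit() else None
        else:
            fields[key] = text
    return fields

def recover_host_file(carrier: bytes) -> Optional[bytes]:
    """Use the FA8 offset to split the appended original file off the worm
    body; None for a bare worm copy or an offset outside the data."""
    offset = parse_sircam_fields(carrier).get("FA8")
    if offset is None or not 0 < offset < len(carrier):
        return None
    return carrier[offset:]

# Constructed stand-ins (not real Sircam bytes) used to exercise the parser.
WORM_BODY = b"<stand-in worm code>"
HOST_FILE = b"%PDF-1.4 constructed host document\n"

def build_carrier(sender: str, smtp: str, host: Optional[bytes]) -> bytes:
    """Assemble a carrier laid out as the text describes. host=None
    reproduces SIRC32.EXE, where FA8 is followed by eight blank spaces."""
    head = WORM_BODY + b"FA2sc" + b"FA5" + sender.encode()
    tail = b"FA9" + smtp.encode() + b"\x00"
    if host is None:
        return head + b"FA8" + b" " * 8 + tail
    # The offset counts everything before the host file, the 8-character
    # FA8 field included (assumed width, matching the eight blanks above).
    offset = len(head) + 3 + 8 + len(tail)
    return head + b"FA8" + b"%-8d" % offset + tail + host

if __name__ == "__main__":
    print(parse_sircam_fields(build_carrier("travel@maui.net", "smtp.maui.net", HOST_FILE)))
```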