The Shakespeare Conference: SHK 12.1943  Saturday, 4 August 2001

From:           Hardy M. Cook <This email address is being protected from spambots. You need JavaScript enabled to view it.>
Date:           Saturday, August 04, 2001
Subject:        TROJ_SIRCAM.A

Dear SHAKSPEReans:

I normally do not post messages to the list that involve viruses. In the
past, the majority of these viruses were hoaxes or myths. This is not
the case nowadays. There is a particularly nasty worm on the Internet
now -- TROJ_SIRCAM.A. Trend Micro, makers of PC-cillin antivirus
software <http://www.antivirus.com/>, identify it as the most active
virus on the Internet last week. This list has received probably 300
messages that are infected with it. Fortunately, PC-cillin identifies
these message bombs, and all one has to do is delete the file and thus
avoid becoming infected. In fact, it is a very good idea to delete any
e-mail that has an attachment with these .com, .pif, .inf, .exe
extensions. Opening a file with one of these extensions, most likely
will infect your computer and in turn all of the people in your e-mail
address book. One member of this list has had to signoff because his
computer became infected. The other day, Bruce Young sent this message:

A couple of days ago I received an e-mail from another member of this
list with an odd message ("Hi! How are you? I send you this file in
order to have your advice.  See you later. Thanks") and an attachment.
The only thing is, he never sent the e-mail.  Apparently it was sent
automatically as a result of the SirCam virus infecting his computer or
that of someone else on the list. What confirms this theory is that he
and I have never corresponded by e-mail before; our only contact appears
to be through membership on SHAKSPER.

The Southwest Texas State computer help desk sent me the following
interesting message:

The Sircam virus is an all-out epidemic at this point, chiefly because
it spreads through mechanisms just like the ones you described. If you
are in a news or chat group that requires you to send and receive
cookies, then your email address probably slipped into [the sender's]
cache file.  once infected, the worm sends mass mail to everyone in that
cache, thus the rapid spread of this virus.

What is, perhaps, even more interesting, is that the e-mail didn't
necessarily come from [the supposed sender]. The Sircam virus can attach
random recipients' names to the "from" line of the email message. Thus,
anyone on the discussion list who is infected may have pulled both your
email address and [another] email address from their computer's internet
cache file and sent the email.

It is a highly sensible idea to instruct all parties on the discussion
list to scan their computers for the Sircam virus, especially since most
email readers do not view the message headers of their new mail and
cannot truly identify a sender of these virused attachments.

I would add my encouragement to everyone on SHAKSPER to check their
computers for the virus, checking first in the recycle bin but then on
the computer in general, as noted in the following instructions, I
believe from an infected friend of mine: "Click on your recycle bin
(that's where the virus hides at first), then, to be sure, perform a
Search on your computer (if you're using Windows, use the  "Find"
feature) to look for files named SirC32.exe or SCam32.exe.  If these
files appear, you are infected."

I have information on how to get rid of the virus, but I'll assume for
now that anyone who is infected will know what to do or will get
professional help.  Apparently your computer can crash while you are
trying to get rid of the virus.  But not getting rid of it is even

Good luck.
Bruce Young

Bruce's advice is good. Nonetheless, no one can receive a virus/worm
from messages from SHAKSPER, the reason being that these messages are
text files with no attachments. To become infected, the user has to open
an infected attachment. Below is the information that Trend Micro has on
TROJ_SIRCAM.A. I am not associated with Trend Micro other than being a
satisfied user of PC-cillin.


- - - - - - - - - - -
Trend Micro



SCAM.A, TROJ_SCAM.A, W32.Sircam.Worm@mm

Risk rating:  Medium Risk
Virus type:   Trojan
Destructive:  Y

This worm is a high-level program created in Delphi that propagates via
email using SMTP commands. It sends copies of itself to all addresses
listed in an infected user's address book and in temporary Internet
cached files. It arrives with a random subject line, and an attachment
by the same name.

This worm also propagates via shared network drives.

To manually remove the Trojan

Restore your system configurations through the registry.

If you are connected to the network, disconnect your computer from the

Rename REGEDIT.EXE to REGEDIT.COM. If you want to use the fix tool,
there is no need to rename the file

Click Start>Run, type REGEDIT and then press Enter.

In the left panel, click the (+) left of each of the below:

In the right panel, look for and then delete the registry value called

In the left panel, click the (+) left of each of the below:

Click SirCam and then press the Delete key.

In the left panel, click the (+) left of each of the below:

In the right panel, right-click the (Default) value, then choose Modify.
Change "C:\Recycled\SirC32.exe""%1"%* to "%1" %*. In other words, remove

(continued from profile page)

In the wild: Yes
Trigger condition 1: Upon execution
Payload 1: Deletes Files (propagates via email and shared network
Detected by pattern file#: 917
Detected by scan engine#:  5.450
 English, Spanish
Platform: Windows
Encrypted: No
Size of virus: 137,216 Bytes

This worm arrives as an email attachment with two extension names (i.e
FNAME.EX1.EX2). FNAME.EX1 is a random file chosen from an infected
user's personal folder, referred to in the below entry:

Explorer\Shell Folders, Personal

EX2 can have a .LNK, .EXE, .COM, .BAT or .PIF filename. The email
arrives in English or Spanish as follows:
Subject:(name of attached file)
Message Body:
Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks

Hola como estas ? Te mando este archivo para que me des tu punto de
Nos vemos pronto, gracias.

Line 2 of the message can also be any of the following:
I hope you like the file that I sendo you
This is the file with the information that you ask for
I hope you can help me with this file that I send

Este es el archivo con la informacion que me pediste
Espero te guste este archivo que te mando
Espero me puedas ayudar con el archivo que te mando

The attachment is a copy of the worm merged with a randomly chosen file
from the sender's computer. When opened, it copies the worm to hidden
files, SCAM32.EXE in the System directory and SIRC32.EXE in the Recycled
The worm modifies the below to execute at every Windows startup:


It modifies the below to execute when an .EXE file is run:
HKCR\exefile\shell\open\command= ""C:\Recycled\SirC32.exe" "%1" %*

It also creates the below registry where it stores its data:

To hide its malicious activities, it extracts the appended host file to
the Temp and Recycled folders, then opens it with the default
application it is associated with (.DOC with MS Word or Wordpad, .XLS
with MS Excel, .ZIP with WinZip). The Temp folder varies depending on a
computer's setting. Infected users may use the "set" command in the
command prompt to check this folder's actual path.
The worm then searches for files containing email addresses such as .WAB
(Windows Address Book) and .HTM, and sends emails to the addresses. The
host file appended at the end of the worm may contain a .DOC, .XLS, or
.ZIP file that is taken from a folder specified in the below entry:

CurrentVersion\Explorer\Shell Folders, Personal

It saves the path and filename of host files to the SCD.DLL file and the
email addresses it gathered to SC??.DLL files (i.e SCI1.DLL and
SCW1.DLL), all hidden and saved in the Systemdir (C:\Windows\System)
The worm file stores in the registry the number of email addresses

To propagate, it tries to connect to the server that sent an infected
email. If it fails, it tries to connect to three other email servers
whose addresses are stored within the worm body and are random in
nature. Upon connection, it uses a stored list of SMTP commands to
create and send mail over the Internet.

To infect via shared drives, it lists all existing connections. If it
finds a folder with write access, it searches for and copies itself to
SIRC32.EXE in the Recycled folder. If it finds an AUTOEXEC.BAT file in
the folder, it opens this and appends:

It searches the shared folder for a Windows directory, then copies
RUNDLL32.EXE to RUN32.EXE and itself to RUNDLL32.EXE.

When a computer is infected via the network, it activates only upon
reboot. NT-based OS are safe from this type of attack.

Occasionally, it copies itself to files other than SIRC32.EXE,
SCAM32.EXE, or RUNDLL32.EXE. When executed, it deletes all files and
folders in the system. Not all files in the default Windows folder are
erased since some may currently be in use.

S H A K S P E R: The Global Shakespeare Discussion List
Hardy M. Cook, This email address is being protected from spambots. You need JavaScript enabled to view it.
The S H A K S P E R Webpage <http://ws.bowiestate.edu>

Subscribe to Our Feeds


Make a Gift to SHAKSPER

Consider making a gift to support SHAKSPER.