
List:       focus-virus
Subject:    Re: SirCam damage or infections: ...
From:       "Oliver Rochford" <webmaster () meridian-consulting ! de>
Date:       2001-07-31 16:36:37

Yes,
three infected machines were unable to reboot, although I didn't check
whether the hard drive was wiped clean, or just the master boot record.
Oliver Rochford

Oliver Rochford

Meridian Computer
Grossestr.58
49565 Bramsche
Tel: 05461969696
Fax: 05461945372
www.meridian-computer.de
----- Original Message -----
From: Pete Sherwood <petersherwood@home.com>
To: <vuln-dev@securityfocus.com>; <SECURITY-BASICS@securityfocus.com>;
<focus-virus@securityfocus.com>
Sent: Tuesday, July 31, 2001 3:58 AM
Subject: SirCam damage or infections: ...


> Greetings all,
>
> I hate to cross post this to all three forums but the SirCam discussions
> seem to be taking place in all three places but not always cross posted.
>
> I just read about someone (in alt.comp.virus) who had his entire hard drive
> wiped clean by SirCam. It's not October 16 yet!  I'm trying to figure out
> exactly how this happened.
>
> My question is:
>
> Has anyone else heard of or dealt with incidents where local or network
> drives have been infected and/or wiped clean by SirCam?
>
> Background information:
> =====
> From: http://sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html
>
> 6. The worm is network aware, and it will enumerate the network resources
> to infect shared systems. If any are found, it will do the following:
> Attempt to copy itself to <Computer>\Recycled\Sirc32.exe
> Add the line "@win \recycled\sirc32.exe" to the file
> <Computer>\Autoexec.bat
> Copy <Computer>\Windows\Rundll32.exe to <Computer>\Windows\Run32.exe
> Replace <Computer>\Windows\rundll32.exe with C:\Recycled\Sirc32.exe
>
> 7. There is a 1 in 33 chance that the following actions will occur:
> The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe
> The worm copies itself as "Microsoft Internet Office.exe" to the folder
> referred to by the registry key:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
> Folders\Startup
>
> 8. There is a 1 in 20 chance that on October 16th of any year, the worm
> will recursively delete all files and folders on the C drive.
> This payload functions only on computers which use the date format D/M/Y
> (as opposed to M/D/Y or similar formats).
>
> Additionally, the payload will always activate immediately, regardless of
> date and date format, if the file attached to the worm contains the
> sequence "FA2" without the letters "sc" following immediately.
>
> ===== end of paste =====
>
> Given that SirCam is aware of Networks and Vulnerable Shares, I am
> conjecturing that this malware may ALSO have the potential of deleting the
> entire contents of someone's bootable drive if shared with no password
> protection in place. This is exactly what happened with Worm.ExploreZip. At
> first it was described as able to enumerate shares and infect them. Then
> later many of us found out it also did extensive and serious damage to
> shares :(
>
> Thanks,
> Pete Sherwood
> 613-260-0612 (home/office)
> 613-591-8900 ext. 525 (voice-mail)
> PGP and Thawte digital keys available @
> http://members.home.net/petersherwood/
> Founding member of http://AVIEN.org
> Anti-Virus Information Exchange Network
>

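A defender-side check for the host artefacts listed in the quoted Symantec write-up, added here as an example and not part of the thread or of any vendor tool: it walks a drive root (or a mounted share root, since the worm also writes these paths onto open shares) case-insensitively and reports which SirCam indicators are present. The Windows 9x default Startup folder path and the sample tree it builds are assumptions constructed for the demo.

```python
from pathlib import Path
import tempfile

# Indicators from the quoted write-up, as paths relative to a drive or share root.
# The Startup path is the assumed Windows 9x default behind the Shell Folders\Startup key.
FILE_INDICATORS = {
    "Recycled/Sirc32.exe": "worm body dropped in the Recycled folder",
    "Windows/Scmx32.exe": "worm copy Scmx32.exe (1-in-33 branch)",
    "Windows/Run32.exe": "original rundll32.exe saved as Run32.exe, so rundll32.exe was replaced",
    "Windows/Start Menu/Programs/Startup/Microsoft Internet Office.exe": "worm copy in Startup",
}
AUTOEXEC_LINE = "@win \\recycled\\sirc32.exe"  # line the worm appends to Autoexec.bat


def _find_ci(root: Path, rel: str):
    """Resolve rel under root case-insensitively: FAT/NTFS ignore case, but this
    scanner may run on a case-sensitive host against a mounted share."""
    cur = root
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur


def check_sircam_indicators(root) -> list[str]:
    """Return a human-readable finding for every indicator present under root."""
    root = Path(root)
    findings = []
    for rel, why in FILE_INDICATORS.items():
        hit = _find_ci(root, rel)
        if hit is not None and hit.is_file():
            findings.append(f"{rel}: {why}")
    autoexec = _find_ci(root, "Autoexec.bat")
    if autoexec is not None and autoexec.is_file():
        for line in autoexec.read_text(errors="replace").splitlines():
            if line.strip().lower() == AUTOEXEC_LINE:
                findings.append(f"Autoexec.bat: startup line {line.strip()!r}")
    return findings


def build_sample_root() -> Path:
    """Constructed sample tree (not a real infection): mixed-case worm drop,
    saved rundll32 copy and the Autoexec.bat line; no Scmx32/Startup copies."""
    root = Path(tempfile.mkdtemp())
    (root / "Recycled").mkdir()
    (root / "Recycled" / "SIRC32.EXE").write_bytes(b"MZ constructed placeholder")
    (root / "Windows").mkdir()
    (root / "Windows" / "rundll32.exe").write_bytes(b"MZ constructed placeholder")
    (root / "Windows" / "Run32.exe").write_bytes(b"MZ constructed placeholder")
    (root / "Autoexec.bat").write_text("@echo off\r\n@win \\recycled\\sirc32.exe\r\n")
    return root
```

Point it at a drive letter or a mounted share root; an empty result on a clean host is the expected baseline.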