SirCam damage or infections: ...

From: Pete Sherwood (petersherwood@home.com)
Date: 07/31/01


Message-ID: <016301c11964$48546900$0d01a8c0@sherwood>
From: "Pete Sherwood" <petersherwood@home.com>
To: <vuln-dev@securityfocus.com>, <SECURITY-BASICS@securityfocus.com>, <focus-virus@securityfocus.com>
Subject: SirCam damage or infections: ...
Date: Mon, 30 Jul 2001 21:58:23 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings all,

I hate to cross-post this to all three forums, but the SirCam discussions
seem to be taking place in all three places and are not always cross-posted.

I just read about someone (in alt.comp.virus) who had his entire hard drive
wiped clean by SirCam. It's not October 16 yet! I'm trying to figure out
exactly how this happened.

My question is:

Has anyone else heard of or dealt with incidents where local or network
drives have been infected and/or wiped clean by SirCam?

Background information:
=====
From: http://sarc.com/avcenter/venc/data/w32.sircam.worm@mm.html

6. The worm is network aware, and it will enumerate the network resources
to infect shared systems. If any are found, it will do the following:
Attempt to copy itself to <Computer>\Recycled\Sirc32.exe
Add the line "@win \recycled\sirc32.exe" to the file
<Computer>\Autoexec.bat
Copy <Computer>\Windows\Rundll32.exe to <Computer>\Windows\Run32.exe
Replace <Computer>\Windows\rundll32.exe with C:\Recycled\Sirc32.exe

7. There is a 1 in 33 chance that the following actions will occur:
The worm copies itself from C:\Recycled\Sirc32.exe to %Windows%\Scmx32.exe
The worm copies itself as "Microsoft Internet Office.exe" to the folder
referred to by the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

8. There is a 1 in 20 chance that on October 16th of any year, the worm
will recursively delete all files and folders on the C drive.
This payload functions only on computers which use the date format D/M/Y
(as opposed to M/D/Y or similar formats).

Additionally, the payload will always activate immediately, regardless of
date and date format, if the file attached to the worm contains the
sequence "FA2" without the letters "sc" following immediately.

===== end of paste =====

Given that SirCam is aware of Networks and Vulnerable Shares, I am
conjecturing that this malware may ALSO have the potential of deleting the
entire contents of someone's bootable drive if shared with no password
protection in place. This is exactly what happened with Worm.ExploreZip. At
first it was described as able to enumerate shares and infect them. Then
later many of us found out it also did extensive and serious damage to
shares : (

Thanks,
Pete Sherwood
613-260-0612 (home/office)
613-591-8900 ext. 525 (voice-mail)
PGP and Thawte digital keys available @
http://members.home.net/petersherwood/
Founding member of http://AVIEN.org
Anti-Virus Information Exchange Network

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO2YQqromytMtxLfsEQKkMQCdGj+LS/4eCcK0MxQDBYKCxohpkmgAoJ+N
tTFiFkUbSg4x2zhUwA9nAdx7
=puNc
-----END PGP SIGNATURE-----
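The Symantec description quoted in the post lists the filesystem traces SirCam leaves on a share it reaches: the `Recycled\Sirc32.exe` copy, the `@win \recycled\sirc32.exe` line in `Autoexec.bat`, the `Run32.exe` backup of `rundll32.exe`, the replaced `rundll32.exe`, the `Scmx32.exe` copy and the `Microsoft Internet Office.exe` copy in the Startup folder. The script below is an added example, not code from the post or from Symantec: it walks a directory tree standing in for a mounted drive or network share and reports which of those traces are present, flagging the `rundll32.exe` replacement by comparing its hash with `Sirc32.exe`. The Startup folder path is an assumption (on a live system it comes from the registry key quoted above, which an offline scan cannot read), and the sample trees it builds are constructed placeholders, not worm bytes.

```python
"""Offline check for the SirCam share-infection traces quoted in the post.

Added example (not from the original post or from Symantec). The Startup
folder location is an assumption; the real one is in the registry key the
post quotes. Sample share trees are constructed placeholders, not the worm.
"""
import hashlib
import os
import tempfile

# Artefacts named in the quoted description (paths relative to the share root).
SIRC32 = ("Recycled", "Sirc32.exe")
AUTOEXEC = ("Autoexec.bat",)
AUTOEXEC_LINE = "@win \\recycled\\sirc32.exe"
RUN32_BACKUP = ("Windows", "Run32.exe")
RUNDLL32 = ("Windows", "rundll32.exe")
SCMX32 = ("Windows", "Scmx32.exe")
# Assumed Startup folder path; read the quoted registry key on a live system instead.
STARTUP = ("Windows", "Start Menu", "Programs", "StartUp")
STARTUP_COPY = "Microsoft Internet Office.exe"


def _resolve(root, parts):
    """Resolve a path case-insensitively: Windows shares ignore case, the scanning host may not."""
    cur = root
    for part in parts:
        try:
            entries = os.listdir(cur)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_share(root):
    """Return the sorted list of indicator names found under root (empty list means clean)."""
    findings = set()
    sirc32 = _resolve(root, SIRC32)
    if sirc32:
        findings.add("recycled_sirc32")
    autoexec = _resolve(root, AUTOEXEC)
    if autoexec:
        with open(autoexec, "r", errors="replace") as f:
            if any(AUTOEXEC_LINE in line.lower() for line in f):
                findings.add("autoexec_run_line")
    if _resolve(root, RUN32_BACKUP):
        findings.add("rundll32_backup_run32")
    # rundll32.exe is "replaced with C:\Recycled\Sirc32.exe": the two files become identical.
    rundll32 = _resolve(root, RUNDLL32)
    if rundll32 and sirc32 and _sha256(rundll32) == _sha256(sirc32):
        findings.add("rundll32_replaced_by_worm")
    if _resolve(root, SCMX32):
        findings.add("scmx32_copy")
    if _resolve(root, STARTUP + (STARTUP_COPY,)):
        findings.add("startup_folder_copy")
    return sorted(findings)


def build_sample_share(infected):
    """Create a constructed throwaway share tree; infected=True plants every trace above."""
    root = tempfile.mkdtemp(prefix="sircam_demo_")
    os.makedirs(os.path.join(root, *STARTUP))
    os.makedirs(os.path.join(root, "Recycled"))
    legit = b"constructed placeholder standing in for the real rundll32.exe"
    fake_worm = b"constructed inert placeholder standing in for the worm body"
    with open(os.path.join(root, *RUNDLL32), "wb") as f:
        f.write(fake_worm if infected else legit)
    with open(os.path.join(root, *AUTOEXEC), "w") as f:
        f.write("@echo off\r\n")
        if infected:
            f.write("@WIN \\Recycled\\SIRC32.EXE\r\n")  # mixed case, as a share might hold it
    if infected:
        with open(os.path.join(root, *RUN32_BACKUP), "wb") as f:
            f.write(legit)  # the backup copy of the genuine rundll32.exe
        for rel in (SIRC32, SCMX32, STARTUP + (STARTUP_COPY,)):
            with open(os.path.join(root, *rel), "wb") as f:
                f.write(fake_worm)
    return root


if __name__ == "__main__":
    for label, flag in (("infected", True), ("clean", False)):
        print(label, scan_share(build_sample_share(flag)))
```

Point `scan_share()` at the mount point of a share (or a drive letter) instead of the constructed tree to use it on real data; the case-insensitive resolver matters because a Windows share mounted on a Unix scanning host may present `RECYCLED` or `Autoexec.BAT`. A clean `Autoexec.bat` and a genuine `rundll32.exe` produce no findings, so a non-empty list is worth a closer look.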
