Tuesday, February 07, 2012
Subject: W32.Sircam

Lee Drake
Posts:238

05/20/2002 1:33 PM  
Network Associates, Inc. interrupted my work this Monday evening to deliver an unscheduled virus signature set and the bulletin at http://vil.nai.com/vil/virusSummary.asp?virus_k=99141 about the W32/SirCam@MM Internet worm. There is also a detailed write-up that says most of the same things on the Symantec Web site at http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html.

CAUTION: As with many recent worms, this one uses double file extensions. What this means is that the attachment will be called something like Confidential.doc.lnk or Confidential.doc.pif. Both of these special extensions refer to different types of desktop shortcuts. They are classified as executable, so if you click on them, they run programs.

Background

This worm works differently in several ways than have most of the recent worms about which we have written.

New Hiding Places

This is the first worm of which I am aware that hides itself in the Recycle Bin! It actually sets a Registry key to point to the file that it hides there and actually runs it. After all, the Recycle Bin is just a hidden system folder.

Finding New Victims

Unlike many recent worms, this one does not need Microsoft Outlook in order to spread. Rather, it looks in two other places for addresses: the Windows Address Book and the cache for your Web browser. It tries to find E-Mail addresses embedded in cached pages in your Netscape Cache folders or your Internet Explorer Temporary Internet Files folders, either of which can be easily located using well known Registry keys.

How It Spreads

In addition to gathering addresses of new victims from two rather unusual sources, this worm tries to connect directly to a SMTP server, using information that it appears to take with it from the computer that sent it to you. If that user's SMTP server cannot be used because it is not an open relay, it tries the following list until it succeeds:

doubleclick.com.mx
enlace.net
goeke.net

What It Sends

Finally, this worm may succeed in stealing confidential information. It does this by embedding files that it finds on your Desktop and in your Personal folder (My Documents) into the outbound package. It looks for Excel, Word, Zip, and EXE files in both locations.

Other Random Effects

The document at http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html on the Symantec AntiVirus Research Center site lists numerous other effects that occur randomly, including filling up your hard drive with garbage, deleting files, and looking for open NETBIOS shares to infect.

What You Should Do

As always, the best advice is to always refrain from opening unexpected attachments, even from people whom you know. In addition:

- Update your anti-virus signatures. For McAfee, the minimum scan engine is 4.0.70 and the minimum data file set is 4148; you can check your version by right-clicking on the VirusScan icon in the task tray and choosing About. The Symantec site doesn't specify; it just instructs you to run LiveUpdate.

- If you are not already scanning all files, at a minimum, add the PIF and LNK extensions to the list. It's getting to the point that you may want to seriously consider setting your scanner to scan all files, though. Though the write-up at the Network Associates Web site implies that the SuperDat update program will take care of adding to the list of scanned extensions for you, when I installed the update on my two computers, it did not do so. To view and update the list, right click the VirusScan icon and choose Setup, then System Scan from the context menu. Click the button marked Extensions to view or add to the list.

- Empty the Recycle Bin. Also consider adding the Recycle Bin to the list of scanned folders. By default, it is generally excluded. However, this worm hides and actually runs from the Recycle Bin.

- If you become infected and you are running Windows ME, see the note at the bottom of the write-up on the Network Associates Web site at http://vil.nai.com/vil/virusSummary.asp?virus_k=99141 for special instructions about cleaning up your backup directory.

This concludes this VirusWarn message. Please practice safe computing.

Lee Drake, Moderator
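Added example, not part of the original post or of any vendor's tooling: a mail-filter style check that flags attachments using the double-extension pattern the CAUTION paragraph describes (a document-looking name ending in .lnk or .pif). The extension lists beyond lnk and pif, the function names and the sample message are assumptions constructed for this illustration.

```python
import email
from email import policy

# Final extensions Windows treats as runnable. "lnk" and "pif" come from the
# post; the others are an assumption added for this example.
EXECUTABLE_EXTS = {"lnk", "pif", "exe", "com", "bat", "scr"}
# Extensions a user reads as "just a document" (assumed decoy list).
DECOY_EXTS = {"doc", "xls", "zip", "txt", "jpg", "pdf"}


def is_double_extension(filename):
    """True when a document-looking name ends in an executable extension."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 3:
        return False
    decoy, final = parts[-2].strip(), parts[-1].strip()
    return final in EXECUTABLE_EXTS and decoy in DECOY_EXTS


def suspicious_attachments(raw_message):
    """Return attachment filenames in a raw RFC 822 message that match."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and is_double_extension(name):
            hits.append(name)
    return hits


# Constructed sample message (not a captured Sircam mail).
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="x"\r\n\r\n'
    b"--x\r\nContent-Type: text/plain\r\n\r\nHi\r\n"
    b"--x\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="Confidential.doc.pif"\r\n\r\nAAAA\r\n'
    b"--x\r\nContent-Type: application/msword\r\n"
    b'Content-Disposition: attachment; filename="report.v2.doc"\r\n\r\nAAAA\r\n'
    b"--x--\r\n"
)

if __name__ == "__main__":
    print(suspicious_attachments(SAMPLE))
```

A name with several dots but a harmless final extension, such as report.v2.doc, is deliberately not flagged, so the check keys on the final extension being executable rather than on the number of dots.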