On 17th or 18th July, a new virus called "Sircam" was discovered, and anti-virus programs could not detect it. It sent e-mail to all the contacts in the address book and to the addresses it found on the Web pages visited on the Internet. It attached a document or an image taken from the infected computer, and these attachments could be rather large. This, together with how rapidly it spread, is why many service providers and e-mail boxes were overloaded soon after Sircam was launched onto the Net.
It spread so fast because the sender was often an acquaintance. Besides, the subject was taken from the name of the attached file, which made everything seem normal. The message itself was cunning:
Hi! How are you?
I send you this file in order to have your advice.
See you later. Thanks.
There are some small variations, but the content is very similar. It was written in English or in Spanish.
Follow the instructions below to delete "Sircam" if your anti-virus program does not detect it. The first thing you should do is update your anti-virus program, since current versions already detect it; but if, for any reason, you cannot or do not want to, bear in mind that the virus is located in the recycle bin (the "recycled" folder) and in the Windows "system" directory. In the recycle bin there are two hidden copies: "Sirc32.exe" and the one used to build the attachment when messages are sent. In the "system" folder there is a file called "Scam32.exe".
Enter "C:\windows\system" and erase the file "Scam32.exe". Immediately afterwards, in MS-DOS mode ("Start" menu; then, "Programs"), type the following:
"C:\windows>cd.." (hit the "enter" key or "intro")
"C:\>cd recycled" (enter)
"C:\recycled>attrib -h -r -s" (enter)
"C:\recycled>del sirc32.exe" (enter; if you notice another file with the virus, delete it as well; type "C:\recycled>dir" to see what the recycle bin contains)
"C:\recycled>exit" (enter)
Now, on the Start menu, click on "Run" and type "regedit.bat". If nothing happens, type "C:\>copy regedit.exe regedit.bat" in MS-DOS mode and then run "regedit.bat" again. The registry editor window will then open.
The next step is to search the registry for "sirc32" and "scam32" and to remove every entry the virus has added. Where you find the line "C:\recycled\sirc32.exe", replace it with "%1" %*, that is, inverted commas, the percentage symbol, one, inverted commas, a space, the percentage symbol and an asterisk. Save all the changes and close the registry editor. If you make a mistake and have problems with your computer, type the following in MS-DOS mode: "C:\>scanreg /restore", and pick one of the registry backups you will see there, but make sure it is virus-free by checking its date.
Next, click on the Start menu button and select "Search". Type "rundll32.exe" and check the size of the file. If it is much bigger than 24 Kb (the copy the virus leaves behind is about 131 Kb), then, in MS-DOS mode, type the following:
"C:\windows>attrib -h -r -s rundll32.exe" (enter)
"C:\windows>del rundll32.exe" (enter)
Now restore the original "rundll32.exe", which the virus renamed to "run32.exe", by typing:
"C:\windows>attrib -h -r -s run32.exe" (enter)
"C:\windows>ren run32.exe rundll32.exe" (enter)
Then type "C:\>edit autoexec.bat", and if you see the line "@win\recycled\SirC32.exe", delete it. Click on the Start menu, choose "Search", and look for "scd1.dll" and then for "sdc.dll". If you find them, delete them: the former stores the e-mail sent by the virus and the latter attaches the documents to it.
Finally, turn off your computer and wait for a few seconds. Then search your computer for the infected files ("Start" menu, "Search"), and if you do not find any, congratulations: you have removed the virus.
Once all these steps are done, the virus should have been stopped. However, it would be wise to update your anti-virus program and scan your computer.
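As an added defender-side example (not part of the original article), the following Python script turns the indicators listed in the steps above into an offline check: the dropped files, the oversized rundll32.exe, the two helper DLLs, the autoexec.bat line and any sirc32/scam32 entries in a regedit export. The drive tree it scans and the registry export text are constructed samples, so it runs without a real infection.

```python
import os
import tempfile
# Indicators taken from the removal steps above (paths relative to the drive root).
SIRCAM_FILES = [
    os.path.join("recycled", "sirc32.exe"),
    os.path.join("windows", "system", "scam32.exe"),
    os.path.join("windows", "run32.exe"),  # the original rundll32.exe after the worm renamed it
]
HELPER_DLLS = {"scd1.dll", "sdc.dll"}      # mail store and attachment helper named above
RUNDLL32_MAX = 24 * 1024                   # a clean rundll32.exe is about 24 KB

def scan_for_sircam(root, reg_export=""):
    """Return the Sircam indicators found under `root`; `reg_export` is optional regedit export text."""
    findings = []
    for rel in SIRCAM_FILES:
        if os.path.isfile(os.path.join(root, rel)):
            findings.append("file present: " + rel)
    rundll = os.path.join(root, "windows", "rundll32.exe")
    if os.path.isfile(rundll) and os.path.getsize(rundll) > RUNDLL32_MAX:
        findings.append("rundll32.exe oversized: %d bytes" % os.path.getsize(rundll))
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in HELPER_DLLS:
                findings.append("helper dll: " + os.path.relpath(os.path.join(dirpath, name), root))
    autoexec = os.path.join(root, "autoexec.bat")
    if os.path.isfile(autoexec):
        with open(autoexec, errors="replace") as fh:
            if any("sirc32.exe" in line.lower() for line in fh):
                findings.append("autoexec.bat launches sirc32.exe")
    for line in reg_export.splitlines():
        if "sirc32" in line.lower() or "scam32" in line.lower():
            findings.append("registry: " + line.strip())
    return findings

def build_sample_tree(infected):
    """Constructed sample drive tree for the demo; `infected` plants the indicators."""
    root = tempfile.mkdtemp()
    for parts in (("windows", "system"), ("recycled",)):
        os.makedirs(os.path.join(root, *parts))
    with open(os.path.join(root, "windows", "rundll32.exe"), "wb") as fh:
        fh.write(b"\0" * (131 * 1024 if infected else 24 * 1024))  # 131 KB when replaced
    with open(os.path.join(root, "autoexec.bat"), "w") as fh:
        fh.write("@echo off\n" + ("@win\\recycled\\SirC32.exe\n" if infected else ""))
    if infected:
        for rel in SIRCAM_FILES + [os.path.join("windows", "system", "scd1.dll")]:
            open(os.path.join(root, rel), "wb").close()
    return root

# Constructed regedit export fragment with the hijacked .exe association (hypothetical text).
INFECTED_REG = '[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\n@="C:\\\\recycled\\\\sirc32.exe \\"%1\\" %*"\n'
```

Calling `scan_for_sircam(build_sample_tree(True), INFECTED_REG)` lists all seven indicators, while the clean tree yields an empty list.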
Miquel Molina i Diez
miquel@polseguera.com
Polseguera.com
July, 2001