Win32/SirCam usually arrives as an attachment to an email. This attachment contains not only SirCam itself, but an additional file (attached to the end of SirCam), which is 'stolen' from the Personal or Desktop directory of the sender's computer. When this attachment is run, SirCam will detach the stolen file and display it. The way in which the file is displayed depends on its suffix. If the suffix is .doc, SirCam will attempt to run WinWord. If this fails, then WordPad will be used instead. If the suffix is .xls, SirCam will run Excel. If the suffix is .zip, SirCam will run WinZip. If the suffix matches none of these, SirCam will run rundll32. Even if no suitable application can be found to display the file, SirCam will infect the system. It is possible that the stolen file might contain confidential information, or even macro viruses, in the case of WinWord and Excel documents, which SirCam will help to spread further.
SirCam begins installation by attempting to copy itself into the Recycle Bin. Once SirCam has placed itself in the Recycle Bin, where it is hidden from the view of programs such as Explorer, SirCam will copy itself to the System directory, using the name 'SCam32.exe'. A new value, Driver32, is placed in the RunServices key in the registry, which refers to the SCam32.exe file. Thus, the worm will run whenever Windows is booted.
Additionally, SirCam installs itself as the application that handles requests to run other .exe files, by changing the registry value that defines the 'Open' command for .exe files. Thus, SirCam gains control whenever an application is run. SirCam will also watch for requests to run applications in the Desktop directory. When such a request is made, SirCam will append itself to the specified file, before running the application. Thus, even if the registry is restored and the files are removed from the Recycle Bin, infected files could remain in the Desktop directory.
After installation is complete, SirCam will search the local network for computers which allow unrestricted access. SirCam will copy itself to the Recycled directory on each unprotected computer that is found and append a line to the Autoexec.bat file. The line will run the SirCam file from the Recycle Bin whenever the computer is booted. Then SirCam will rename rundll32.exe to run32.exe in the Windows directory on the remote computer, and create another copy of SirCam in its place. Neither the copying of the SirCam files to remote computers nor the emailing to other users occurs in Windows NT/2000/XP; however, each of the other effects can be observed.
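As an added example (not code from the original analysis), the following Python script flags the persistence changes described in the preceding paragraphs in a registry export and in an Autoexec.bat file: the Driver32 value under RunServices pointing at SCam32.exe, a replaced 'Open' command for .exe files, the redirected Internet Explorer Download Directory, and an Autoexec.bat line that launches something from a Recycled directory. The page names the values but not their full key paths; the paths used here (HKLM\...\RunServices, HKCR\exefile\shell\open\command) are the standard Windows locations and are assumptions of this example, as is the stock exefile open command "%1" %*. The .reg export and Autoexec.bat content are constructed samples.

```python
import re

# Constructed sample of a registry export (.reg format) as it might look on an
# infected Windows 9x host; the key locations are the standard ones, assumed here.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\SirC32.exe \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"Download Directory"="C:\\WINDOWS\\Desktop"
'''

# Constructed Autoexec.bat from a remote host that the worm reached over the network.
SAMPLE_AUTOEXEC = (
    "@ECHO OFF\r\n"
    "C:\\WINDOWS\\COMMAND\\SMARTDRV.EXE\r\n"
    "@win \\recycled\\sirc32.exe\r\n"
)

# Assumed key locations (lower-cased because the parser lower-cases key names).
RUNSERVICES = r'hkey_local_machine\software\microsoft\windows\currentversion\runservices'
EXE_OPEN = r'hkey_classes_root\exefile\shell\open\command'
IE_KEY = r'hkey_current_user\software\microsoft\internet explorer'
STOCK_EXE_OPEN = '"%1" %*'   # default exefile open command on Windows


def parse_reg_export(text):
    """Parse the subset of .reg syntax used above into {key: {value name: data}}.

    Keys and value names are lower-cased, '@' becomes '(default)', and quoted
    string data has its backslash escapes removed.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            name = '(default)' if name == '@' else name.strip('"').lower()
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            keys[current][name] = data
    return keys


def sircam_registry_indicators(reg_text):
    """Return human-readable findings for the registry changes the worm makes."""
    keys = parse_reg_export(reg_text)
    findings = []
    driver32 = keys.get(RUNSERVICES, {}).get('driver32', '')
    if 'scam32.exe' in driver32.lower():
        findings.append(f'RunServices\\Driver32 starts {driver32}')
    command = keys.get(EXE_OPEN, {}).get('(default)', '')
    if command and command != STOCK_EXE_OPEN:
        findings.append(f'exefile open command replaced with: {command}')
    download = keys.get(IE_KEY, {}).get('download directory', '')
    if download.lower().rstrip('\\').endswith('desktop'):
        findings.append(f'IE Download Directory redirected to {download}')
    return findings


def sircam_autoexec_indicators(autoexec_text):
    """Return the Autoexec.bat lines that launch anything from a Recycled directory."""
    return [line for line in autoexec_text.splitlines()
            if re.search(r'\\recycled\\', line, re.IGNORECASE)]


if __name__ == '__main__':
    for finding in (sircam_registry_indicators(SAMPLE_REG)
                    + sircam_autoexec_indicators(SAMPLE_AUTOEXEC)):
        print('INDICATOR:', finding)
```

On a live system the same checks would be run against a fresh `reg export` of the three keys rather than a saved file; the point of checking the exefile command against its stock value, rather than for a specific file name, is that it also catches a copy installed under a different name.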
The date-activated trigger is formatted as dd/mm/yy, which has limited SirCam's payload to a certain extent. There are two other ways in which the payload can be activated. One is to rename one of the three files, SirC32.exe, SCam32.exe, or rundll32.exe, to another name and run that file. The other is to run an attachment whose stolen file contains the characters 'FA2' not followed immediately by the characters 'sc'. The payload deletes all files in all directories on the drive that contains Windows.
When SirCam is run for the first time, it will change Internet Explorer's Download directory (referred to by HKCU\Software\Microsoft\Internet Explorer\Download Directory in the registry) to point to the Desktop directory.
During the second execution, SirCam will gather email addresses into files stored in the System directory. SirCam searches for email addresses in Internet Explorer's Cache directory (referred to by HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache in the registry), the user's Personal directory (referred to by HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal in the registry), and the directory that contains the Windows Address Books (referred to by HKCU\Software\Microsoft\WAB\WAB4\Wab File Name in the registry), in files whose name begins with 'sho', 'get', or 'hot', or whose suffix is 'htm' or 'wab'.
Then SirCam creates five list files: scy1.dll contains the addresses from %cache%\sho* files, sch1.dll contains the addresses from %cache%\get* and %cache%\hot* files, sci1.dll contains the addresses from %cache%\*.htm files, sct1.dll contains the addresses from %personal%\*.htm files, and scw1.dll contains the addresses found in *.wab files.
If the Address Book registry key is not found, SirCam will search for WAB files in the System directory instead. After creating the lists of email addresses, SirCam will search for files to attach to the emails that it will send. This list, called scd.dll, consists of the name of every .doc, .xls, and .zip file in the user's Personal and Desktop directories.
On the third and subsequent runs, and if an active connection to the Internet exists, SirCam will retrieve the information required to send email using SMTP. Sending mail using SMTP avoids relying on an email program such as Outlook. The SMTP information consists of the current user's email address (HKCU\Software\Microsoft\Internet Account Manager\Default Mail Account\Accounts\SMTP Email Address in the registry), the address of the email server (HKCU\Software\Microsoft\Internet Account Manager\Default Mail Account\Accounts\SMTP Server in the registry) and the user's display name (HKCU\Software\Microsoft\Internet Account Manager\Default Mail Account\Accounts\SMTP Display Name in the registry).
If this information does not exist, SirCam will use prodigy.net.mx as the email server and the user's logon name as the email address and display name. Then SirCam will attempt to connect to an email server. First, it will try the user's own email server (or prodigy.net.mx). If this fails, SirCam will attempt to connect to the email server of the person who sent the infected email. This is possible because SirCam carries within it the email information of the previously infected person. If this connection fails, then SirCam will attempt to connect to goeke.net, then enlace.net, then doubleclick.com.mx.
If one of the connections to an email server is successful, an email is constructed in the following way: if the language used on the current user's computer is Spanish, SirCam will send email in Spanish, otherwise it will use English. The email body consists of three lines.
The first line of the email body is always 'Hola como estas?' in Spanish, and 'Hi! How are you?' in English; the third line is always 'Nos vemos pronto, gracias.' in Spanish, and 'See you later. Thanks' in English. The second line is chosen from the following list, in Spanish:
'Te mando este archivo para que me des tu punto de vista'
'Espero me puedas ayudar con el archivo que te mando'
'Espero te guste este archivo que te mando'
'Este es el archivo con la informacion que me pediste'
and, in English:
'I send you this file in order to have your advice'
'I hope you can help me with this file that I send'
'I hope you like the file that I sendo you'
'This is the file with the information that you ask for'
As long as an active connection to the Internet exists, SirCam will send email to every address in each of the email lists that it created. It will send an email three times to each address in the scw1.dll list, then once each to all the other addresses, in the order: scy1.dll, sch1.dll, sci1.dll, and sct1.dll, before starting again with scw1.dll. SirCam keeps the current mailing position in the registry, so if the connection is broken and restored later, SirCam can continue to send mail as though it were never interrupted. SirCam ensures that the current user never receives an email from SirCam. In the case that the recipient is the current user, SirCam will send the mail instead to the email address <otrorollo@esmas.com>.
For each email it sends, SirCam will randomly select a file from the scd.dll list, prepend itself to that file, attach an additional extension, chosen randomly from 'pif', 'lnk', 'bat', or 'com', and send the email. If an Internet connection exists for long enough, eventually every recipient will receive multiple copies of every file in the list, and among those copies all four of the random extensions will be represented. To avoid overloading email servers, SirCam remains idle for one minute between sending each email.
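An added example, not part of the original write-up: a Python heuristic built on the standard library's email module that scans a message for the two traits the preceding paragraphs describe, a body made up of exactly the three template lines (either language) and an attachment whose document name carries an extra .pif, .lnk, .bat or .com suffix. The sample message is constructed; its addresses, boundary and attachment content are placeholders.

```python
import email
import re
from email import policy

# Constructed sample in the shape the text describes (English template, a document
# name with an extra .pif suffix); addresses, boundary and payload are placeholders.
SAMPLE_MESSAGE = """\
From: Some User <someone@example.invalid>
To: friend@example.invalid
Subject: budget
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Hi! How are you?

I hope you can help me with this file that I send

See you later. Thanks
--BOUNDARY
Content-Type: application/octet-stream; name="budget.xls.pif"
Content-Disposition: attachment; filename="budget.xls.pif"
Content-Transfer-Encoding: base64

UGxhY2Vob2xkZXI=
--BOUNDARY--
"""

# The fixed first and third lines, and the pool of second lines, as listed above.
FIRST_LINES = {'Hi! How are you?', 'Hola como estas?'}
LAST_LINES = {'See you later. Thanks', 'Nos vemos pronto, gracias.'}
MIDDLE_LINES = {
    'Te mando este archivo para que me des tu punto de vista',
    'Espero me puedas ayudar con el archivo que te mando',
    'Espero te guste este archivo que te mando',
    'Este es el archivo con la informacion que me pediste',
    'I send you this file in order to have your advice',
    'I hope you can help me with this file that I send',
    'I hope you like the file that I sendo you',
    'This is the file with the information that you ask for',
}
# A document extension the worm selects from, followed by one of its four suffixes.
DOUBLE_EXTENSION = re.compile(r'\.(doc|xls|zip)\.(pif|lnk|bat|com)$', re.IGNORECASE)


def body_matches_template(lines):
    """True when the non-blank body lines are exactly the three-line SirCam message."""
    return (len(lines) == 3 and lines[0] in FIRST_LINES
            and lines[1] in MIDDLE_LINES and lines[2] in LAST_LINES)


def sircam_indicators(raw_message):
    """Return a list of findings for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body_lines, attachment_names = [], []
    for part in msg.walk():
        if part.get_content_maintype() == 'multipart':
            continue
        filename = part.get_filename()
        if filename:
            attachment_names.append(filename)
        elif part.get_content_type() == 'text/plain':
            text = part.get_content()
            body_lines.extend(line.strip() for line in text.splitlines() if line.strip())
    findings = []
    if body_matches_template(body_lines):
        findings.append('body matches the SirCam three-line template')
    for name in attachment_names:
        if DOUBLE_EXTENSION.search(name):
            findings.append(f'document name with executable suffix: {name}')
    return findings


if __name__ == '__main__':
    for finding in sircam_indicators(SAMPLE_MESSAGE):
        print('INDICATOR:', finding)
```

The body check deliberately requires all three lines to match, since the first and third lines on their own are ordinary greetings; the attachment check is the more general of the two and is worth keeping on a gateway regardless of body text, because a document name ending in an executable suffix has no legitimate use.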