Sunday, 23 October 2011

w32.sircam worm

W32/Sircam-A is a network-aware worm. The worm spreads via email and by using open network shares. The worm arrives in an email with a random subject and body text. The attached filename is also randomly chosen, but it has a double extension (for instance, .doc.com or .mpg.pif).
If the attachment is opened, the worm copies itself into the Windows System directory with the filename scam32.exe. The worm also copies itself as a file called sirc32.exe to the Recycled files directory with its file attributes set to hidden. The worm changes the registry key:
        HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\Driver32
so that it runs on Windows startup. The registry key:  
        HKLM\SOFTWARE\Classes\exefile\shell\open\command  
is also changed so that the worm runs before any other executable file is opened. If the worm finds any open network share, it will attempt to copy itself into the Windows directory on the machine with an open share, with the filename rundll32.exe. The original rundll32.exe file is renamed to run32.exe. If this is successful, the worm changes the file autoexec.bat so that it includes a command to run the worm file previously dropped to the Windows directory.
The worm contains its own SMTP routine, which is used to send email messages to email addresses found in the Windows address book and the temporary internet folder, where cached internet files are kept.
When a recipient opens the attachment, the recipient's system is infected and the embedded document is then displayed, which disguises the worm's activity. Messages sent by the worm look like this:
Subject: Document file name (without extension)
From: [user_of_infected_machine@...]

To: [random@...]

Hi! How are you?
I send you this file in order to have your advice

See you later! Thanks

http://antivirus.about.com/library/weekly/aa071801a.htm
In Microsoft® Windows, the 'My Documents' folder is one of the most accessible, whether from the desktop, Windows Explorer, or as the default save-to location in many programs. As a result, many people use it as a repository for all their data files, even those which contain sensitive or confidential information. This practice has never been a good idea, as it gives ill-intentioned intruders a virtual roadmap to your personal and work output. The SirCam worm takes the exposure one step further, using the contents of the folder to package and disguise itself to others.
Sircam (a.k.a. I-Worm.Sircam, W32.Sircam, and W32/SircCam) mass-mails itself using addresses found in the Windows Address Book and in cached email addresses found on the system. The attachment it sends is a combination of its infection routine and a file found in the My Documents folder. The original name of the file is left intact, with an executable extension appended to it. For example, .PIF, .COM, or .EXE would be added to the original filename, so myphoto.jpg would become myphoto.jpg.exe. Users who did not have file extension viewing enabled would see only the original extension and, in the example above, could be tricked into believing an executable file was actually a harmless image file.
The worm then mails itself in an email with following message body:  
Hi! How are you?  
I send you this file in order to have your advice  
See you later! Thanks  
The subject line of the email is the name of the original file. When the infected attachment is executed, whatever file was "lifted" from the sender's My Documents folder is displayed, thus disguising the SirCam worm's actions. This is particularly risky, as an infected user who stores confidential data in the My Documents folder could easily find proprietary and sensitive data mass-mailed to others.
SirCam then copies itself to the Recycle Bin, C:\recycled\SirC32.exe, in an attempt to avoid detection by some antivirus scanners. The worm modifies the registry, [HKEY_CLASSES_ROOT\exefile\shell\open\command], so that the worm is run first when any .EXE on the system is run. This method makes improper removal of the worm a dangerous proposition. If the worm is deleted before the registry modification is corrected, no .EXE on the system will run.
http://groups.yahoo.com/group/asidharta/message/616
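The two descriptions above give a defender three concrete indicators: the double-extension attachment name, the subject line equal to the decoy document's name without its extension, and the fixed body text. The following Python is an added example (not from the original post or any vendor write-up) that scores a message against those indicators and checks a registry command value against the clean default of `HKCR\exefile\shell\open\command`; the sample message and the hijacked command string are constructed to match the page's description.

```python
# Executable extensions Windows launches on double-click; Sircam used .exe, .com and .pif.
EXEC_EXTS = {".exe", ".com", ".pif", ".bat", ".scr", ".lnk"}
# Document/media extensions left intact from the victim's My Documents folder.
DECOY_EXTS = {".doc", ".xls", ".zip", ".jpg", ".gif", ".mpg", ".mpeg", ".mov", ".pdf", ".txt"}
# Fixed phrases from the worm's message body (see the samples above).
BODY_MARKERS = ("i send you this file in order to have your advice", "see you later! thanks")
# Default data of HKCR\exefile\shell\open\command on a clean Windows system.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'


def is_double_extension(filename):
    """True when a benign-looking extension is followed by an executable one, e.g. myphoto.jpg.exe."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    inner, outer = "." + parts[1], "." + parts[2]
    return inner in DECOY_EXTS and outer in EXEC_EXTS


def subject_matches_attachment(subject, filename):
    """Sircam set the subject to the decoy document's name with no extension at all."""
    if is_double_extension(filename):
        stem = filename.rsplit(".", 2)[0]
    else:
        stem = filename.rsplit(".", 1)[0]
    return subject.strip().lower() == stem.lower()


def sircam_indicators(subject, body, attachment):
    """Return the list of Sircam-style indicators present in one message (empty list = none)."""
    found = []
    if attachment and is_double_extension(attachment):
        found.append("double-extension attachment")
    if attachment and subject_matches_attachment(subject, attachment):
        found.append("subject equals attachment stem")
    if any(marker in body.lower() for marker in BODY_MARKERS):
        found.append("known body text")
    return found


def exefile_command_is_hijacked(value):
    """True when the command used to launch every .exe is anything other than the file itself.
    Pass the data of HKCR\\exefile\\shell\\open\\command as read from the registry."""
    return value.strip() != DEFAULT_EXEFILE_COMMAND


if __name__ == "__main__":
    # Constructed sample message modelled on the page's description.
    body = "Hi! How are you?\nI send you this file in order to have your advice\n\nSee you later! Thanks"
    print(sircam_indicators("myphoto", body, "myphoto.jpg.exe"))
    # Constructed hijacked value: worm binary prepended to the default command.
    print(exefile_command_is_hijacked(r'C:\recycled\SirC32.exe "%1" %*'))
```

If the command check reports a hijack, restore the default value before deleting the worm binary; as the text notes, removing the file first leaves every .EXE on the system unable to run.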
