Sircam
Sircam
Type Mass-mailer worm
Creator
Date Discovered 2001.07.17
Place of Origin Mexico
Source Language
Platform MS Windows
File Type(s) .bat, .com, .lnk, .pif
Infection Length ~137,216 bytes*
Reported Costs $3 billion

Sircam is a worm famous for its ability to attach random documents in its email and send them along with the worm, potentially leaking sensitive, confidential and even embarrassing information. It spreads primarily through email, but is also network aware.

Behavior

Sircam arrives in an email that can be in English or Spanish, depending on the language of the sender. It contains an attachment with a double file extension, the first being that of some kind of document file, and the second being that of an executable. It will take the name and the first extension of a file that it appended to itself on the previous computer. The first extension has three possibilities, .doc, .xls, and .zip. The final extension has four possibilities, .bat, .com, .lnk, and .pif. The worm body is 137,216 bytes long, but the attachment may be longer, as it contains an actual Word, Excel or Zip file found on the machine it was previously on.

The subject of the email is the same as the file name of the attachment, but with no extension.. The message is mostly random, although the first and last lines are always the same and it may contain a few sentences in the body. The first line of the message is always "Hola como estas ?"/"Hi! How are you?". The last line of the message is always "Nos vemos pronto, gracias."/"See you later. Thanks". Variable text that may appear somewhere in the middle:

  • I send you this file in order to have your advice/Te mando este archivo para que me des tu punto de vista
  • I hope you can help me with this file that I send/Espero me puedas ayudar con el archivo que te mando
  • I hope you like the file that I sendo you/Espero te guste este archivo que te mando
  • This is the file with the information that you ask for/Este es el archivo con la información que me pediste

Sircam also has the ability to spread through networks, if the worm on the infecting computer can find a writable recycle directory on the target. If any network resources are found, Sircam attempts to copy itself to the new host's Recycle directory as Sirc32.exe. It adds the line "@win \recycled\sirc32.exe" to the Autoexec.bat file. It then renames the file Rundll32.exe in the Windows directory to Run32.exe and copies itself as Rundll32.exe.

When Sircam is run, it displays the document that Sircam picked up on the previous system in its appropriate program (eg. if the document was "Letter_to_Mistress.doc", it starts MS Word and displays this document). It copies itself to a temporary folder as XXXXX. It will also save itself to the system folder as Scam32.exe and to the Recycle bin as Sirc32.exe. The location of the Recycle bin is hard-coded in the worm as C:\Recycled rather than as some variable. This prevents or at least severely inhibits its ability to spread on Windows 2000, NT and XP, as their Recycle bins are located at C:\Recycler.

The worm adds the value "Driver32 = (system folder)\scam32.exe" to the local machine run services registry key, so the Scam.exe file will run when the system starts. It also sets the default value of the exefile command registry key to "C:\recycled\sirc32.exe %1 %*", which will run Sirc32.exe in the Recycle Bin whenever any .exe file is run. This also makes it dangerous to remove the worm, as improperly removing the key or the file it refers to may cause the computer to be unable to run an .exe file. It creates its own registry key "HKEY_LOCAL_MACHINE\Software\SirCam" which stores the following values, which themselves store information about the worm:

  • FB1B - the file name of the worm as stored in the Recycled directory
  • FB1BA - the SMTP IP address
  • FB1BB - the email address of the sender
  • FC0 - the number of times the worm has executed
  • FC1 - what appears to be the version number of the worm
  • FD1 - the file name of worm that has been executed, without the suffix
  • FD3 - a value corresponding to the current state of the worm
  • FD7 - the number of mails that have been sent prior to any interruption of this process.

There is a 1 in 33 chance that Sircam will copy itself from C:/Recyled to the Windows directory as Scmx.exe and that it will copy itself to the startup folder as "Microsoft Internet Office.exe" by referring to the registry key that refers to it.

Sircam then begins collecting email addresses to send itself to. It finds the Internet Cache and My Documents folders by checking the Internet cache and Personal Shell Folders registry keys. It looks into all files beginning with sho-, hot- and get- along with any files with a .htm file extension to find email addresses. The worm also searches the system folder for .wab (Address Book) files. It creates several .dll files in the system folder that store the email addresses. The email addresses will go to certain files depending on where they are collected from:

  • scy1.dll - Cache sho-, hot- and get- files
  • sch1.dll - My Documents sho-, hot- and get- files
  • sci1.dll - Cache .htm files
  • sct1.dll - My Documents .htm files
  • scw1.dll - Address book files

Sircam uses the same method to find files to attach to itself when it sends its email. It checks the registry keys again to find My Documents as well as the Desktop folder and lists the .doc, .xls and .zip files it finds in scd.dll, also in the system folder. Sircam randomly appends one of the files listed in tscd.dll to the executable that is sent as the email attachment.

The worm checks for an email address in the registry. If the worm finds no email address, it will check user name of the the person logged into the computer when it does its mailing routine with "prodigy.net.mx" as the server. It uses its own SMTP server to send copies of itself.

There is a 1 in 20 chance of Sircam activating a payload that deletes all files and folders on drive C on October 16 of any year. This only works when the date format is set to the European Day/Month/Year format and not on those with the North American Month/Day/Year or East Asian Year/Month/Day formats. Sircam may delete all files and folders on the C: drive immediately regardless of date or date format if the attached file it comes with contains the letters "FA2" without "sc" following immediately. A bug in the initialization of a random generator prevents this from occuring in most cases.

On any other day, there is a 1 in 50 that the worm creates the file Sircam.sys in the recycle bin, which it fills with either [SirCam_2rp_Ein_NoC_Rma_CuiTzeO_MicH_MeX] or [SirCam Version 1.0 Copyright ¬ 2000 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico] until there is no space left on the hard drive.

Effects

McAfee reported that the worm had infected 12 percent of all computers in North America and 11 percent of those in Europe. Users around the world reported receiving a wide variety of attachments in many different sizes and with different content.

The worm infected a computer in an office belonging to the executive branch of the Ukrainian government. Sircam was believed to be responsible for the release of a document containing then-president Leonid Kuchma's itinerary as well as other guarded secret information on some other Ukrainian leaders.

In the US, the worm infected computers at the National Infrastructure Protection Center. The Congressional General Accounting Office released a report (PDF) condemning the organization's poor performance, as it is one of many government agencies responsible for fighting such threats. California Senator Diane Feinstein called the agency "an important hole in our national infrastructure."

Arthur Baker of North Yorkshire, Great Britain learned that his computer was infected with the Sircam, and that the worm had sent out a document about his mother's property. He found that this document had gone to Australia, Canada and Scotland. He even received an email from someone at NASA who had received the property document. Baker had a page about the space shuttle bookmarked, which likely means that the page had an email address on it and Baker had not cleaned his cache between visiting this page and receiving the worm.

Other Facts

Some variants of Sircam can get past email virus scanners, as they have a corrupt MIME header, which causes the programs to fail to see that there is an attachment. Some Sircam worms came with the Kriz virus.

Sources

Peter Ferrie, Peter Szor. Symantec.com, "W32.Sircam.Worm@mm"

Gergely Erdelyi, Alexey Podrezov. F-Secure Antivirus, Sircam.

Mary Landesmann. About.com Antivirus, Sircam virus.

John Leyden. The Register, "Symantec fails to stop SirCam". 2001.07.27

-. -, SirCam worm enjoys virus gang bang. 2001.08.02

-. -, SirCam tops July virus charts. 2001.08.06

Thomas C Greene. -, FBI cyber-brainiacs infect themselves with SirCam. 2001.07.27

Richard Stenger. CNN Archive, World leader latest victim of 'Sircam' virus. 2001.08.03

Ian Fried. CNet News, SirCam worm still spreading documents. 2001.08.02

Richard A. Elnicki. University of Florida, Virus, Worm & Spam Costs 1.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License