SirCam32.exe

SirCam virus hides in the trash

A new virus has been discovered that has the possibility to fill up users' hard drives, delete files, distribute private documents, hide itself from typical virus scanners, and propagate itself across the Internet using the Microsoft Outlook address book.

Synopsis: SirCam is a sophisticated worm that will infect files shared over an open network so most people will never see the original infected e-mail associated with the worm. SirCam (w32.Sircam@mm) also contains a dangerous payload: It may delete all the files on the C drive in mid October. Antivirus vendors are continuing to examine the worm while reports of infection increase worldwide.

The virus is also a worm, spreading by sending itself out to all the addressees in a person's Microsoft Outlook address book, and copies itself to any shared drives it finds.

The e-mail that people get is either in English or Spanish, and the body of the message varies although it typically looks like this:

Hi! How are you?

I send you this file in order to have your advice

I hope you can help me with this file that I send

I hope you like the file that I sendo you

This is the file with the information that you ask for

See you later. Thanks

SirCam also spreads among open file shares on a networked system (in other words, if you can access other directories on other machines, that's an open file share). Antivirus vendors are suggesting that many more people will be exposed to SirCam via open networks than through e-mail. It is possible that individual computers on a shared network could become infected multiple times until all instances of the worm are removed from the shared network.

Patches have been available for download for most of the week from the major anti-virus software vendors. Those that don't fix their systems could have an ugly awakening October 16, Trilling says.

The last well-known virus to use a date as its trigger was the Chernobyl virus, which went off on April 26, 2000, the anniversary of the Chernobyl incident in Russia. That virus also was distributed months before the actual trigger date (August 1999), giving users plenty of time to patch their systems before the virus went off.

Solution: Visit your AntiVirus Program Manufacturer's Website for Updates.

Antivirus software companies are in the process of updating their signature files to include SirCam. For more information on removing SirCam from your system, see Sophos, Symantec, McAfee, Central Command, and Trend Micro.


Code Red Worm

The "Code Red" worm is self-replicating malicious code that exploits a known vulnerability in Microsoft IIS servers.

Synopsis: The "Code Red" worm attack proceeds as follows:

  1. The "Code Red" worm attempts to connect to TCP port 80 on a randomly chosen host, assuming that a web server will be found. Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service described in CERT advisory CA-2001-13.
  2. The same exploit (HTTP GET request) is sent to each of the randomly chosen hosts due to the self-propagating nature of the worm. However, depending on the configuration of the host which receives this request, there are varied consequences.
  3. If the exploit is successful, the worm begins executing on the victim host. In the earlier variant of the worm, victim hosts with a default language of English experienced the following defacement on all pages requested from the server:
    HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

    Servers configured with a language that is not English and those infected with the later variant will not experience any change in the served content.

    Other worm activity on a compromised machine is time sensitive; different activity occurs based on the date (day of the month) of the system clock.

The "Code Red" worm activity can be identified on a machine by the presence of the following string in the web server log files:
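The page does not reproduce the log string itself. The following is an added example, not code from CERT or from this page, showing how an administrator could scan IIS W3C extended log files for requests of the kind the worm sends. It assumes (this is not stated on the page) that the worm's GET targets the Indexing Service extension default.ida with an oversized query string consisting of one repeated character; the log lines and client addresses are constructed.

```python
"""Scan IIS W3C extended log lines for Code Red style requests.

Added example; not code from the CERT advisory or from this page.
"""
import re
from collections import Counter

# Assumption, not taken from the page (which does not reproduce the log
# string): the worm's HTTP GET targets the Indexing Service extension
# "default.ida" with an oversized query made of one repeated character.
IDA_STEM = re.compile(r"default\.ida$", re.IGNORECASE)
LONG_RUN = re.compile(r"(.)\1{99,}")  # 100 or more copies of one character


def parse_w3c(lines):
    """Yield one dict per record, using the #Fields: directive for the keys."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or records before any #Fields: line
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_code_red_request(rec):
    """True when a record has the worm's stem and an oversized repeated query."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    return bool(IDA_STEM.search(stem)) and bool(LONG_RUN.search(query))


def scan_log(lines):
    """Return {client ip: number of matching requests} for a log."""
    hits = Counter()
    for rec in parse_w3c(lines):
        if is_code_red_request(rec):
            hits[rec.get("c-ip", "?")] += 1
    return dict(hits)


# Constructed sample log (TEST-NET addresses). The long queries are built
# with string repetition so the shape is visible without a 200-character literal.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:00:01 192.0.2.10 GET /default.htm - 200",
    "2001-07-19 10:00:02 192.0.2.44 GET /default.ida " + "N" * 224 + " 200",
    "2001-07-19 10:00:03 192.0.2.44 GET /default.ida " + "X" * 224 + " 200",
    "2001-07-19 10:00:04 192.0.2.77 GET /default.ida short 404",
    "2001-07-19 10:00:05 192.0.2.10 GET /search.asp q=" + "a" * 120 + " 200",
]

if __name__ == "__main__":
    for ip, n in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {n} Code Red style request(s)")
```

Both conditions are required on purpose: the last sample line has a long repeated query against an ordinary page and is not counted, and the short request for default.ida is not counted either. Counting per client address also makes visible the repeated hits from one infected host that the page describes.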

In addition to possible web site defacement, infected systems may experience performance degradation as a result of the scanning activity of this worm. This degradation can become quite severe since it is possible for a worm to infect a machine multiple times simultaneously.

Non-compromised systems and networks that are being scanned by other hosts infected by the "Code Red" worm may experience severe denial of service. In the earlier variant, this occurs because each instance of the "Code Red" worm uses the same random number generator seed to create the list of IP addresses it scans. Therefore, all hosts infected with the earlier variant scan the same IP addresses. This behavior is not found in the later variant, but the end result is the same due to the use of improved randomization techniques that facilitate more prolific scanning.

Furthermore, it is important to note that while the "Code Red" worm appears to merely deface web pages on affected systems and attack other systems, the IIS indexing vulnerability it exploits can be used to execute arbitrary code in the Local System security context. This level of privilege effectively gives an attacker complete control of the victim system.

Solution: The CERT/CC encourages all Internet sites to review CERT advisory CA-2001-13 and ensure workarounds or patches have been applied on all affected hosts on your network.

If you believe a host under your control has been compromised, you may wish to refer to

Steps for Recovering from a UNIX or NT System Compromise

Since the worm resides entirely in memory, a reboot of the machine will purge it from the system. However, patching the system for the underlying vulnerability remains imperative since the likelihood of re-infection is quite high due to the rapid propagation of the worm.


Happy99.exe

In the past weeks, a virus has not only been in the news but also in many mailboxes and on many people's desktops: Happy99.exe.

Thus I can today tell you what Happy99.exe does and how to remove it once you are "infected".

If you only read Usenet news or your daily dose of email you cannot get infected with Win32/Ska. This is because the virus is a program and has to be run to do its dirty work (like any other program on your computer).

As long as you do not execute Happy99.exe (the virus itself is not known to change its name; still somebody may have altered the name of the executable) there is no danger.

Synopsis: Once you do run the virus, it will reward you with a nice New Year's firework. Behind the scenes, it is preparing its own firework of email messages.

Happy99.exe copies itself into the Windows system directory as SKA.EXE and puts another file, SKA.DLL in the same directory. It then backs up WSOCK32.DLL (the system library that provides Internet connectivity to Windows) as WSOCK32.SKA and modifies the original WSOCK32.DLL to use SKA.DLL when sending email or posting news.

Whenever an email message is sent via SMTP (the protocol normally used to deliver Internet email) or news gets posted to Usenet, the modified WSOCK32.DLL creates a duplicate of the message. This copy of the original message has the same recipient and subject but its body is empty -- except for Happy99.exe being attached. Such copies can be identified by a header line of X-Spanska: Yes.

The Win32/Ska virus keeps track of its victims and does not send a message to one address more than once. Recipients of a copy of Happy99.exe are listed in a file called LISTE.SKA in the Windows system folder.
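The traits described above, together with the SirCam message bodies quoted earlier, are enough for a simple mail-gateway triage. The following is an added example, not the worm's code and not any vendor's detection logic: it parses a raw message and flags the X-Spanska: Yes header and a Happy99.exe attachment (Happy99), and the English body sentences quoted in the SirCam section (SirCam). The sample messages and example.test addresses are constructed.

```python
"""Triage raw RFC 822 messages for the SirCam and Happy99 traits described above.

Added example, not the worm's code or any vendor's detection. It uses the
body phrases quoted in the SirCam section and the X-Spanska: Yes header
and Happy99.exe attachment described in the Happy99 section.
"""
from email import message_from_string
from email.message import Message

# English body lines quoted on the page; compared after lower-casing and
# whitespace normalisation so line breaks in the mail do not matter.
SIRCAM_PHRASES = (
    "i send you this file in order to have your advice",
    "i hope you can help me with this file that i send",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for",
)


def attachment_names(msg: Message) -> list:
    """Filenames of all parts that carry one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def plain_body(msg: Message) -> str:
    """Normalised text/plain content, excluding parts that are attachments."""
    chunks = []
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("latin-1", "replace"))
    return " ".join(" ".join(chunks).lower().split())


def triage(raw: str) -> list:
    """Return the indicator tags found in one raw message (empty if none)."""
    msg = message_from_string(raw)
    findings = []
    # Happy99: its copies carry X-Spanska: Yes and Happy99.exe attached.
    if msg.get("X-Spanska", "").strip().lower() == "yes":
        findings.append("happy99:x-spanska-header")
    if any(name.lower() == "happy99.exe" for name in attachment_names(msg)):
        findings.append("happy99:attachment")
    # SirCam: the luring body text varies but reuses the quoted sentences.
    body = plain_body(msg)
    if any(phrase in body for phrase in SIRCAM_PHRASES):
        findings.append("sircam:body-phrase")
    return findings


# Constructed sample messages (example.test addresses), one per case.
HAPPY99_COPY = """\
From: alice@example.test
To: bob@example.test
Subject: Re: notes
X-Spanska: Yes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Type: application/octet-stream; name="Happy99.exe"
Content-Disposition: attachment; filename="Happy99.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

SIRCAM_LURE = """\
From: carol@example.test
To: bob@example.test
Subject: Budget
Content-Type: text/plain

Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks
"""

BENIGN = """\
From: dave@example.test
To: bob@example.test
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Hi, the quarterly report is attached.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

%PDF-1.4
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("happy99", HAPPY99_COPY), ("sircam", SIRCAM_LURE), ("benign", BENIGN)):
        print(label, triage(raw))
```

The Happy99 sample reproduces what the page describes: an otherwise empty body, the marker header, and the executable attached. The SirCam check is deliberately phrase-based rather than subject-based, because the page notes that the message body varies.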

Happy99.exe can modify WSOCK32.DLL only on Windows 95 and Windows 98. On Windows NT, it will copy SKA.EXE and SKA.DLL to the system folder but fail to alter WSOCK32.DLL. All other systems like Macintosh, Unix, OS/2, BeOS, Windows 3.x, DOS, Amiga are safe from Win32/Ska.

Solution: To get rid of the Win32/Ska virus we have to undo the steps described above. To be able to mess around with system DLLs you should first shut down and reboot your computer in MS-DOS mode.

DOS greets us with an almost-forgotten prompt. We change to the Windows system directory: cd \windows\system.

Here, we first restore our WSOCK32.DLL by copying the back-up copy (fortunately Happy99.exe is more careful than I am) over the modified version: copy wsock32.ska wsock32.dll. Yes, we want to overwrite WSOCK32.DLL. Now we can remove WSOCK32.SKA, but you may want to play it super-safe and not perform this step until you have rebooted and verified that everything works right: del wsock32.ska.

Then we remove SKA.EXE and SKA.DLL: del ska.exe ska.dll.

Now it's time to leave DOS alone and return to Windows: exit.

After the system has rebooted you can have a look at who got Happy99.exe from you. Open \windows\system\liste.ska in your favorite editor. Delete the file. If there is no LISTE.SKA this means that Happy99.exe had no chance to attach itself to any message (because you sent none since your WSOCK32.DLL was modified).

There is one more optional step you can perform if you want your system to be really clean. If Happy99.exe cannot change WSOCK32.DLL at the very moment it is run (because WSOCK32.DLL is in use) it will add SKA.EXE to the "RunOnce" section of the system registry. Thus, SKA.EXE is executed the next time the computer starts and will perform the modifications on WSOCK32.DLL.

You can remove that registry entry with the Registry Editor. Run regedit from a DOS prompt or via the Run command on the Start menu. Click your way down from "HKEY_LOCAL_MACHINE" over "Software", "Microsoft", and "Windows" to "CurrentVersion". If you find "Ska.exe" under "RunOnce" remove it by pressing Del and confirming your choice. Close the Registry Editor and leave it alone.
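Once the manual steps above are done it is worth confirming that nothing was missed. The following is an added example, not part of the original article, that checks a Windows system directory for the files the article names (SKA.EXE, SKA.DLL, LISTE.SKA, and the WSOCK32.SKA backup, which is reported separately because the article says it may be kept until Winsock is verified) and looks for a RunOnce value pointing at SKA.EXE. The registry is read only when running on Windows; elsewhere, or for the built-in demonstration, a dictionary of RunOnce values is passed in. The sample directory and RunOnce value are constructed.

```python
"""Check whether the Win32/Ska (Happy99) removal steps above left anything behind.

Added example, not part of the original article. It looks for the files the
article names in the Windows system directory and for a RunOnce value that
points at SKA.EXE. The registry read is attempted only on Windows; on other
platforms, or for testing, a dict of RunOnce values can be passed in directly.
"""
import sys
import tempfile
from pathlib import Path

WORM_FILES = ("ska.exe", "ska.dll", "liste.ska")   # must be gone after cleanup
BACKUP_FILE = "wsock32.ska"                         # harmless; delete once Winsock works
RUNONCE_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"


def leftover_files(system_dir):
    """Worm files still present in system_dir, matched case-insensitively."""
    present = {p.name.lower() for p in Path(system_dir).iterdir() if p.is_file()}
    return [name for name in WORM_FILES if name in present]


def backup_present(system_dir):
    """True if the WSOCK32.SKA backup made by the worm is still there."""
    return any(p.name.lower() == BACKUP_FILE for p in Path(system_dir).iterdir())


def runonce_values_referencing_ska(values):
    """Names of RunOnce values whose command mentions ska.exe."""
    return [name for name, cmd in values.items() if "ska.exe" in str(cmd).lower()]


def read_runonce():
    """HKLM RunOnce values as {name: data}; empty dict when not on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


def cleanup_report(system_dir, runonce_values=None):
    """Summarise what is left; 'clean' ignores the optional WSOCK32.SKA backup."""
    if runonce_values is None:
        runonce_values = read_runonce()
    files = leftover_files(system_dir)
    runonce = runonce_values_referencing_ska(runonce_values)
    return {
        "files": files,
        "runonce": runonce,
        "backup_present": backup_present(system_dir),
        "clean": not files and not runonce,
    }


def build_sample_system_dir():
    """Constructed stand-in for \\windows\\system on a partly cleaned machine."""
    d = Path(tempfile.mkdtemp(prefix="ska-demo-"))
    for name in ("SKA.DLL", "WSOCK32.SKA", "WSOCK32.DLL", "LISTE.SKA"):
        (d / name).write_bytes(b"")
    return d


SAMPLE_RUNONCE = {"Ska.exe": r"C:\WINDOWS\SYSTEM\SKA.EXE"}  # constructed value


def demo_report():
    """Run the check against the constructed directory and RunOnce value."""
    return cleanup_report(build_sample_system_dir(), SAMPLE_RUNONCE)


if __name__ == "__main__":
    print(demo_report())
```

On a real machine call cleanup_report with the actual system directory and no second argument, so that the RunOnce values are read from the registry; a report with an empty files list and an empty runonce list means the steps described in the article have all taken effect.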