Security Incidents mailing list archives

RE: SIRCAM WORM?


From: "Tony Spurlin" <tspurlin () vigilar com>
Date: Tue, 24 Jul 2001 11:03:27 -0400


http://news.cnet.com/news/0-1003-200-6647394.html?tag=tp_pr
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1454000/1454155.stm
http://www.ananova.com/news/story/sm_358641.html?menu=news.technology

If found, here are the steps to remove the Sircam Worm:
The W32.Sircam.Worm@mm Fix tool deletes the files infected with the
W32.Sircam.Worm@mm worm and removes the changes that were made to a
computer by this virus. 
NOTE: When the tool has finished running, you will see a message
indicating whether the computer was infected by the W32.Sircam.Worm@mm
worm. In the case of a removal of the worm, the program displays the
following results: 
The total number of the scanned files. 
The number of deleted files. 
The number of registry keys that were fixed.

To obtain and run the tool: 
1. Go to <http://www.symantec.com/avcenter/FixSirc.com>.
2. Download the Fixsirc.com file to a convenient location, such as
your download folder or the Windows desktop.
3. Double-click the Fixsirc.com file to start the repair tool.
4. Click Start to begin the process, and then allow the tool to run.

What the tool does
The W32.Sircam.Worm@mm removal tool does the following: 
1. It scans and deletes files infected with the W32.Sircam.Worm@mm worm.

2. The tool removes the following registry key:

HKEY_LOCAL_MACHINE\Software\SirCam

3. In the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

it deletes the following value:

Driver32

4. In the registry key

HKEY_CLASSES_ROOT\exefile\shell\open\command

the tool modifies the [Default] value by setting it to:

"%1" %*

5. The tool removes the line "@win \recycled\sirc32.exe" from the
C:\Autoexec.bat file.
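
The following is an added example and is not Symantec's FixSirc tool or any code from this thread. It reads the four artefacts the removal steps above describe (the SirCam registry key, the Driver32 value under RunServices, the hijacked [Default] value of the exefile open command, and the sirc32.exe line in Autoexec.bat) and reports which of them are present, without changing anything on the host. The snapshot dictionary layout, the function names and the placeholder values in the dry-run data are this example's own assumptions; it asserts nothing about what data the worm writes beyond what the message states.

```python
r"""Added example, not Symantec's FixSirc tool: check a host for the
W32.Sircam.Worm@mm artefacts listed in the message and report what a
clean-up would have to change, read-only.

Indicators (taken from the message):
  - registry key HKLM\Software\SirCam
  - value Driver32 under HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  - [Default] of HKCR\exefile\shell\open\command changed from "%1" %*
  - line @win \recycled\sirc32.exe in C:\Autoexec.bat
The snapshot layout and function names are assumptions of this example.
"""
import os
import sys

CLEAN_EXEFILE_COMMAND = '"%1" %*'
SIRCAM_AUTOEXEC_LINE = r"@win \recycled\sirc32.exe"
AUTOEXEC_PATH = r"C:\Autoexec.bat"


def assess(snapshot):
    """Return a list of findings for a host snapshot (dict; see collect_snapshot).

    An empty list means none of the four artefacts was observed.
    """
    findings = []
    if snapshot.get("sircam_key_present"):
        findings.append("registry key HKLM\\Software\\SirCam exists")
    if "Driver32" in snapshot.get("runservices_values", {}):
        findings.append("RunServices value Driver32 exists (autostart entry)")
    cmd = snapshot.get("exefile_command")
    if cmd is not None and cmd.strip() != CLEAN_EXEFILE_COMMAND:
        findings.append("exefile open command is %r, expected %r"
                        % (cmd, CLEAN_EXEFILE_COMMAND))
    if find_autoexec_lines(snapshot.get("autoexec_text", "")):
        findings.append("Autoexec.bat starts \\recycled\\sirc32.exe")
    return findings


def find_autoexec_lines(text):
    """Return the 1-based line numbers in Autoexec.bat that launch sirc32.exe."""
    target = SIRCAM_AUTOEXEC_LINE.lower()
    return [i for i, line in enumerate(text.splitlines(), 1)
            if line.strip().lower() == target]


def clean_autoexec(text):
    """Return the Autoexec.bat contents with the worm's launch line removed."""
    target = SIRCAM_AUTOEXEC_LINE.lower()
    kept = [line for line in text.splitlines() if line.strip().lower() != target]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def collect_snapshot():
    """Read the four indicators from a live Windows host (read-only)."""
    if sys.platform != "win32":
        raise RuntimeError("registry inspection requires Windows")
    import winreg  # standard library, Windows only
    snap = {"runservices_values": {}}
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\SirCam"))
        snap["sircam_key_present"] = True
    except OSError:
        snap["sircam_key_present"] = False
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"Software\Microsoft\Windows\CurrentVersion\RunServices")
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            snap["runservices_values"][name] = data
            i += 1
        winreg.CloseKey(key)
    except OSError:
        pass  # RunServices key absent on this system; nothing to record
    try:
        snap["exefile_command"] = winreg.QueryValue(
            winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command")
    except OSError:
        snap["exefile_command"] = None
    if os.path.exists(AUTOEXEC_PATH):
        with open(AUTOEXEC_PATH, encoding="latin-1") as fh:
            snap["autoexec_text"] = fh.read()
    return snap


if __name__ == "__main__":
    # Constructed snapshot of an infected host for a dry run; the two
    # placeholder strings stand in for data the message does not give.
    infected = {
        "sircam_key_present": True,
        "runservices_values": {"Driver32": "<worm-path-placeholder>"},
        "exefile_command": "<hijacked-command-placeholder>",
        "autoexec_text": "@echo off\n@win \\recycled\\sirc32.exe\n",
    }
    for finding in assess(infected):
        print("FINDING:", finding)
```

On a real host call collect_snapshot() and pass the result to assess(); the remediation itself (deleting the key and value, restoring "%1" %*, rewriting Autoexec.bat) is left to the vendor tool, so that the exefile association is not damaged by a half-applied fix.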

-----Original Message-----
From: borakovej [mailto:borakove () nhgri nih gov]
Sent: Monday, July 23, 2001 4:29 PM
To: Tulchinskiy, Sasha; incidents () securityfocus com
Subject: SIRCAM WORM? 


Has anyone heard of the SirCam Worm????
----- Original Message -----
From: "Tulchinskiy, Sasha" <STulchinskiy () aspensys com>
To: <incidents () securityfocus com>
Sent: Friday, July 20, 2001 6:45 AM
Subject: RE: CodeRed


BlackICE Agent for Servers reports it to ICECap console as
Issue 2002608 "ISAPI extension overflow"

Sasha.

-----Original Message-----
From: Ryan Russell [mailto:ryan () securityfocus com]
Sent: Thursday, July 19, 2001 5:18 PM
To: incidents () securityfocus com
Subject: CodeRed


Here's a copy of CodeRed, as captured by my elite honeypot:

nc -l -p 80 > c:\gotcha

It's in a password-protected .zip file, password is "worm" without the
quotes.  The zip file is only about 2K, so it shouldn't cause undue
stress on anyone's mail server or client.

There is a rule available for Snort:
http://www.whitehats.com/info/IDS552

BlackICE defender spotted this one as "Suspicious URL":
39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17,
st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,

And I'm not aware of other IDS' that catch this.  (Though I'd like to
be corrected if that's not the case.)

Ryan
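
Added example, not code from Ryan's message or from the BlackICE product: a small parser for event records in the comma-separated form quoted above, which totals events per source address and issue ID and marks the two issue IDs named in this thread (2002500 "Suspicious URL" and 2002608 "ISAPI extension overflow"). The column meaning is inferred from that single quoted line and is an assumption of this example; only the first sample record is from the message, the others are constructed.

```python
r"""Added example (not BlackICE/ISS code): parse BlackICE Defender event
records like the one quoted in the message and summarise them per source.

Column layout assumed from that one line: sequence number, timestamp,
issue ID, issue name, source IP, source hostname, target IP (redacted as
x.x.x.x in the message), two fields that are empty in the sample, count.
"""
import csv
from collections import Counter

# Issue IDs mentioned in this thread (BlackICE numbering) -> description.
THREAD_ISSUE_IDS = {
    "2002500": "Suspicious URL",
    "2002608": "ISAPI extension overflow",
}

# Constructed sample log: record 39 is the line quoted in the message; the
# other records are made up for the example (198.51.100.7 is a documentation
# address, not a real host).
SAMPLE_LOG = """\
39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17, st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,
40, 2001-07-19 20:11:02, 2002500, Suspicious URL, 203.138.114.17, st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 3,
41, 2001-07-19 20:15:44, 2002608, ISAPI extension overflow, 198.51.100.7, , x.x.x.x, , , 1,
"""

COLUMNS = ("seq", "time", "issue_id", "issue_name", "src_ip", "src_host",
           "dst_ip", "unused1", "unused2", "count")


def parse_record(line):
    """Turn one BlackICE line into a dict; return None for blank or short lines."""
    fields = [f.strip() for f in next(csv.reader([line]))]
    if fields and fields[-1] == "":
        fields.pop()  # the trailing comma leaves an empty last field
    if len(fields) < len(COLUMNS):
        return None
    rec = dict(zip(COLUMNS, fields))
    rec["count"] = int(rec["count"]) if rec["count"].isdigit() else 0
    rec["known_in_thread"] = rec["issue_id"] in THREAD_ISSUE_IDS
    return rec


def summarise(log_text):
    """Return {(src_ip, issue_id): total count} over all parseable records."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            totals[(rec["src_ip"], rec["issue_id"])] += rec["count"]
    return dict(totals)


if __name__ == "__main__":
    for (src, issue), n in sorted(summarise(SAMPLE_LOG).items()):
        label = THREAD_ISSUE_IDS.get(issue, "issue " + issue)
        print("%-16s %-26s %d" % (src, label, n))
```

Feeding a real BlackICE export to summarise() gives a quick per-source view of which hosts are repeatedly tripping the CodeRed-related signatures, which is the triage step that usually precedes pulling the captured request off the honeypot.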



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com



