Security Incidents mailing list archives
RE: SIRCAM WORM?
From: "Tony Spurlin" <tspurlin () vigilar com>
Date: Tue, 24 Jul 2001 11:03:27 -0400
http://news.cnet.com/news/0-1003-200-6647394.html?tag=tp_pr http://news.bbc.co.uk/hi/english/sci/tech/newsid_1454000/1454155.stm http://www.ananova.com/news/story/sm_358641.html?menu=news.technology If Found, here are to steps to remove the Sircam Worm: The W32.Sircam.Worm@mm Fix tool deletes the files infected with the W32.Sircam.Worm@mm worm and removes the changes that were made to a computer by this virus. NOTE: When the tool has finished running, you will see a message indicating whether the computer was infected by the W32.Sircam.Worm@mm worm. In the case of a removal of the worm, the program displays the following results: The total number of the scanned files. The number of deleted files. The number of registry keys that were fixed. To obtain and run the tool: 1. Go to <http://www.symantec.com/avcenter/FixSirc.com>. 2. Download the Fixsirc.com file to the a convenient location, such as your download folder or the Windows desktop. 3. Double-click the Fixsirc.com file to start the repair tool. 4. Click Start to begin the process, and then allow the tool to run. What the tool does The W32.Sircam.Worm@mm removal tool does the following: 1. It scans and deletes files infected with the W32.Sircam.Worm@mm worm. 2. The tool removes the following registry key: HKEY_LOCAL_MACHINE\Software\SirCam 3. In the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\RunServices it deletes the following value: Driver32 4. In the registry key HKEY_CLASSES_ROOTexefile\shell\open\command the tool modifies the [Default] value by setting it to: "%1" %* 5. The tool removes the line "@win \recycled\sirc32.exe" from the C:\Autoexec.bat file. -----Original Message----- From: borakovej [mailto:borakove () nhgri nih gov] Sent: Monday, July 23, 2001 4:29 PM To: Tulchinskiy, Sasha; incidents () securityfocus com Subject: SIRCAM WORM? Has anyone heard of the SirCam Worm???? ----- Original Message ----- From: "Tulchinskiy, Sasha" <STulchinskiy () aspensys com> To: <incidents () securityfocus com> Sent: Friday, July 20, 2001 6:45 AM Subject: RE: CodeRed
BlackICE Agent for Servers reports it to ICECap console as Issue 2002608 "ISAPI extension overflow" Sasha. -----Original Message----- From: Ryan Russell [mailto:ryan () securityfocus com] Sent: Thursday, July 19, 2001 5:18 PM To: incidents () securityfocus com Subject: CodeRed Here's a copy of CodeRed, as captured by my elite honeypot: nc -l -p 80 > c:\gotcha It's in a password protected .zip file, password is "worm" without the quotes. The zip file is only about 2K, so it shouldn't cause undue
stress
on anyone's mail server or client. There is a rule available for Snort: http://www.whitehats.com/info/IDS552 BlackICE defender spotted this one as "Suspicious URL": 39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17, st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1, And I'm not aware of other IDS' that catch this. (Though I'd like to
be
corrected if that's not the case.) Ryan
------------------------------------------------------------------------ -- --
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: SIRCAM WORM? Tony Spurlin (Jul 24)