I-Worm.Sircam
Description I-Worm.Sircam
This is a dangerous worm that spreads via the Internet and local networks. The worm itself is a Windows application written in Delphi, about 130K in size. While spreading, the worm may append an additional DOC, XLS, ZIP or other file to its own file (see below), so the attachment can be larger than 130K. When executed (for instance by clicking on the attached file), it installs itself into the system, sends infected messages with its copy attached, infects computers on the local network (if there are drives shared for full access) and, depending on the system date, runs its payload routine.

E-mail Spreading

The worm sends itself from infected machines as an attached file with a variable name and a double extension:

filename.ext1.ext2

where "ext1" is one of DOC, XLS, ZIP or EXE, and "ext2" is randomly selected from PIF, LNK, BAT or COM. For example:

feb01.xls.pif
normas.doc.bat

The "filename.ext1" part comes from a real file on the infected machine: the worm looks for a file with an "ext1" extension, uses its name as the attachment name, appends the file's contents to its own body and sends the result. An infected file sent out of an infected machine therefore consists of two parts:

1: the worm's EXE code;
2: appended extra data: a randomly selected DOC/XLS/ZIP/EXE file from the infected machine.

The appended file is later used by the worm to disguise its activity (see below). As a side effect, this "appended file" spreading method may disclose confidential information: whatever document the worm picks up leaves the machine with it.

The message Subject is the "filename" part of the attachment name (exactly, without extensions). The Body can be in one of two languages, English or Spanish. The first and last lines of the message body are always the same:

first line: Hi! How are you? / Hola como estas ?
last line: See you later. Thanks / Nos vemos pronto, gracias.
The text between these lines is one of the following variants:

I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send to you
This is the file with the information that you ask for
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste

The worm obtains victims' e-mail addresses by scanning files that may contain them: SHO*, GET*, HOT*, *.HTM, *.WAB and some others. The worm stores the results of the search in fake DLL files in the Windows system directory:

SCD.DLL contains the list of "ext1" files;
SCH1.DLL and SCI1.DLL contain the list of e-mail addresses found in the scanned files.

SCT1.DLL and SCY1.DLL files may also be found in the system directory; the worm stores additional data there.

To send infected messages the worm connects directly to an SMTP server. It takes the SMTP server name from the default system settings; if it fails to obtain the default server, it tries the following ones:

dobleclick.com.mx
enlace.net
goeke.net

Installation to System

The worm copies itself to:

the RECYCLED directory on the Windows drive, with the SirC32.exe name (for example C:\RECYCLED\SirC32.exe when Windows is installed on C:);
the Windows system directory, with the SCam32.exe name;
the Windows directory, with the ScMx32.exe name;
the Windows start-up directory, with the "Microsoft Internet Office.exe" name.

Note that not all these steps are performed on the first start-up: some of the files are created later, depending on various conditions. The attributes of all these files are then set to "Hidden". The first two files are then registered in the system registry auto-run keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Driver32 = %windows system directory%\SCam32.exe
HKCR\exefile\shell\open\command
(default) = ...\RECYCLED\SirC32.exe

The second key is the handler Windows uses to launch every EXE file, so the copy in RECYCLED runs each time any program is started; disinfection must restore the key's original "%1" %* value rather than simply delete it, or no EXE file will start.

The worm then extracts the appended "decoy" file (see above) to the Windows TEMP directory under its original "filename.ext1" name and opens it with WINWORD.EXE or WORDPAD.EXE, EXCEL.EXE or WINZIP.EXE, depending on "ext1", so the victim sees the document the message promised.

The worm also creates additional registry keys under HKLM\SOFTWARE\SirCam and stores its internal data there.

Network Spreading

To spread over a local network, the worm enumerates all network resources (obtains all shared directories on remote machines) and copies itself there. If the victim's shared directory contains a "\recycled" directory, the worm copies itself to it under the SirC32.exe name:

\recycled\SirC32.exe

The worm then appends the following command to the end of the AUTOEXEC.BAT file:

@win \recycled\SirC32.exe

If there is a "Windows" directory, the worm renames RUNDLL32.EXE to RUN32.EXE and overwrites the original RUNDLL32.EXE with its own copy. The worm then sets the hidden attribute on its copies.

Payload

Depending on the system date and time, in one case out of 20 the worm deletes all files in all directories on the drive where Windows is installed and removes all directories there as well.

Upon each start-up, in one case out of 50, the worm creates a SirCam.Sys file in the root of the current drive and writes one of the following texts there:

[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
[SirCam Version 1.0 Copyright L 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

It appears that the worm writes these texts repeatedly to fill the free disk space. These strings (like most of the other text strings) are stored encrypted in the worm's body.

Fortunately, there is a mistake in the virus code and these routines are not executed in this way. However, the first routine (erasing files on the Windows drive) is executed if one of the worm's copies SIRC32.EXE, SCAM32.EXE or RUNDLL32.EXE is renamed to any other name and run.
Jerk.1077
Description Jerk.1077
This is a non-dangerous, non-memory-resident parasitic virus. It searches for .COM and .EXE files in the current directory tree and writes itself to the end of each file. It displays the message: Craig Murphy calls himself SUPERHACKER but he's just a talentless jerk!
The virus also contains the texts: Murphy COMMAND.COM *.COM *.EXE Bad command or file name
Jerusalem.a
Description Jerusalem.a
"Jerusalem" family. This virus hooks INT 9, 16h and 21h. Upon a 'warm' reboot (Alt-Ctrl-Del), depending on the current time, the virus decrypts (XOR AFh) and displays the following text: The world will hear from me again!
Depending on the date, it alters text typed at the keyboard. If the user types "fu manchu", the virus appends "virus 3/10/88 - latest in the new fun line!". If the user types "thatcher", "reagan", "botha" or "waldheim", the virus appends rude words: "thatcher is a #@$&*", "reagan is an @$$%$##", "botha is a &%$#@#$%", "waldheim is a $%#@&*". When unflattering words are typed, the virus erases them from the screen.

Jeru.Math

"Jerusalem" family. On Fridays it also hooks INT 9 (keyboard), and when Alt-Ctrl-Del is pressed it runs itself with a video effect. It also contains the text string: sUMATHS
Jeru.Miky.2350

This is a dangerous virus that hooks INT 8, 16h and 21h, and infects .COM and .EXE files. It sets the disk label to 'Miky', shifts the screen and displays: MIKY 786290 B livia
Jeru.Plastique

"Jerusalem" family. These viruses hook INT 8, 9, 13h and 21h, and erase the contents of the logical drives when the file ACAD.EXE is started. They then play a tune and slow down the computer (a delay loop in the INT 8 handler). On the 4000th key pressed on the keyboard, the virus erases one randomly selected sector on the current disk. These viruses contain the encrypted strings: ACAD.EXECOMMAND.COM.COM.EXE Program: Plastique 4.51 (plastic bomb), Copyright (C) 1988, 1989 by ABT Group.Thanks to: Mr. Lin (IECS 762??), Mr. Cheng (FCU Inf-Center)

Jeru.Raquel

This is a variant of the "Jeru.Plastique" virus. Depending on its internal counter, it erases the CMOS memory. It contains the encrypted text: Copyright (C) 1988, 1989 by ABT Group Virus RAQUEL v.9 (c) IMV Galicia '94
Jeru.Roger

"Jerusalem" family. This is a benign virus. On the 11th and 23rd of any month it hooks INT 13h and displays the following message:

+------------------------------------+
|          ROGER ESPEJO M.           |
|          Telef. 45-1838            |
|          Lima - Perú               |
+------------------------------------+
Taiwan.2576,3088

"Jerusalem" family. "Taiwan.2576" is dangerous: when ACAD.EXE is executed, the virus overwrites this file with the text below and then deletes it. The text is:

To Whom see this: Shit! As you can see this document, you may know what this program is. But I must tell you: DO NOT TRY to WRITE ANY ANTI-PROGRAM to THIS VIRUS.This is a test-program, the real dangerous code will implement on November. I use MASM to generate varius virus easily and you must use DEBUG aginst my virus hardly, that is foolish. Save your time until next month. OK? Your Sincerely, ABT Group., Oct 13th, 1989 at FCU.

This virus also contains the text "ACAD.EXECOMMAND.COM" and plays a tune. "Taiwan.3088" and "Taiwan.3454" contain the text:

To Whom see this: Shit! As you can see this document, you may know what this program is. But I must tell you: DO NOT TRY to WRITE ANY VACCINE against THIS VIRUS.This is a test-program, the real dangerous code (combines Disk Killer & Dark Friday) will be implemented before long.I use MASM to generate various virus easily and it is vain to DEBUG my virus, it is a fool to do that. You(S.I.R) will try to challenge to me?, you are stupid to do this.Your Sincerely, ABT Group., Lee. S.W. Oct 13th, 1989 at FCU. PS: 1. To FCU Info-Center, Please update new carbon ink belt. 2. Fuck you Mechanic Eng., do not speak so loudly in the Computer Lab. 3. Confound you, Mr.President, I wish you go to Hell ! ============= , and anotherall Endanger declaraction : This is a hacker who want to rule the computer technology as the Golden game rule, namely, everyone who frunk me is a "son of bitch". How can teacher do such crue thing as to hurt a timid soul and taking this as funny play-game.

Taiwan.2900

"Jerusalem" family. It hooks INT 8, 9, 13h, 16h and 21h, and infects files that are executed or opened. When the ACAD.EXE file is executed, the virus erases the information on all available disks.
Approximately once a month, after about 10 hours of uninterrupted operation, the virus plays a rather dull tune. If Alt-Ctrl-Del is pressed at this time, the same effect as upon executing ACAD.EXE occurs. The virus contains the encrypted strings: ACAD.EXE COMMAND.COM.COM.EXE Copyright (C) 1988, 1989 by ABT Group
Tobacco.2900

"Jerusalem" family. It hooks INT 8, 9, 13h, 16h and 21h, and behaves in the same way as "Taiwan.2900". This virus contains the strings: ACAD.EXE COMMAND.COM.COM.EXE Copyright (C) 1988, 1989 by ABT Group Tobacco v2 AntiDacha. We don't want gypsies in our world. We don't want DACHAs. 1991 2nd Tabacalera gana siempre. Tobacco Ver. 2.0
"Jerusalem.Tobacco.c" contains the strings: Virus RAQUEL vK&S (c) IMV Galicia '95. Exercito Guerrilheiro forever Id Software are the Best. Buy DOOM2:Hell on Earth. Take my Tobacco box! CLRG loves danger. 3rd
Totoro.1536

"Jerusalem" family. On Saturdays it hooks INT 8 (timer) and sometimes displays the message:

+----------------------+
|    Totoro Dragon     |
|Hello! I am TOTORO CAT|
| Written by Y.T.J.C.T |
| in Ping Tung. TAIWAN |
| Don't Worry,be Happy |
+----------------------+