Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
The middle is chosen from the following list. However, due to a bug in the worm's random number checking, the first line is always used:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for
The attachment name is variable, but will have a double extension, for example "SCRIPT.DOC.PIF". The actual extension may be "PIF", "LNK", "BAT", "EXE" or "COM". The subject of the message matches the attachment name, except without the extensions. In the above example the subject would be "SCRIPT".
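The mail-side indicators described above (double extension with a document inner extension and an executable outer one, subject equal to the base name, and one of the listed body lines) can be checked mechanically. The following is an added example for mail-gateway or log triage, not code from the original write-up or from Computer Associates; the Message class and the sample messages are constructed here.

```python
import re
from dataclasses import dataclass

# Extensions the worm combines into a double extension (from the write-up).
INNER_EXTS = {"DOC", "XLS", "ZIP"}
OUTER_EXTS = {"PIF", "LNK", "BAT", "EXE", "COM"}
# Middle body lines from the write-up (the worm always picks the first; all four are matched).
BODY_PHRASES = (
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I sendo you",
    "This is the file with the information that you ask for",
)

@dataclass
class Message:  # constructed for this example
    subject: str
    body: str
    attachment: str  # attachment file name only

def split_double_extension(name):
    """Return (base, INNER, OUTER) when name matches BASE.INNER.OUTER in the worm's pattern, else None."""
    m = re.fullmatch(r"(.+)\.([A-Za-z]{3})\.([A-Za-z]{3})", name)
    if not m:
        return None
    base, inner, outer = m.group(1), m.group(2).upper(), m.group(3).upper()
    if inner in INNER_EXTS and outer in OUTER_EXTS:
        return base, inner, outer
    return None

def sircam_indicators(msg):
    """Names of the write-up's indicators that this message matches."""
    hits = []
    parts = split_double_extension(msg.attachment)
    if parts:
        hits.append("double_extension")
        # The subject is the attachment name without either extension.
        if msg.subject.strip().lower() == parts[0].lower():
            hits.append("subject_matches_attachment")
    if any(p in msg.body for p in BODY_PHRASES):
        hits.append("body_phrase")
    return hits

def is_suspected_sircam(msg):
    """Flag only when the double extension occurs together with at least one other indicator."""
    hits = sircam_indicators(msg)
    return "double_extension" in hits and len(hits) >= 2

# Constructed sample messages (not real captures).
SUSPECT = Message("SCRIPT", "Hi! How are you?\nI send you this file in order to have your advice\n"
                  "See you later. Thanks", "SCRIPT.DOC.PIF")
BENIGN = Message("Q3 report", "Attached is the report we discussed.", "report.doc")
```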
When run, the worm copies itself to "C:\RECYCLED\SirC32.exe" as well as "SCam32.exe" in the Windows System directory. It modifies two registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32="
HKEY_CLASSES_ROOT\exefile\shell\open\command=""C:\recycled\SirC32.exe" "%1" %*"
The first key causes the worm to run when Windows starts. The second causes the worm to be run whenever any .EXE program is executed. The worm gets a list of .DOC, .XLS and .ZIP files in the "My Documents" folder. It appends one of these files to the end of itself and saves the result to the Recycled folder, adding the second extension to the filename as listed previously. This file is attached to the emails that the worm sends.
The worm may make several copies of itself with different DOC, XLS or ZIP files attached, depending upon what it finds in the "My Documents" folder. It continually sends these copies out to addresses it finds in the Windows address book and Internet cache files, and may send multiple copies to the same address.
The worm also spreads using Windows shared drives. If it finds a share with a "RECYCLED" directory it copies itself into that directory with the name "SirC32.exe". If it finds an "AUTOEXEC.BAT" file on the share it adds the following line to it:
@win \recycled\SirC32.exe
Finally, it looks for "windows\rundll32.EXE" on the share and replaces it with the worm, renaming the original to "run32.exe". When the worm is executed from "rundll32.exe" it automatically executes the backup file "run32.exe".
The worm contains two payloads. One deletes all files and subdirectories on the hard drive on which Windows is installed (usually C:). The other writes a file called "SirCam.Sys" to the "Recycled" directory. Neither of these payloads is activated under normal circumstances, because of the bug in the worm's random number checking. However, they may be activated if one of the worm's files is renamed or modified before being run.
The above information is taken from Computer Associates.