W32/SirCam@mm

Analysis

  • Viral body is 137,216 bytes and was compiled with Delphi
  • Virus has an icon resembling an Internet Explorer document file
  • When executed, the virus writes itself to the local system inside the Recycle Bin, which is the folder named "Recycled" in the root of drive C: - one significance of this location is that some antivirus scanners skip the Recycle Bin by default, so the host infection can be missed
  • Virus creates copies of itself, without the appended data file, with a size of 137,216 bytes in these locations -

    C:\WINDOWS\SYSTEM\SCam32.exe
    C:\Recycled\SirC32.exe

  • Virus creates additional text files with ".dll" extensions -

    C:\WINDOWS\SYSTEM\scd.dll
    C:\WINDOWS\SYSTEM\sci1.dll

  • Virus modifies the registry so that it is run every time any EXE file is launched on the system -

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    "(Default)" = "C:\recycled\SirC32.exe" "%1" %*

    The original (clean) data value is -

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    "(Default)" = "%1" %*

    Because the worm's copy receives the intended program as its argument, the user's program still runs; deleting SirC32.exe without restoring this value leaves EXE files unable to launch, so restore the key before removing the file.

  • Virus modifies the registry to load at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    Driver32 = C:\WINDOWS\SYSTEM\SCam32.exe

  • Virus searches for data files that match the following extensions:

    .DOC, .GIF, .JPEG, .JPG, .MPEG, .MPG, .PDF, .PNG, .PS, .MOV, .ZIP, .PIF

    and writes the names of the files found, as text, to the hidden file "scd.dll"

  • Virus harvests email addresses by searching files stored on the local machine and writes them, as text, to the hidden file "sci1.dll"

  • Virus picks a data file from the list in "scd.dll" and appends it to its own binary to create a new file, which is then sent to others via email - because the appended document differs on every host, the attachment's size and hash vary from sample to sample, so neither is a reliable indicator; the 137,216-byte viral body at the start of the file is the constant part

  • The new file has a double extension - the original extension plus one of .LNK, .BAT, .EXE or .COM - for example ".DOC.LNK"

  • Virus sends itself to the addresses found on the local system

  • Virus also sends an additional email to a single address on the domain "farmasa.com.br", possibly as an attack on that person by the virus author - the "To:" header is crafted to look as if the message was sent to Microsoft, but that is not the actual destination of the email -

    To: inet@microsoft.com
    Subject: (filename prefix without the double extension)
    Attachment: double-extension file name
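The indicators above (the hijacked exefile command value, the RunServices entry, the double-extension attachment name and the fixed-size viral body with a document appended) can be checked with a few small functions. The following is an added example written for this page, not Fortinet's or the worm author's code; it works on values you have already exported (a registry data string, a RunServices name/value dictionary, an attachment filename or blob) rather than a live registry, so it runs anywhere. The sample inputs in the demo at the bottom are constructed.

```python
"""Triage helpers for the W32/SirCam@mm indicators listed above (added example)."""
import re

# Default (clean) data for HKCR\exefile\shell\open\command.
EXEFILE_CLEAN = '"%1" %*'

# Extensions the worm's scd.dll scan looks for, and the executable
# extensions it appends to build the double-extension attachment.
DATA_EXTS = {"doc", "gif", "jpeg", "jpg", "mpeg", "mpg", "pdf", "png",
             "ps", "mov", "zip", "pif"}
APPENDED_EXTS = {"lnk", "bat", "exe", "com"}

# Size of the viral body alone (the bare SCam32.exe / SirC32.exe copy).
VIRAL_BODY_SIZE = 137_216

# Shape of the hijacked value: "<interposed exe>" "%1" %*
_HIJACK_RE = re.compile(r'^"([^"]+)"\s+"%1"\s+%\*$')


def check_exefile_command(value):
    """Classify the (Default) data of HKCR\\exefile\\shell\\open\\command.

    Returns (status, interposed_path); status is "clean", "hijacked"
    (some executable has been put in front of "%1" %*) or "unexpected".
    """
    value = value.strip()
    if value == EXEFILE_CLEAN:
        return "clean", None
    m = _HIJACK_RE.match(value)
    if m:
        return "hijacked", m.group(1)
    return "unexpected", None


def check_runservices(values):
    """Return the RunServices entries whose data points at SCam32.exe.

    `values` maps value name -> data, as exported from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices.
    """
    return {name: data for name, data in values.items()
            if data.strip('"').lower().endswith("\\scam32.exe")}


def is_sircam_style_attachment(filename):
    """True for <name>.<data ext>.<lnk|bat|exe|com>, e.g. report.doc.lnk."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    _, data_ext, exe_ext = parts
    return data_ext in DATA_EXTS and exe_ext in APPENDED_EXTS


def split_attachment(blob, body_size=VIRAL_BODY_SIZE):
    """Separate the fixed-size viral body from the document appended to it.

    Returns (viral_body, document). The document is the victim's file that
    the worm leaked, so carving it out tells you what left the host;
    it is b"" for the bare 137,216-byte copies written to disk.
    """
    if len(blob) < body_size:
        raise ValueError("blob is shorter than the SirCam viral body")
    return blob[:body_size], blob[body_size:]


if __name__ == "__main__":
    # Constructed demo inputs; no real sample is used.
    print(check_exefile_command('"C:\\recycled\\SirC32.exe" "%1" %*'))
    print(check_runservices({"Driver32": "C:\\WINDOWS\\SYSTEM\\SCam32.exe"}))
    print(is_sircam_style_attachment("Report.DOC.LNK"))
    fake = bytes(VIRAL_BODY_SIZE) + b"%PDF-1.4 constructed document"
    print(len(split_attachment(fake)[1]), "bytes of appended document")
```

The exefile check deliberately reports "unexpected" for anything that is neither the clean default nor the `"<exe>" "%1" %*` shape, so a different hijack style is surfaced for manual review rather than silently passed.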

Recommended Action

  • Check the main screen of the FortiGate web interface to ensure that the latest AV/NIDS database has been downloaded and installed - if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

Product                    Level
FortiGate                  Extreme
FortiClient                Extended
FortiMail                  Extended
FortiSandbox               Extended
FortiWeb                   Extended
Web Application Firewall   Extended
FortiIsolator              Extended
FortiDeceptor              Extended
FortiEDR

Version Updates

Date         Version    Detail
2023-12-27   92.00101
2023-11-29   91.09265
2023-11-11   91.08706
2023-10-16   91.07922
2023-10-15   91.07904
2019-08-13   70.68900   Sig Updated
2019-06-28   69.58000   Sig Added
2018-10-30   63.81200   Sig Updated
2018-10-07   62.75400   Sig Added