W32/SirCam@mm
Analysis
- Viral body is 137,216 bytes and was coded in Delphi
- Virus has an icon resembling an Internet Explorer document file
- When executed, the virus writes itself to the local system inside the Recycle Bin, which is represented by the folder named "Recycled" in the root of drive C: - one significance of this location is that some antivirus scanners skip the Recycle Bin by default, so the resident copy can go unscanned
- Virus creates copies of itself in these locations, without the appended data file, with a size of 137,216 bytes:
C:\WINDOWS\SYSTEM\SCam32.exe
C:\Recycled\SirC32.exe
- Virus creates additional text files with ".dll" extensions:
C:\WINDOWS\SYSTEM\scd.dll
C:\WINDOWS\SYSTEM\sci1.dll
- Virus modifies the registry so that it is launched whenever any EXE file is run on the system:
HKEY_CLASSES_ROOT\exefile\shell\open\command
"(Default)" = "C:\recycled\SirC32.exe" "%1" %*
The original data value should be:
HKEY_CLASSES_ROOT\exefile\shell\open\command
"(Default)" = "%1" %*
Restore this value before deleting SirC32.exe: while the hijacked value is in place every EXE launch is routed through that file, and removing the file first leaves the system unable to start any executable
- Virus modifies the registry to load at Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Driver32 = C:\WINDOWS\SYSTEM\SCam32.exe
- Virus seeks data files matching the following extensions:
.DOC, .GIF, .JPEG, .JPG, .MPEG, .MPG, .PDF, .PNG, .PS, .MOV, .ZIP, .PIF
and writes the names of the files found, as text, to the hidden file "scd.dll"
- Virus scavenges email addresses by searching files stored on the local machine and writes them, as text, to the hidden file "sci1.dll"
- Virus picks a data file from the list in "scd.dll" and appends it to its own binary to create a new file, which is then sent to others via email - because the size and content of the captured file differ on every host, the mailed samples differ in size and hash from one victim to the next (a crude form of polymorphism), so detection of the mailed copy should not rely on file size or a whole-file hash
- The new file has a double extension - the original extension plus one of .LNK, .BAT, .EXE, .COM - for example ".DOC.LNK"
- Virus sends itself to the addresses found on the local system
- Virus also sends an additional email to a single address at the domain "farmasa.com.br", possibly as a targeted attack on that person by the virus author, in this format - the "To:" header is forged to appear as if the message was sent to Microsoft, but that address is not where the message is delivered:
To: inet@microsoft.com
Subject: (filename prefix without double extension)
Attachment: double extension file name
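The checks below are an added example, not Fortinet's code and not anything taken from the SirCam sample. They turn the indicators above into offline tests: classifying the exefile open-command value and the RunServices entries (passed in as strings so the script runs anywhere; on a live host you would read them with the winreg module), and flagging attachment names that carry the data-plus-executable double extension. The sample registry values and filenames in the `__main__` block are constructed for illustration; the clean `"%1" %*` value is the standard default for that key.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# HKCR\exefile\shell\open\command: a clean value runs the EXE itself ...
_CLEAN_CMD = re.compile(r'^\s*"%1"\s+%\*\s*$')
# ... a SirCam-style value runs an interposed program that receives the EXE as "%1".
_INTERPOSED_CMD = re.compile(r'^\s*"([^"]+)"\s+"%1"\s+%\*\s*$')

# Binaries SirCam drops (see the analysis above); compared case-insensitively.
SIRCAM_DROPPED = {"scam32.exe", "sirc32.exe"}

# Extensions SirCam harvests, and the executable extensions it appends to them.
DATA_EXTS = {"doc", "gif", "jpeg", "jpg", "mpeg", "mpg", "pdf", "png", "ps", "mov", "zip", "pif"}
EXEC_EXTS = {"lnk", "bat", "exe", "com"}


def classify_exefile_command(value: str) -> Tuple[str, Optional[str]]:
    """Return ("clean", None), ("hijacked", interposed_path) or ("nonstandard", value)."""
    if _CLEAN_CMD.match(value):
        return "clean", None
    m = _INTERPOSED_CMD.match(value)
    if m:
        return "hijacked", m.group(1)
    return "nonstandard", value.strip()


def suspicious_run_entries(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag RunServices/Run values that point at SirCam's dropped files or into the Recycle Bin."""
    hits = []
    for name, command in entries.items():
        path = command.strip().strip('"')
        base = ntpath.basename(path).lower()  # ntpath handles backslash paths on any OS
        if base in SIRCAM_DROPPED or "\\recycled\\" in path.lower():
            hits.append((name, path))
    return hits


def is_sircam_attachment_name(filename: str) -> bool:
    """True for names like BUDGET.DOC.LNK: a harvested data extension followed by an executable one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return parts[1] in DATA_EXTS and parts[2] in EXEC_EXTS


def triage(exefile_value: str, run_entries: Dict[str, str], attachment_names: List[str]) -> List[str]:
    """Combine the three checks into a list of findings (an empty list means nothing matched)."""
    findings = []
    status, detail = classify_exefile_command(exefile_value)
    if status == "hijacked":
        findings.append(f'exefile open command interposed by {detail}; restore to "%1" %* before deleting it')
    elif status == "nonstandard":
        findings.append(f"exefile open command is nonstandard: {detail}")
    for name, path in suspicious_run_entries(run_entries):
        findings.append(f"startup value {name} runs {path}")
    for att in attachment_names:
        if is_sircam_attachment_name(att):
            findings.append(f"attachment {att} uses a SirCam-style double extension")
    return findings


if __name__ == "__main__":
    # Constructed sample input mirroring the analysis above (not captured from a real host).
    sample_exefile = '"C:\\recycled\\SirC32.exe" "%1" %*'
    sample_run = {
        "Driver32": "C:\\WINDOWS\\SYSTEM\\SCam32.exe",
        "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",  # benign Win9x entry, for contrast
    }
    sample_attachments = ["Budget.DOC.LNK", "holiday.jpg", "setup.exe", "notes.pdf.bat"]
    for line in triage(sample_exefile, sample_run, sample_attachments):
        print(line)
```

The attachment check deliberately requires the data extension in the second-to-last position, so a plain `setup.exe` or a harvested `.PIF` on its own is not flagged; a mail gateway rule built from it catches the SirCam naming pattern without quarantining every executable attachment.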
Recommended Action
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option
Detection Availability
Product | Detection
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |