Virus

W32/SirCam@mm

Analysis

  • Viral body is 137,216 bytes and was coded using Delphi
  • Virus has an icon resembling an Internet Explorer document file
  • When executed, this virus writes itself to the local system in the Recycle Bin, represented by the folder named "Recycled" in the root of drive C: - one significant consequence of this method is that some antivirus scanners skip the Recycle Bin by default and so miss the host infection
  • Virus creates copies of itself in these locations, without the appended data file, with a size of 137,216 bytes -

    C:\WINDOWS\SYSTEM\SCam32.exe
    C:\Recycled\SirC32.exe

  • Virus creates additional text files with ".dll" extensions -

    C:\WINDOWS\SYSTEM\scd.dll
    C:\WINDOWS\SYSTEM\sci1.dll

  • Virus modifies the registry to run itself when any EXE file is run on the system -

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    "(Default)" = "C:\recycled\SirC32.exe" "%1" %*

    The original data value should be this -

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    "(Default)" = "%1" %*

  • Virus modifies the registry to load at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    Driver32 = C:\WINDOWS\SYSTEM\SCam32.exe

  • Virus seeks data files which match the following extension types:

    .DOC, .GIF, .JPEG, .JPG, .MPEG, .MPG, .PDF, .PNG, .PS, .MOV, .ZIP, .PIF

    and writes the names of the files found, as text, to a hidden file named "scd.dll"

  • Virus scavenges email addresses by searching in files stored on the local machine and writes them as text to a hidden file named "sci1.dll"

  • Virus picks a data file from the list in "scd.dll" and appends it to its own binary code to create a new file, which is sent to others via email - because the captured data file differs on each new host, this new file varies in size from sample to sample, a crude form of polymorphism

  • The new file will have a double extension - the original extension plus one of the following - .LNK, .BAT, .EXE, .COM - an example of the double extension might be ".DOC.LNK"

  • Virus will send itself to addresses found on the local system

  • Virus also sends an additional email to a single address on the domain "farmasa.com.br", possibly as a targeted attack on that person by the virus author, in the following format - the "To:" header is forged to make the message appear to have been sent to Microsoft, but that is not the actual destination of the email -

    To: inet@microsoft.com
    Subject: (filename prefix without double extension)
    Attachment: double extension file name
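As an added illustration (not part of the original bulletin), the following Python checks encode two of the observations above as detection logic: whether the exefile open command has had another program prepended to it, and whether a mail attachment and subject follow the double-extension naming pattern described. Function names and sample values are constructed for the example.

```python
from typing import List, Optional, Tuple

# Extension lists taken from the analysis above (compared case-insensitively).
DATA_EXTS = {"doc", "gif", "jpeg", "jpg", "mpeg", "mpg", "pdf", "png", "ps", "mov", "zip", "pif"}
EXEC_EXTS = {"lnk", "bat", "exe", "com"}

# Clean default handler for EXE files; anything placed in front of it runs before every EXE.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'


def exefile_command_hijacked(value: str) -> Optional[str]:
    """Return the interposed program if HKCR\\exefile\\shell\\open\\command is altered, else None."""
    v = value.strip()
    if v == EXPECTED_EXEFILE_COMMAND:
        return None
    if v.endswith(EXPECTED_EXEFILE_COMMAND):
        # Pattern seen here: "<dropped exe>" "%1" %*  -> report the dropped exe path
        return v[: -len(EXPECTED_EXEFILE_COMMAND)].strip().strip('"')
    return v  # some other unexpected value; report it whole


def has_double_extension(filename: str) -> bool:
    """True for <name>.<data ext>.<executable ext>, e.g. Budget.DOC.LNK."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    _, inner, outer = parts
    return inner in DATA_EXTS and outer in EXEC_EXTS


def flag_message(subject: str, attachments: List[str]) -> List[Tuple[str, bool]]:
    """Return (attachment, subject_matches_prefix) for each attachment carrying the double extension.

    The second field is True when the Subject equals the filename prefix without the double
    extension, the stronger signal described above."""
    hits = []
    for name in attachments:
        if has_double_extension(name):
            prefix = name.rsplit(".", 2)[0]
            hits.append((name, subject.strip().lower() == prefix.lower()))
    return hits


if __name__ == "__main__":
    # Constructed sample values, not taken from a real infection.
    print(exefile_command_hijacked('"C:\\recycled\\SirC32.exe" "%1" %*'))  # C:\recycled\SirC32.exe
    print(flag_message("Budget", ["Budget.DOC.LNK", "notes.txt"]))  # [('Budget.DOC.LNK', True)]
```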

Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option