SirCam worm slithers through inboxes
When it comes to use of social engineering in malware, the SirCam worm must be among the most insidious. The worm propagated itself in the usual way via email attachment. But SirCam didn’t carry a new email attachment—the typical “invoice” or “delivery confirmation” PDF.
Instead, the worm traveled inside a file from infected user’s own computer. This means that an infected computer might send a user’s entire address book a file that looked legitimate and contained confidential information.
Sircam is particularly menacing because it includes a routine to add a document from the infected computer to the email messages it sends out to new victims. The document added is chosen from one of the documents in the user's 'My Documents' folder; this behavior may result in confidential material being released.
The worm's body is 137216 bytes long but when it comes as an email attachment, it appears larger in size due to the document attached to its body.
Origins of the SirCam worm
SirCam was first identified in the wild on July 17, 2001. Although the subject line and attachment varied as SirCam spread, with the subject line drawn from the selected document, the message inside the carrying email did not. The English version read “Hi! How are you?” and “See you later. Thanks,” while the Spanish version stated, “Hola como estas?” and “Nos vemos pronto, gracias.”
Sircam sends emails with variable user names and subject fields, and attaches user documents with double extensions (such as .doc.pif or .xls.lnk) to them. Messages sent by Sircam look like this:
When a Sircam-infected email attachment is opened it shows the document it picked up from the sender machine's. The file is displayed with the appropriate program according to its extension:
- '.DOC': WinWord.exe or WordPad.exe
- '.XLS': Excel.exe
- '.ZIP': winzip.exe
This effectively disguises the worm's activity. While the user is checking the document the system get infected (as described above).
When the worm runs on a clean system it copies itself to different locations with different names. The worm copies itself as 'SirC32.exe' to \Recycled\ folder. The default EXE file startup Registry key:
is changed to '""[windows_drive]\recycled\SirC32.exe" "%1" %*"'. This is done to activate a worm's copy every time an EXE file is started. Since the recycled folder name is hard coded, the worm does not work on machines with NTFS filesystem. Most Windows NT and 2000 systems are installed on NTFS. The worm copies itself as 'SCam32.exe' in the System directory. The worm then creates a startup key for this file in the Registry to be started during all Windows sessions:
- [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "Driver32" = "\SCam32.exe"
The worm copies itself as 'rundll32.exe' file to Windows directory. The original 'rundll32.exe' file is renamed to 'run32.exe'. This copy exists only if a computer got infected through a network share (see below).
Sometimes (once out of 33 cases) the worm places its copy to Windows directory with the 'ScMx32.exe' name. In this case another copy of the worm is created in the current user's personal startup folder as 'Microsoft Internet Office.exe'. This copy will be started when a user who got infected logs into a system.
This worm also uses Windows network shares to spread.
When doing this, it first enumerates all the network shares available to the infected computer. If there there is a writeable \recycled\ folder on a share, a copy of the worm is put to \\[share]\recycled\' folder as 'SirCam32.exe' file.
The virus may be affecting more small and midsize companies than larger companies because they may not have the financial resources to defend against such attacks..
The potential for damage is compounded by the fact that commercial antivirus scanning engines may not always identify the worm as harmful. That means companies need to maintain multilevel lines of defense in corporate networks, including firewalls and multiple antivirus software packages at the gateway, groupware and client.