
Ironworks Gaming Forum

Old 07-21-2001, 06:10 AM   #1
Memnoch
Ironworks Moderator
 

Join Date: February 28, 2001
Location: Boston/Sydney
Posts: 11,771
I apologize for posting this here as it's offtopic, but my computer was infected with the w32.SirCam.worm@mm virus last night and it sent itself to a whole bunch of people. I only found out when I checked my email and found 38 messages from people I didn't know. I did recognize a lot of names from here, but as to how it sent itself to you guys I have no idea as I don't even have most of your email addresses in my address book.

The email account that would have sent this virus was mestacio@bigpond.net.au. PLEASE DELETE ANY FILES THAT YOU MAY HAVE RECEIVED FROM THIS EMAIL ACCOUNT.

Click here for the Symantec fix to this very annoying virus. I have duplicated the removal instructions below.

Once again, I'm very sorry about this.



To remove the worm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Sircam.Worm@mm.

To empty the Recycle Bin:
Right-click on the Recycle Bin and then click Empty Recycle Bin. You can also use Windows Explorer to delete the file C:\recycled\Sircam.sys if it is present.

To edit the Autoexec.bat file:
1. Click Start, and click Run.
2. Type the following, and then click OK.

edit c:\autoexec.bat

The MS-DOS Editor opens.

3. Remove the line "@win \recycled\sirc32.exe" if it is present.
4. Click File and then click Save.
5. Exit the MS-DOS Editor

To edit the registry:
The worm modifies the registry such that an infected file is executed every time that you run an .exe file. Follow these instructions to fix this.


Copy Regedit.exe to Regedit.com:

1. Do one of the following, depending on which operating system you are running:
   Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt.
   Windows NT/2000 users:
      1. Click Start, and click Run.
      2. Click Browse, and browse to the \Winnt\system32 folder.
      3. Double-click the Command.com file, and then click OK.
2. Type copy regedit.exe regedit.com and press Enter.
3. Type start regedit.com and press Enter.
4. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps.

NOTE: This will open Registry Editor in front of the DOS window. After you finish editing the registry and have closed Registry Editor, close the DOS window.

To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.

1. Navigate to and select the following key:

HKEY_CLASSES_ROOT\exefile\shell\open\command

CAUTION: The HKEY_CLASSES_ROOT key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey.
Do not modify the HKEY_CLASSES_ROOT\.exe key.
Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey that is shown in the following figure:


<<=== NOTE: This is the key that you need to modify.


2. Double-click the (Default) value in the right pane.
3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

NOTE: The Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"

4. Make sure you completely delete all value data in the command key prior to typing the correct data. If a space is left accidentally at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." or "Cannot locate C:\ ."
5. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\Software\SirCam

CAUTION: Make sure that you go all the way down to the SirCam key, and that it is selected. It will look similar to the following:

6. With the SirCam key selected, press Delete. This will delete the key and all of its subkeys. Since this key was created by the worm it can be safely deleted.
7. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

8. In the right pane, look for and select the value

Driver32.

9. Press Delete, and then click Yes to confirm.



------------------
Memnoch is offline  
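The checks in the removal steps above, collected into one script. This is an added example, not part of the original post or of Symantec's instructions; it assumes the registry has been exported as REGEDIT4-style text, writes the last key as RunServices (the spelling Windows uses), and runs on constructed sample data.

```python
import re

# Indicators named in the removal steps above (keys lower-cased for matching).
EXE_CMD_KEY = r"hkey_classes_root\exefile\shell\open\command"
EXE_CMD_CLEAN = '"%1" %*'
SIRCAM_KEY = r"hkey_local_machine\software\sircam"
RUNSERVICES_KEY = (r"hkey_local_machine\software\microsoft\windows"
                   r"\currentversion\runservices")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse string values of a REGEDIT4 export into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            # Undo the export's escaping of backslashes and quotes.
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def sircam_findings(reg, autoexec):
    """Return a list of the thread's SirCam indicators that are still present."""
    found = []
    cmd = reg.get(EXE_CMD_KEY, {}).get("")
    if cmd is not None and cmd != EXE_CMD_CLEAN:  # also catches a stray leading space
        found.append("exefile open command is %r" % cmd)
    if any(k == SIRCAM_KEY or k.startswith(SIRCAM_KEY + "\\") for k in reg):
        found.append("Software\\SirCam key present")
    if "driver32" in reg.get(RUNSERVICES_KEY, {}):
        found.append("Driver32 value present under RunServices")
    for line in autoexec.splitlines():
        if r"\recycled\sirc32.exe" in line.lower():
            found.append("autoexec.bat line: " + line.strip())
    return found

# Constructed sample inputs (not captured from a real machine).
SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\SirCam]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\constructed\\placeholder.exe"
'''
SAMPLE_AUTOEXEC = "@echo off\n@win \\recycled\\sirc32.exe\n"

if __name__ == "__main__":
    for finding in sircam_findings(parse_reg(SAMPLE_REG), SAMPLE_AUTOEXEC):
        print(finding)
```

An empty result after cleanup means the exefile command is exactly "%1" %* and none of the other indicators remain; a value with a leading space is still reported, matching the warning in step 4.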
Old 07-21-2001, 06:16 AM   #2
Xanthul
Symbol of Cyric
 

Join Date: March 1, 2001
Location: Outside my place
Age: 42
Posts: 1,283
You can also go to
www.pandasoftware.com
then in the virus alert list click on "w32/sircam", then on "in-depth information" where you'll find what this virus does and a download of a program that will clean it out

PS: Mario can you use MSN ?

------------------
"I wish my Angel was here... I fear nothing with her" -Ertai, Captive of the Blinding Angel
Xanthul is offline  
Old 07-21-2001, 01:40 PM   #3
Cloudbringer
Ironworks Moderator
 

Join Date: March 1, 2001
Location: Upstate NY USA
Posts: 19,737
Hey Mems! Yes, nasty thing, that one....sigh... I opened it at work, not having seen your post or Z's. Not pretty.

Hope you got your system repaired, it does some serious messing up of the registry and files can be deleted.

see Z's thread: http://www.tgeweb.com/cgi-bin/ubb/No...ML/002371.html

Cloudy

------------------


Raindancer of the Laughing Hyenas Clan
Storm-Queen
StormCloud of the Black Knight: Heart Mind Soul Forever
"To sleep, perchance to dream..."
Cloudbringer is offline  
Old 07-21-2001, 09:54 PM   #4
sylent
Emerald Dragon
 

Join Date: January 8, 2001
Location: Melbourne, Australia
Age: 40
Posts: 948
I got that too, but I deleted it, so that is good.

These viruses seem to go around fairly often don't they... after the MSN one that just hit recently, I got an email from both Memnoch and Ertai, with the same message, though I think the one Javi sent me was in Spanish, so I couldn't make much sense of that...

cheers for now

------------------
"Watch your back"
sylent is offline  
Old 07-21-2001, 10:05 PM   #5
Waluin
Avatar
 

Join Date: June 23, 2001
Location: Toledo, OH
Posts: 598
I got it, but I was able to kill it. Danke!
Waluin is offline  
Old 07-22-2001, 07:21 PM   #6
adam warlock
Ma'at - Goddess of Truth & Justice
 

Join Date: January 7, 2001
Location: I live inside of my mind.....
Age: 53
Posts: 3,234
a lot of worms going around...


just to add:
I usually use Norton's LiveUpdate about once or twice a week and scan for viruses once a week with Norton.

got hit three times one with a happy99 worm and twice with a kak virus for the past 3 years.... never again...


[This message has been edited by adam warlock (edited 07-22-2001).]
adam warlock is offline  
Old 07-22-2001, 10:07 PM   #7
Larry_OHF
Ironworks Moderator
 

Join Date: March 1, 2001
Location: Midlands, South Carolina
Age: 48
Posts: 14,759
I don't have the money for a virus scan.
I guess I need to be extra careful.

------------------

Devoted member of the Ironworks
Loyal guardian of the OHF
Member of the Ancients' club
Witness of the 4,000th post by Cloudposter
Currently engaged in the Trials of the Luremaster downloadable expansion set
Larry_OHF is offline  
Old 07-23-2001, 03:57 AM   #8
sylent
Emerald Dragon
 

Join Date: January 8, 2001
Location: Melbourne, Australia
Age: 40
Posts: 948
I don't have a virus scan program either...
I like to live dangerously!

------------------
"Watch your back"
sylent is offline  
Old 07-23-2001, 06:23 AM   #9
Memnoch
Ironworks Moderator
 

Join Date: February 28, 2001
Location: Boston/Sydney
Posts: 11,771
Quote:
Originally posted by sylent:
I don't have a virus scan program either...
I like to live dangerously!

I used to live dangerously...till last Friday.

------------------
Memnoch is offline  
Old 07-23-2001, 09:30 AM   #10
Kormar the Wanderer
Manshoon
 

Join Date: June 1, 2001
Location: Land of Hymdale
Posts: 238
Memnoch, if you get a chance could you get ahold of me over at Mithril Hall? I got to the point of editing the registry and am completely clueless as to what to do after that (and yes I have the instructions printed out, but I'm a technical retard when it comes to computers...) Any help would be appreciated. By the way, how much of a difference would it make if I don't disconnect my modem and allow someone to give me step by step instructions?

------------------
"Beware fool that you put too much stock in the power of the spoken word, lest the unspoken one trample you from behind."
Kormar
Kormar the Wanderer is offline  
 




All times are GMT -4.