Peter Ferrie, Péter Ször
Virus Bulletin, September 2001, pp. 8-10
ISSN 0956-9979
Although SirCam made a name for itself sending out random files and personal documents from infected PCs, not all of the information that spread with Win32/SirCam was spread by the worm itself. Almost as soon as updated descriptions of SirCam were posted to Web sites, selected texts from these descriptions appeared on other sites, complete with identical spelling errors and inaccuracies.
Evidently the emerging complexity of new 32-bit worms is proving a tough challenge for every one of us in this business: if ExploreZip was boring and difficult to analyse, SirCam was a major pain. SirCam's author tried to make sure that the analysis would not be straightforward. The worm is written in a high-level language, but all the string constants (including its email message) are encrypted in such a way that it took a little while to decrypt completely (at least for some of us).
Win32/SirCam usually arrives as an attachment to an email. This attachment is special, because it contains not only SirCam itself, but an additional file (attached to the end of SirCam), which has been 'stolen' from the Personal or Desktop directory of the sender's computer.
When this attachment is run, SirCam will detach the stolen file and display it. The way in which the file is displayed depends on its suffix. If the suffix is .doc, SirCam will attempt to run WinWord. If this fails, then WordPad will be used instead. If the suffix is .xls, SirCam will run Excel. If the suffix is .zip, SirCam will run WinZip. If the suffix matches none of these, SirCam will run rundll32. Even in the event that no suitable application can be found to display the file, SirCam will install itself in the system. There is the additional risk that the stolen file might contain confidential information, or even macro viruses, in the case of WinWord and Excel documents, which SirCam will help to spread further.
SirCam begins installation by attempting to copy itself into the Recycle Bin. It is assumed that this is called 'Recycled', and that it is located on the drive that contains Windows (the hard-coded directory name is the one thing that prevents SirCam from functioning correctly in Windows NT/2000/XP, in which the Recycle Bin is named 'Recycler').
Once SirCam has placed itself in the Recycle Bin, where it is hidden from the view of programs such as Explorer, SirCam will copy itself to the System directory, using the name 'SCam32.exe'. A new value, Driver32, is placed in the RunServices key in the registry, which refers to the SCam32.exe file. Thus, the worm will run whenever Windows is booted.
Additionally, SirCam.exe installs itself as the application that handles requests to run other .exe files, by changing the exefile Open key (HKCR\exefile\shell\open\command) in the registry. In this way, SirCam gains control whenever an application is run. This is not a new technique. In fact, the PrettyPark worm was one of the first viruses to utilize this technique, more than two years ago.
Not content with such control, SirCam will also watch for requests to run applications in the Desktop directory (referred to by ...\Explorer\Shell Folders\Desktop in the registry). When such a request is made, SirCam will prepend itself to the specified file, before running the application! Thus, even if the registry is restored and the files are removed from the Recycle Bin, infected files could remain in the Desktop directory.
After installation is complete, SirCam will search the local network for computers which allow unrestricted access. SirCam will copy itself to the Recycled directory on each unprotected computer that is found and append a line to the Autoexec.bat file. The line will run the SirCam file from the Recycle Bin whenever the computer is booted. Then SirCam will rename rundll32.exe to run32.exe in the Windows directory on the remote computer, and create another copy of SirCam in its place. Neither the copying of the SirCam files to remote computers nor the emailing to other users occurs in Windows NT/2000/XP; however, each of the other effects can be observed.
The date-activated trigger is checked at this point, however two factors prevent it from working. The least significant of these factors is the dependency on the date format used by the computer, which SirCam requires to be dd/mm/yy (as opposed to mm/dd/yy, for example). However, the more significant factor is that the trigger contains a random component, but the random number generator is never initialized, resulting in there being no chance of producing the required condition.
Unfortunately, there are two other ways in which the payload can be activated. One is by renaming one of the three files, SirC32.exe, SCam32.exe, or rundll32.exe, to another name and running that file. The other is to run an attachment whose stolen file contains the characters 'FA2' not followed immediately by the characters 'sc'. The payload deletes all files in all directories on the drive that contains Windows.
The missing randomiser initialization prevents SirCam from copying itself to the Windows directory as ScMx32.exe, and copying itself to the Startup directory (referred to by ...\Explorer\Shell Folders\Startup in the registry) as Microsoft Internet Office.exe. It also prevents SirCam from creating, on October 16, a file that fills the remaining disk space.
When SirCam is run for the first time, it will change Internet Explorer's Download directory (referred to by HKCU\Software\Microsoft\Internet Explorer\Download Directory in the registry) to point to the Desktop directory, in order to maximize the use of the prepending routine mentioned earlier.
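As an added example (not the article's or the worm's code), the three registry changes described above, written as a check a responder could run over a registry snapshot. The function name `sircam_registry_indicators`, the snapshot dicts and the hijacked command string are assumptions and constructed data; the full path of the RunServices key is the standard Windows 9x one.

```python
# Added example, not the article's code: checks an offline registry snapshot
# for the three registry changes the article attributes to SirCam. The
# snapshot is a constructed dict of "key\value" -> data, standing in for
# values a responder would read with winreg on a live machine.

# Stock launcher for .exe files; SirCam replaces it to run before every program.
DEFAULT_EXEFILE_OPEN = '"%1" %*'

RUNSERVICES = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
SHELL_FOLDERS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
IE_DOWNLOAD = r"HKCU\Software\Microsoft\Internet Explorer\Download Directory"


def sircam_registry_indicators(reg: dict) -> list:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    # 1) RunServices\Driver32 pointing at SCam32.exe (boot persistence).
    driver32 = reg.get(RUNSERVICES + r"\Driver32", "")
    if "scam32.exe" in driver32.lower():
        findings.append("RunServices\\Driver32 runs " + driver32)
    # 2) exefile open command no longer the stock '"%1" %*' (exe hijack).
    exe_open = reg.get(r"HKCR\exefile\shell\open\command\(Default)", DEFAULT_EXEFILE_OPEN)
    if exe_open.strip() != DEFAULT_EXEFILE_OPEN:
        findings.append("exefile open handler replaced by " + exe_open)
    # 3) IE Download Directory redirected onto the Desktop folder.
    desktop = reg.get(SHELL_FOLDERS + r"\Desktop", "").lower().rstrip("\\")
    download = reg.get(IE_DOWNLOAD, "").lower().rstrip("\\")
    if desktop and download == desktop:
        findings.append("IE Download Directory redirected to " + desktop)
    return findings


# Constructed snapshots for demonstration (not captured from a real system).
INFECTED = {
    RUNSERVICES + r"\Driver32": r"C:\WINDOWS\SYSTEM\SCam32.exe",
    r"HKCR\exefile\shell\open\command\(Default)": r'C:\Recycled\SirC32.exe "%1" %*',
    SHELL_FOLDERS + r"\Desktop": r"C:\WINDOWS\Desktop",
    IE_DOWNLOAD: r"C:\WINDOWS\Desktop",
}
CLEAN = {
    r"HKCR\exefile\shell\open\command\(Default)": '"%1" %*',
    SHELL_FOLDERS + r"\Desktop": r"C:\WINDOWS\Desktop",
    IE_DOWNLOAD: r"C:\My Download Files",
}

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, sircam_registry_indicators(snap))
```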
During the second execution, SirCam will gather email addresses into files stored in the System directory. SirCam searches for email addresses in Internet Explorer's Cache directory (referred to by HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache in the registry), the user's Personal directory (referred to by HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal in the registry), and the directory that contains the Windows Address Books (referred to by HKCU\Software\Microsoft\WAB\WAB4\Wab File Name in the registry), in files whose name begins with 'sho', 'get', or 'hot', or whose suffix is 'htm' or 'wab'.
Thus, SirCam creates a file called scy1.dll, which contains the addresses from %cache%\sho* files, sch1.dll contains the addresses from %cache%\get* and %cache%\hot* files, sci1.dll contains the addresses from %cache%\*.htm files, sct1.dll contains the addresses from %personal%\*.htm files, and scw1.dll contains the addresses found in *.wab files.
If the Address Book registry key is not found, SirCam will search for WAB files in the System directory instead. After creating the lists of email addresses, SirCam will search for files to attach to the emails that it will send. The list that is created consists of the name of every .doc, .xls, and .zip file in the user's Personal and Desktop directories and is called scd.dll. An apparent oversight on the part of SirCam's author prevents the inclusion of .exe files in the list.
On the third and subsequent runs, and if an active connection to the Internet exists, SirCam will retrieve the information required to send email using SMTP. Sending mail using SMTP avoids relying on an email program such as Outlook. The SMTP information consists of the current user's email address (HKCU\Software\Microsoft\Internet Account Manager\Default Mail Account\Accounts\SMTP Email Address in the registry), the address of the email server (HKCU\Software\Microsoft\Internet Account Manager\Default Mail Account\Accounts\SMTP Server in the registry) and the user's display name (HKCU\Software\Microsoft\Internet Account Manager\Default Mail Account\Accounts\SMTP Display Name in the registry).
If, for some reason, this information does not exist, SirCam will use prodigy.net.mx as the email server, and the user's logon name as the email address and display name. Then SirCam will attempt to connect to an email server. First, it will try the user's own email server (or prodigy.net.mx). If this fails, SirCam will attempt to connect to the email server of the person who sent the infected email. This is possible because SirCam carries within it the email information of the previously infected person. If this connection fails, then SirCam will attempt to connect to goeke.net, then enlace.net, then doubleclick.com.mx.
If one of the connections to an email server is successful, an email is constructed in the following way: if the language used on the current user's computer is Spanish, SirCam will send email in Spanish, otherwise it will use English.
The email body consists of three lines. The first line of the email body is always 'Hola como estas?' in Spanish, and 'Hi! How are you?' in English; the third line is always 'Nos vemos pronto, gracias.' in Spanish, and 'See you later. Thanks' in English. The second line is chosen from the following list, in Spanish:
and, in English:
However, since the randomiser is not initialized, the choice is reduced to the first line alone, until October 16, or until SirCam has been run at least 8000 times, at which point the last line can be chosen, too.
As long as an active connection to the Internet exists, SirCam will send email to every address in each of the email lists that it created. It will send an email three times to each address in the scw1.dll list, then once each to all the other addresses, in the order: scy1.dll, sch1.dll, shi1.dll, and sht1.dll, before starting again with scw1.dll.
SirCam keeps the current mailing position in the registry, so if the connection is broken and restored later, SirCam can continue to send mail as though it were never interrupted.
Interestingly, SirCam ensures that the current user never receives an email from SirCam. In the case that the recipient is the current user, SirCam will send the mail instead to the email address otrorollo@esmas.com.
For each email it sends, SirCam will randomly select a file from the scd.dll list, prepend itself to that file, attach an additional extension, chosen randomly from 'pif', 'lnk', 'bat', or 'com', and send the email. The lack of the randomiser initialisation has no impact on the emailing routine. If an Internet connection exists for long enough, eventually every recipient will receive multiple copies of every file in the list, and among those copies all four of the random extensions will be represented. To avoid overloading email servers, SirCam remains idle for one minute between sending each email.
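As an added example (not code from the article or the worm), a gateway-style triage of an attachment that applies two facts stated above: the double-extension naming of the stolen .doc/.xls/.zip file (pif, lnk, bat or com appended), and the payload trigger from the earlier paragraph ('FA2' in the stolen file not immediately followed by 'sc'). The function names are assumptions, and the document bytes are assumed to have already been carved from the worm body.

```python
import re

# Added example, not the article's or the worm's code: a mail-gateway-style
# triage of an attachment using two facts the article states about SirCam.
# 1) Attachments are a stolen .doc/.xls/.zip with a second extension
#    (pif, lnk, bat or com) appended.
# 2) The destructive payload runs if the stolen file contains 'FA2'
#    not immediately followed by 'sc'.
DOC_EXTS = {"doc", "xls", "zip"}
SECOND_EXTS = {"pif", "lnk", "bat", "com"}
TRIGGER = re.compile(rb"FA2(?!sc)")


def is_sircam_style_name(filename: str) -> bool:
    """True for names such as 'Presupuesto.xls.lnk'; a single extension is not enough."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    _, inner, outer = parts
    return inner in DOC_EXTS and outer in SECOND_EXTS


def stolen_file_triggers_payload(document: bytes) -> bool:
    """Apply the article's trigger condition to the carved (stolen) document bytes."""
    return TRIGGER.search(document) is not None


def triage(filename: str, document: bytes) -> dict:
    """Combine both checks; 'document' is assumed to be the already-carved stolen file."""
    return {
        "double_extension": is_sircam_style_name(filename),
        "payload_trigger": stolen_file_triggers_payload(document),
    }


if __name__ == "__main__":
    # Constructed samples, not real captures.
    print(triage("Presupuesto.xls.lnk", b"Q3 budget ... FA2 total"))
    print(triage("report.doc.pif", b"ref FA2sc only"))
    print(triage("readme.txt", b"plain text"))
```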
In some ways, SirCam's success has had much to do with luck: the emails SirCam constructs are unintentionally malformed such that it appears, to some email scanning products, that the mail contains no attachment. This has allowed the worm to slip past some gateway scanners, though this is far from the sole reason for SirCam's widespread distribution.
Evidently SMTP propagation is the hot topic of the year. Even the first Win32 mass-mailer, Parvo (see VB, January 1999) used an SMTP engine. However, most of the worms that have utilized SMTP mailing so far have got a few things wrong. Thanks to the implementation mistakes and bugs, it was a little while before SMTP worms could take their real place. Most of the previous worms have lacked some important detail in their spreading mechanism. For instance, Magistr often sends clean files or files that will not run on the recipients' computers because of some missing DLLs. As VBS creations are controlled with proactive technologies, so virus writers turn their attention to the creation of more dangerous binary worms. One thing is for sure: there is more to come!
| W32/SirCam.worm | |
|---|---|
| Aliases: | W32.Sircam.Worm@mm, Win32/SirCam@mm, Backdoor.SirCam. |
| Type: | Win32 SMTP mass-mailer worm, prepender. |
| Payload: | Propagates confidential files, attempts to delete all files on disk, attempts to eat up free space on disk. |
| Removal: | Fix registry and modified files, delete standalone worm copies, restore infected ones from backups. |