SirCam Virus - very detailed info

Medea

Golden Member
Dec 5, 2000
CERT Advisory CA-2001-22 W32/Sircam Malicious Code
Systems Affected:
* Microsoft Windows (all versions)

Overview

"W32/Sircam" is malicious code that spreads through email and potentially through unprotected network shares. Once the malicious code has been executed on a system, it may reveal or delete sensitive information.

I. Description

W32/Sircam can infect a machine in one of two ways:
* When executed by opening an email attachment containing the malicious code
* By copying itself into unprotected network shares

Propagation Via Email
<snipped - already posted to this forum>

When the attachment is opened, the copied file is extracted to both the %TEMP% folder (usually C:\WINDOWS\TEMP) and the Recycled folder on the affected system. The original file is then opened using the appropriate default viewer while the infection process continues in the background.

W32/Sircam includes its own SMTP client capabilities, which it uses to propagate via email. It determines its recipient list by recursively searching for email addresses contained in all *.wab (Windows Address Book) files in the %SYSTEM% folder. Additionally, it searches the folders referred to by
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
for files containing email addresses. All addresses found are stored in SC??.DLL or S??.DLL files hidden in the %SYSTEM% folder.

W32/Sircam first attempts to send messages using the default email settings for the current user. If the default settings are not present, it appears to use one of the following SMTP relays:
* prodigy.net.mx
* NetBIOS name for 'MAIL'
* mail.<defaultdomain> (e.g., mail.example.org)
* dobleclick.com.mx
* enlace.net
* goeke.net

Propagation Via Network Shares

In addition to email-based propagation, analysis by anti-virus vendors suggests that W32/Sircam can spread through unprotected network shares. Unlike the email propagation method, which requires a user to open an attachment to infect the machine, propagation of W32/Sircam via network shares requires no human intervention.

If W32/Sircam detects Windows networking shares with write access, it
1. copies itself to \\[share]\Recycled\SirC32.EXE
2. appends "@ win\Recycled\SirC32.exe" to AUTOEXEC.BAT

If the share contains a Windows folder, it also
3. copies \\[share]\Windows\rundll32.exe to \\[share]\Windows\run32.exe
4. copies itself to \\[share]\Windows\rundll32.exe
5. when virus is executed from rundll32.exe, it calls run32.exe

Infection process

1. When installed on a victim machine, W32/Sircam installs a copy of itself in two hidden files:
+ %SYSTEM%\SCam32.exe
+ Recycled\SirC32.exe

Installing in Recycled may hide it from anti-virus software since some do not check this folder by default. Based on external analyses, there is also a probability that W32/Sircam will copy itself to the %SYSTEM% folder as ScMx32.exe. In that case, another copy is created in the folder referred to by
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup (the current user's personal startup folder). The copy created in that location is named Microsoft Internet Office.exe. When the affected user next logs in, this copy of W32/Sircam will be started automatically.

2. The registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32 is set to %SYSTEM%\SCam32.exe so that W32/Sircam will run automatically at system startup.

3. The registry entry HKEY_CLASSES_ROOT\exefile\shell\open\command is set to "C:\Recycled\SirC32.exe" "%1" %*", causing W32/Sircam to execute whenever another executable is run.

4. A new registry entry, HKEY_LOCAL_MACHINE\Software\SirCam, is created to store data required by W32/Sircam during execution.

5. W32/Sircam searches for filenames with .DOC, .XLS, .ZIP extensions in the folders referred to by
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

While the personal folder may vary with configuration, it is often set to \My Documents or Windows\Profiles\%username%\Personal. A list of these files is stored in %SYSTEM%\scd.dll.

6. W32/Sircam attaches its own binary to selected files it finds and stores the combined file in the Recycled folder.

II. Impact

W32/Sircam can have a direct impact on both the computer which was infected as well as those with which it communicates over email.
* Breaches of confidentiality: The malicious code will at a minimum search through select folders and mail potentially sensitive files. This form of attack is extremely serious since it is one from which it is impossible to recover. Once a file has been publicly distributed, any potentially sensitive information in it cannot be retracted.
* Limit Availability (Denial of Service)
+ Fill entire hard drive: Based on external analyses, on any given day, there is a probability that it will create a file named C:\Recycled\sircam.sys which consumes all free space on the C: drive. A full disk will prevent users from saving files to that drive, and in certain configurations impede system-level tasks (e.g., swapping, printing).
+ Propagation via mass emailing: W32/Sircam will attempt to propagate by sending itself through email to addresses obtained as described above. This propagation can lead to congestion in mail servers that may prevent them from functioning as expected.
NOTE: Since W32/Sircam uses native SMTP routines connecting to pre-defined mail servers, propagation is independent of the mail client software used.
* Loss of Integrity: Published reports indicate that on October 16 there is a reasonable probability that W32/Sircam will attempt to recursively delete all files from the drive on which Windows is installed (typically C).

III. Solution
<snipped: run AV, exercise caution w/attachments, etc.>
The effects of this class of malicious code are activated only when the file in question is executed.
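As an added example (not part of the CERT advisory or of this thread), the persistence indicators the advisory lists, checked against a registry export (.reg text) and AUTOEXEC.BAT contents. The sample inputs below are constructed for the example, and the function names `parse_reg` and `sircam_indicators` are this example's own.

```python
import re

# Constructed sample data (not a real capture): a .reg-style export and an
# AUTOEXEC.BAT as they would look on a machine showing the advisory's indicators.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Recycled\\SirC32.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\SirCam]
"data"="(constructed placeholder)"
'''
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n@win \\Recycled\\SirC32.exe\r\n"

SECTION_RE = re.compile(r'^\[(.+)\]\s*$')          # [HKEY_...\Key]
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')   # "Name"=... or @=... (default value)

def parse_reg(text):
    """Parse a .reg export into {lower-cased key path: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(2).strip().strip('"')
    return keys

def sircam_indicators(reg_text, autoexec_text):
    """Return a list of the CA-2001-22 persistence indicators present in the input."""
    keys = parse_reg(reg_text)
    found = []
    svc = keys.get(r"hkey_local_machine\software\microsoft\windows\currentversion\runservices", {})
    if "scam32.exe" in svc.get("Driver32", "").lower():
        found.append("RunServices\\Driver32 points at SCam32.exe")
    cmd = keys.get(r"hkey_classes_root\exefile\shell\open\command", {})
    if "sirc32.exe" in cmd.get("@", "").lower():
        found.append("exefile\\shell\\open\\command wraps every .exe launch with Recycled\\SirC32.exe")
    if r"hkey_local_machine\software\sircam" in keys:
        found.append("HKLM\\Software\\SirCam key present")
    # Both forms seen in the thread: "@ win\Recycled\SirC32.exe" and "@win c:\recycled\sirc32.exe".
    for line in autoexec_text.splitlines():
        if re.search(r"@\s*win\b.*sirc32\.exe", line, re.IGNORECASE):
            found.append("AUTOEXEC.BAT line: " + line.strip())
    return found

if __name__ == "__main__":
    for hit in sircam_indicators(SAMPLE_REG, SAMPLE_AUTOEXEC):
        print(hit)
```

A hit on the exefile command is the one to restore first: while it is in place, SirC32.exe is started by every .exe launch (the scanner included), which is why the Recycled copy shows as in use.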
 

Medea

Golden Member
Dec 5, 2000
The little blurb is also noteworthy, i.e.:
"Published reports indicate that on October 16 there is a reasonable probability that W32/Sircam will attempt to recursively delete all files from the drive on which Windows is installed (typically C)."
 

shikhan

Senior member
Mar 15, 2001
I know I got sent the files but I don't think I'm infected... the NU sircam scanner didn't pick anything up, running NAV now. But I did notice that I lost all emails in 3 folders in my OE program [grrr]. It makes me think I'm infected but I can find no sign of the virus anywhere... gahh!!
 

Linux23

Lifer
Apr 9, 2000
Does McAfee (?) virus software get rid of this? I had a client call me last night about this, and McAfee found the virus, but did not know how to recover these files infected by the virus!
 

Medea

Golden Member
Dec 5, 2000
That's one of the little critter's abilities. From CERT:

"Users who receive copies of the malicious code through electronic mail might recognize the sender. We encourage users to avoid opening attachments received through electronic mail, regardless of the sender's name, without prior knowledge of the origin of the file or a valid digital signature."

 

Piano Man

Diamond Member
Feb 5, 2000
My friend has it and NO MATTER WHAT, I can't GET the SIRCAM.EXE erased from his C:\Recycled folder. I've done EVERYTHING. I ran a virus scanner, I went into the registry and deleted it. I didn't find anything in the autoexec.bat. I then deleted the rest from the windows/system. Now that damn file is in the C:\Recycled, but I can't see it, and when the virus scanner tries to clean it, it can't because it is being used by another program, but there aren't other programs running. If I try to find it in DOS, it can't find it. I'm so frustrated. :(
 

rudder

Lifer
Nov 9, 2000
I received 4 emails yesterday from various people infected with this thing.
 

BooneRebel

Platinum Member
Mar 22, 2001
You can also look for it to modify your autoexec.bat to run the virus. Something like @win c:\recycled\sirc32.exe