Vanagon EuroVan
Date:         Wed, 22 Aug 2001 21:02:09 -0500
Reply-To:     wilden1@JUNO.COM
Sender:       Vanagon Mailing List <vanagon@gerry.vanagon.com>
From:         Stan Wilder <wilden1@JUNO.COM>
Subject:      Re: a virus warning-had it fixed it!
Comments: To: vgonman@earthlink.net
Content-Type: text/plain

McAfee has a free stand-alone program that will remove it; just go there and download it. It handles all of the required fixes that are listed below. Search for SCam or SirCam; it will be about a 1.2 meg download. This virus came attached as a picture file.

Stan Wilder

On Wed, 1 Aug 2001 19:04:23 -0700 "Sean B." <vgonman@EARTHLINK.NET> writes:
> My company got hit with this bug last week. It was a bitch and a half to
> get it removed (I know because I work in the IT dept. and had to clean it
> off about 100 machines).
>
> Here is an excerpt from Symantec's site about the removal of the virus...
>
> The meat of it is, no matter what removal tool you use, you should manually
> do these 3 things...
>
> 1) do a Full system (all files) virus scan on your PC.
> 2) do a search for the file "run32.exe". If you find it, rename it to
>    "rundll32.exe"
> 3) check the autoexec.bat file and remove any line that reads "@win
>    \recycled\sirc32.exe" (I have seen PCs that have had this line repeated 87
>    times!). MAKE SURE THAT YOU SCROLL DOWN THROUGH THE WHOLE FILE! I've seen
>    that virus put 2 pages of blank lines, THEN its own line.
>
>
> To edit the registry:
> The worm modifies the registry such that an infected file is executed every
> time that you run a .exe file. Follow these instructions to fix this.
>
> Copy Regedit.exe to Regedit.com:
> Because the worm modified the registry so that you cannot run .exe files, you
> must first make a copy of the Registry Editor as a file with the .com
> extension, and then run that.
> 1. Do one of the following, depending on which operating system you are
>    running:
>    Windows 95/98 users: Click Start, point to Programs, and click MS-DOS
>    Prompt.
>    Windows ME users: Click Start, point to Programs, point to Accessories,
>    and then click MS-DOS Prompt.
>    Windows NT/2000 users:
>    1. Click Start, and click Run.
>    2. Click Browse, and browse to the \Winnt folder.
>    3. Double-click the Command.com file, and then click OK.
> 2. Type the following and then press Enter:
>
>    copy regedit.exe regedit.com
>
> 3. Type the following and then press Enter:
>
>    start regedit.com
>
> 4. Proceed to the section "To edit the registry and remove keys and changes
>    made by the worm" only after you have accomplished the previous steps.
>
> NOTE: This will open the Registry Editor in front of the DOS window. After
> you finish editing the registry and have closed Registry Editor, close the
> DOS window.
>
> To edit the registry and remove keys and changes made by the worm:
>
> CAUTION: We strongly recommend that you back up the system registry before
> making any changes. Incorrect changes to the registry can result in
> permanent data loss or corrupted files. Please make sure you modify only
> the keys specified in this document. For more information about how to back
> up the registry, please read How to back up the Windows registry before
> proceeding with the following steps. If you are concerned that you cannot
> follow these steps correctly, then please do not proceed. Consult a computer
> technician for more information.
> 1. Navigate to and select the following key:
>
>    HKEY_CLASSES_ROOT\exefile\shell\open\command
>
>    CAUTION: The HKEY_CLASSES_ROOT key contains many subkey entries that refer
>    to other file extensions. One of these file extensions is .exe. Changing
>    this extension can prevent any files ending with an .exe extension from
>    running. Make sure you browse all the way along this path until you reach
>    the \command subkey.
>    Do not modify the HKEY_CLASSES_ROOT\.exe key.
>    Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey that is
>    shown in the following figure:
>
>    (Embedded image moved to file: pic08454.gif) <<=== NOTE: This is the key
>    that you need to modify.
>
> 2. Double-click the (Default) value in the right pane.
> 3. Delete the current value data, and then type: "%1" %* (That is, type the
>    following characters: quote-percent-one-quote-space-percent-asterisk.)
>
>    NOTE: The Registry Editor will automatically enclose the value within
>    quotation marks. When you click OK, the (Default) value should look
>    exactly like this: ""%1" %*"
>
> 4. Make sure that you completely delete all value data in the command key
>    prior to typing the correct data. If a space is left accidentally at the
>    beginning of the entry, any attempt to run program files will result in
>    the error message, "Windows cannot find .exe." or "Cannot locate
>    C:\ <path and file name>."
> 5. Navigate to and select the following key:
>
>    HKEY_LOCAL_MACHINE\Software\SirCam
>
>    CAUTION: Make sure that you go all the way down to the SirCam key, and
>    that it is selected. It will look similar to the following figure:
>
>    (Embedded image moved to file: pic17402.gif)
>
> 6. With the SirCam key selected, press Delete and then click Yes to confirm.
>    This will delete the key and all of its subkeys. Since this key was
>    created by the worm it can be safely deleted.
> 7. Navigate to and select the following key:
>
>    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
>
> 8. In the right pane, look for and select the value
>
>    Driver32.
>
> 9. Press Delete, and then click Yes to confirm.
>
> To remove the worm:
> 1. Run LiveUpdate to make sure that you have the most recent virus
>    definitions.
> 2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that
>    NAV is set to scan all files.
> 3. Delete any files detected as W32.Sircam.Worm@mm.
>
> NOTE: If you are using Windows Me, and a copy of the worm is detected in the
> _Restore folder, NAV cannot remove it from that folder, as it is protected by
> Windows. See the document Cannot repair, quarantine, or delete a virus found
> in the _RESTORE folder.
>
> To empty the Recycle Bin:
> Because of the way that files are placed there in this case, you cannot just
> click Empty Recycle Bin as you would with files that are deleted in the
> normal manner. Instead, use Windows Explorer to delete the file
> C:\Recycled\Sircam.sys if it is present.
>
> To edit the Autoexec.bat file:
> 1. Click Start, and click Run.
> 2. Type the following, and then click OK.
>
>    edit c:\autoexec.bat
>
>    The MS-DOS Editor opens.
>
> 3. Remove the line "@win \recycled\sirc32.exe" if it is present.
> 4. Click File and then click Save.
> 5. Exit the MS-DOS Editor.
>
> To rename the Run32.exe file:
> If this file exists, it should be renamed back to its original name.
>
> NOTE: As an alternative, you can extract the file from the Windows
> installation files. See your Windows documentation for information on how to
> do this.
> 1. Click Start, point to Find or Search, and then click Files or Folders.
> 2. Make sure that "Look in" is set to (C:) and that Include subfolders is
>    checked.
> 3. In the "Named" or "Search for..." box, type--or copy and paste--the
>    following file names:
>
>    run32.exe
>
> 4. Click Find Now or Search Now.
> 5. Right-click the Run32.exe file and then click Rename.
> 6. Rename it to:
>
>    RUNDLL32.exe
>
> 7. Press Enter.
>
>
> Sean B.
> '90 V'gon, "Happy Bus", pseudo Wolfy
> Torrance, CA
> http://vgonman.vwtrek.com
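The removal steps quoted above boil down to a handful of persistence indicators: the hijacked `HKEY_CLASSES_ROOT\exefile\shell\open\command` default value (which must read exactly `"%1" %*`, with no leading space), the worm's own `HKLM\Software\SirCam` key, the `Driver32` value under `RunServices`, the `@win \recycled\sirc32.exe` line buried at the bottom of autoexec.bat, and the renamed `run32.exe` / dropped `C:\Recycled\Sircam.sys`. The script below is an added example, not code from the original post, Symantec or McAfee. It audits those indicators offline from artifacts copied off the suspect machine: a `regedit /e` export (the real REGEDIT4 text format), the autoexec.bat text, and a list of file paths from a directory listing. Every sample input in it is constructed for illustration; the paths the worm writes into the registry values are assumed, since the post only names the value and key names.

```python
"""Offline triage for the SirCam persistence indicators in the steps above.

Added example (not from the post, Symantec or McAfee).  Nothing here has to
run on the infected box: feed it a `regedit /e` export, autoexec.bat, and a
file listing.  All sample inputs are constructed; the value *data* shown for
the worm's registry entries is assumed, only the names come from the post.
"""
import re

# Registry paths from the removal steps, lower-cased because registry key
# and value names are case-insensitive.
EXEFILE_CMD = r"hkey_classes_root\exefile\shell\open\command"
SIRCAM_KEY = r"hkey_local_machine\software\sircam"
RUNSERVICES = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
CLEAN_EXEFILE_CMD = '"%1" %*'   # what (Default) must be, byte for byte
# Matches '@win \recycled\sirc32.exe' regardless of case or stray spaces.
AUTOEXEC_LINE = re.compile(r"^\s*@?\s*win\s+\\recycled\\sirc32\.exe\s*$", re.I)


def _unquote(token):
    # Strip a .reg string token's quotes and undo its backslash escapes.
    token = token.strip()
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        token = token[1:-1]
    return re.sub(r"\\(.)", r"\1", token)


def parse_reg(text):
    """REGEDIT4 / 'Windows Registry Editor' export -> {key: {name: data}}.
    The (Default) value is stored under the name "".  Non-string data
    (dword:, hex:) is kept as the raw token; names containing '=' are not
    handled, which is fine for the keys audited here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "REGEDIT", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else _unquote(name).lower()
        keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def audit_registry(reg_text):
    """Return (finding, detail) pairs for the registry changes the worm makes."""
    keys = parse_reg(reg_text)
    findings = []
    cmd = keys.get(EXEFILE_CMD, {}).get("")
    if cmd is not None and cmd != CLEAN_EXEFILE_CMD:
        if cmd.strip() == CLEAN_EXEFILE_CMD:
            # The leading-space trap step 4 warns about: .exe launches fail.
            findings.append(("exefile handler has stray whitespace", repr(cmd)))
        else:
            findings.append(("exefile handler hijacked", cmd))
    if SIRCAM_KEY in keys:
        findings.append(("worm key present", SIRCAM_KEY))
    if "driver32" in keys.get(RUNSERVICES, {}):
        findings.append(("RunServices persistence", keys[RUNSERVICES]["driver32"]))
    return findings


def clean_autoexec(text):
    """Drop every worm line wherever it sits (including after pages of blank
    padding) and the trailing padding itself.  Returns (new_text, removed)."""
    lines = text.splitlines()
    kept = [ln for ln in lines if not AUTOEXEC_LINE.match(ln)]
    removed = len(lines) - len(kept)
    while kept and not kept[-1].strip():
        kept.pop()
    return "\n".join(kept) + "\n", removed


def check_files(paths):
    """Given paths from a listing of C:, flag the renamed run32.exe and the
    dropper the Recycle Bin cannot empty."""
    lowered = {p.lower().replace("/", "\\") for p in paths}
    names = {p.rsplit("\\", 1)[-1] for p in lowered}
    findings = []
    if "run32.exe" in names:
        findings.append("run32.exe present: rename back to rundll32.exe")
    if "rundll32.exe" not in names:
        findings.append("rundll32.exe missing")
    if any(p.endswith("recycled\\sircam.sys") for p in lowered):
        findings.append("C:\\Recycled\\Sircam.sys present: delete it")
    return findings


# ---- constructed samples (value data is assumed, not from the post) -------
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\sirc32.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\SirCam]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\recycled\\sirc32.exe"
'''
SAMPLE_AUTOEXEC = ("@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"
                   + "\n" * 40 + "@win \\recycled\\sirc32.exe\n" * 3)
SAMPLE_FILES = ["WINDOWS\\run32.exe", "Recycled\\Sircam.sys", "autoexec.bat"]

if __name__ == "__main__":
    for f in audit_registry(SAMPLE_REG):
        print("REG :", *f)
    print("AUTOEXEC: removed %d worm line(s)" % clean_autoexec(SAMPLE_AUTOEXEC)[1])
    for f in check_files(SAMPLE_FILES):
        print("FILE:", f)
```

Run it against a real export by reading the three artifacts from disk instead of the samples. The comparison in `audit_registry` is deliberately exact rather than stripped, so the stray-space mistake the quoted instructions warn about shows up as its own finding instead of passing as clean; and `clean_autoexec` scans the whole file rather than the first screen, which is the "scroll down through the whole file" point above.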
