Welcome to TalkGraphics.com
  1. #1
    Join Date
    Oct 2000
    Location
    Essex, UK
    Posts
    223

    Default

    I know that several subscribers to this forum, and particularly Gary, have received several emails containing the SIRCAM worm and I'm wondering how you go about removing it if you catch it as soon as it's come down and the attachment has not been opened.

    Some time ago I received one of these emails (yes Gary, just one) and all I did to get rid of it was to trash the associated email and attachment. I then emptied the Trash can (I use Eudora Pro 5.1) and then to ensure all was gone I emptied the Recycle Bin as well. A little after that though my PC became a little unstable and although a scan revealed nothing, I finished up having to reinstall Windows. My question really is this: was that the correct way to remove it, as it's not as if I had opened anything so it could distribute itself about my PC ready to wreak its havoc.

    Tonight a few minutes ago my partner received a SIRCAM email and we followed the same procedure. In fact I must thank Gary for starting the thread several weeks ago about this worm otherwise I would not have known what to look for. My copy of Norton Antivirus (v5.0) didn't catch my email and neither did it catch my partner's tonight. I've just been on the Symantec site and downloaded a file containing some updated files (not virus defs but program files) - perhaps upgrading to the latest version may help as well.

    Any come back on this would be appreciated.

    Thanks

    Tracey

  3. #3
    Join Date
    Jun 2001
    Location
    California
    Posts
    113

    Default

    Tracey,

    I use McAfee antivirus and update their virus definitions monthly. Their website has info on the SIRCAM virus including how to remove it manually if you are confident in editing the Windows registry:


    http://vil.mcafee.com/dispVirus.asp?...l_instructions

  4. #4
    Join Date
    Aug 2000
    Location
    My balcony overlooking Tower Bridge, London - no, I'm poor!
    Posts
    48

    Default

    I'm sending you via email a tiny file I got from McAfee. Run it and it'll do the removal business for you.


    Oh, I see your email add isn't available. Mail me jg26@iname.com if you still need that removal file - it's only 70k

  5. #5
    Join Date
    Aug 2000
    Location
    Placitas, New Mexico, USA
    Posts
    41,530

    Default

    How are you? I send you this file to totally messup your system.

    See you.

    !@#$%^&*()_+!!!

    Tracey --

    If you have not opened any of the attachments, you should be OK. Does your anti-virus software flag the messages when they arrive in your mailbox? And if so, do you select Delete? It should and you should.

    You can go to McAfee's Web Site to find more information for making sure the virus is not on your machine.

    I have received some messages with the code following the message which I think might have been a problem had I been using Outlook Express which might have activated the code even though there was no attachment.

    I discovered that McAfee VirusScan flags the message and advises to delete the attachment. But it does not delete the message. So I can see who is sending the message and have tried to respond to every message informing the sender of the problem and solution.

    I received over 500 messages with virus infected attachments from one person at a fictitious e-mail address. This went on for about two weeks. I am so thankful I downloaded POP 3 Scan Mailbox. It is a life saver. I was able to enter the offending e-mail address and delete all the messages from this person, Jerry Burman (anyone know him?) before downloading my mail.

    I complained to Earthlink's tech support who told me to e-mail the header to abuse@earthlink.net. I did, and continued to do so for over 10 days. Every time I sent a message to abuse I received an automated reply. Finally I received a telephone call from the abuse dept (after I spent 30 minutes on the phone with the tech support supervisor) and Jerry Burman and his virus-infested messages are gone (knock wood).

    Every time I attempted to e-mail Earthlink's tech support people about the problem, I received a long message telling me what the SIRCAM virus is and how to remove it from my computer.

    They don't even read the messages, they just fire off a canned response that comes closest to what they think the question is.

    Would I recommend Earthlink.net to anybody?

    Fat chance.

    Gary

    Gary Priester

    Moderator Person

    Be it ever so humble... (http://home.earthlink.net/~garypriester)
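
Deleting one sender's messages on the server before they are downloaded, as Gary describes above, can be scripted against any POP3 mailbox. The sketch below is an added example, not part of the original thread and not code from POP 3 Scan Mailbox; the names `purge_sender` and `FakeMailbox` and the sample addresses are assumptions made for illustration.

```python
from email.parser import BytesHeaderParser
from email.utils import parseaddr


def purge_sender(conn, blocked, dry_run=True):
    """Return the numbers of messages whose From address is in `blocked`.

    `conn` is a logged-in poplib.POP3 / POP3_SSL object, or anything with the
    same list/top/dele methods. Only headers are fetched (TOP n 0), so the
    attachment never reaches the client. With dry_run=False each match is
    also marked for deletion; POP3 commits deletions when the session QUITs.
    """
    blocked = {addr.lower() for addr in blocked}
    hits = []
    _, listing, _ = conn.list()                  # entries look like b"1 4096"
    for entry in listing:
        num = int(entry.split()[0])
        _, lines, _ = conn.top(num, 0)           # headers only, zero body lines
        headers = BytesHeaderParser().parsebytes(b"\r\n".join(lines))
        _, addr = parseaddr(str(headers.get("From", "")))
        if addr.lower() in blocked:
            hits.append(num)
            if not dry_run:
                conn.dele(num)
    return hits


class FakeMailbox:
    """Constructed stand-in for a POP3 server so the example runs offline."""

    def __init__(self, senders):
        self.senders = senders                   # one From value per message
        self.deleted = []

    def list(self):
        sizes = [b"%d 100" % (i + 1) for i in range(len(self.senders))]
        return b"+OK", sizes, 0

    def top(self, num, _body_lines):
        hdr = [b"From: " + self.senders[num - 1], b"Subject: constructed", b""]
        return b"+OK", hdr, 0

    def dele(self, num):
        self.deleted.append(num)
        return b"+OK"
```

Run it with `dry_run=True` first and review the returned message numbers before letting it delete anything.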

  6. #6
    Join Date
    Nov 2000
    Location
    Red Boiling Springs TN USA
    Posts
    19,208

    Default

    One of the people I work with had SirCam infect her PC. Norton Antivirus corporate edition 7.5 (with the most recent update) detected the virus and said it was quarantined. NOT!
    Norton only isolated one part of the virus, the portion that installs as a service (SCam32.exe); the other part (SirC32.exe) was not detected at all.

    Using McAfee's manual method I was able to clean the remaining portions of the virus and repair the registry.

    BTW for any Outlook users, if you have auto-preview enabled you don't have to open an attachment for it to infect your computer. Auto-preview opens it in the background!

    Soquili
    a.k.a. Bill Taylor
    Bill is no longer with us. He died on 10 Dec 2012. We remember him always.

  7. #7
    Join Date
    Dec 2000
    Location
    the twilight zone
    Posts
    1,238

    Default

    I recently read this trick:

    You know that the virus spreads by using your address book (in Outlook/Outlook Express).

    If you add a new entry that you name !00000 and you don't give it an e-mail, it'll place itself on top of your book. A virus will meet this one first and you will get a warning from Outlook that it is unable to send your mail because there is no address. And so you know when Outlook tries to mail behind your back.

    This does not remove the virus but at least you know when something odd is happening.

    I had McAfee, and one out of three times my whole system crashed when installing the file or version updates.

  8. #8
    Join Date
    Jun 2001
    Location
    California
    Posts
    113

    Default

    I also used to have my system freeze or lock up while updating the McAfee virus dat files. I have an older version and should download the SuperDat file instead of the regular DAT files. That stopped the crash/freeze problems. I don't know if that applies to you, but if your version is 4.1.20 or lower SuperDat updates should not give you those problems.

  9. #9
    Join Date
    Oct 2000
    Location
    Essex, UK
    Posts
    223

    Default

    Hi

    I'd like to thank everybody for your replies. I've now done some further checks on my partner's PC and I think we're OK. I was worried that perhaps just deleting the file may NOT have been all that was necessary but it looks like that is all providing you DON'T open the infected file beforehand otherwise you'll have problems - and we didn't in either case. This really is a salutary lesson in keeping your virus defs up-to-date and the number of people out there who THINK they are safe with the original defs are very much at risk of infecting other people. Anyway we're clear now and I'd just like to say thanks to all those who responded to my message.

    Tracey
