
VIRUS ALERT

 
Well, this is not the famous and widely publicized "Code Red Worm", so please read the information below carefully. 
The Egyptian Castle has received thousands of emails from many of our regular viewers around the world with the virus attached to their emails, which indicated to us that the senders were simply unaware that their computer was infected and are unknowingly spreading the virus to everyone on their contact list.  

A description of the virus, how to check whether your computer contains it, and how to remove it follow, courtesy of http://www.mcafee.com.

 

W32/SirCam
DESCRIPTION - What virus is this?
This is a HIGH RISK virus that is spread to email recipients found in the Windows Address Book and addresses found in cached files. The infected email can come from addresses that you recognize. Attached is a file with two different extensions. The file name itself varies.

The email message can appear as follows:
Subject: [filename (random)]
Body:
Hi! How are you?

I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for
See you later. Thanks

--- the same message may be received in Spanish ---

Hola como estas ?
Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste
Nos vemos pronto, gracias.

 

PAYLOAD - What can this virus do?
When the attachment is run, the document is saved to the C:\RECYCLED folder and then opened, while the virus copies itself to C:\RECYCLED\SirC32.exe to conceal its presence and creates a registry key value to load itself whenever .EXE files are executed.

The virus searches for .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder and attempts to send copies of these documents to email recipients found in the Windows Address Book and addresses found in cached files.

DETECTION AND REMOVAL - How can I detect and remove this virus?
Scan Your System for Infected Files
  1. McAfee.com VirusScan Online and Clinic users, click here to perform a Scan.
  2. If W32/SirCam@MM is found, use the delete option to remove it.
Manual Removal

If you are unable to use the W32/SirCam@MM standalone removal tool (SCRMOVE2.zip, see http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp#sircam), then you need to remove the worm manually. Directions follow.

IMPORTANT: Users with 24-hour Internet connectivity and/or those on a network need to disconnect the computer from these sources. Follow the removal procedures for all computers as well as the server. Before reconnecting computers to the network or Internet, shared files and/or drives should be password protected or have sharing disabled altogether. Contact your network administrator for assistance and advice concerning file sharing.

Edit the Registry
  1. Copy Regedit.exe to Regedit.com:
    • Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt.
    • Windows ME users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
    • Windows NT/2000 users:
      1. Click Start, and click Run.
      2. Click Browse, and browse to the \Winnt folder.
      3. Double-click the Command.com file, and then click OK.
  2. Type the following and then press Enter:
    • copy regedit.exe regedit.com

 

Back Up the Registry

  1. Click on the Start button.
  2. Click on Run.
  3. Type REGEDIT.com in the Open field.
  4. Click the OK button. The Registry Editor window will appear.
  5. Click on the Registry pull-down menu.
  6. Click on Export Registry File.
  7. In the File Name field type "backup" (without the quotation marks).
  8. In the Save In field be sure that the desktop is selected (if it is not, click on the pull down menu and select "Desktop").
  9. Select "All" in the Export Range group box.
  10. Click on the Save button. The registry will then be saved.
  11. Click the X in the top right corner to close the Registry Editor.
NOTE: You now have a backup of your Registry saved as "backup" on your desktop. If you need to restore the Registry you can double-click on the "backup" file located on the desktop. Once these instructions are complete and everything is running properly be sure to delete this backup file by right-clicking on it then left-clicking on Delete from the pop-up menu that appears. This will ensure that the old registry is not accidentally restored once the worm has been removed.

Remove the Worm Entries from the Registry

As you go through this process, you will be asked to confirm each change. Make sure that the change is correct, then confirm each change.

  1. Click the Start button.
  2. Click on Run.
  3. Type in REGEDIT.com in the Open field.
  4. Click the OK button. The Registry Editor window will appear.
  5. Click on the plus sign next to HKEY_CLASSES_ROOT.
  6. Click on the plus sign next to exefile.
  7. Click on the plus sign next to shell.
  8. Click on the plus sign next to open.
  9. Single-click on command so it is highlighted.
  10. On the right side of the screen is a Name column and a Data column. Locate and right-click on (Default) under the Name column.
  11. A pop-up menu will appear. Left-click on Modify.
  12. The Edit String dialog box will appear with the value highlighted. Delete all text in the Value and type the following characters (WITHOUT THE BRACKETS): ["%1" %*] If you are unsure of how the characters should be, the following is a spelled out version of the correct characters: quote, percentage, one, quote, space, percentage, asterisk.
  13. Click the OK button to close the Edit String dialog box.
  14. On the left side of the screen click on the minus sign next to open.
  15. Click on the minus sign next to shell.
  16. Click on the minus sign next to exefile.
  17. Click on the minus sign next to HKEY_CLASSES_ROOT.
  18. Click on the plus sign next to HKEY_LOCAL_MACHINE.
  19. Click on the plus sign next to SOFTWARE.
  20. Single click on the SIRCAM folder so it is highlighted, then hit delete.
  21. Click the plus sign next to Microsoft.
  22. Click the plus sign next to Windows.
  23. Click the plus sign next to CurrentVersion.
  24. Single click on the RunServices Folder so it is highlighted.
  25. On the right side of the screen is a Name column and a Data column. Under the Name column locate and single-click on Driver32 = C:\WINDOWS\SYSTEM\SCam32.exe so it is highlighted.
  26. Press the Delete key on the keyboard to remove the entry.
  27. Close the Registry Editor by clicking the X in the top right corner.
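
As an added example (not part of the original page or of McAfee's instructions), the Python code below checks an exported registry file, such as the "backup" export saved to the desktop earlier, for the three registry entries the steps above remove or reset. It assumes a REGEDIT4 text export already read into a string; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators named in the removal steps above (key paths compared lowercased).
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_COMMAND = '"%1" %*'
SIRCAM_KEY = r"hkey_local_machine\software\sircam"
RUNSERVICES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"

# A string value line: @="data" or "name"="data"; dword/hex lines are skipped.
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # In .reg string data a backslash protects the next character.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Map lowercased key path -> {value name: string data}; '' is (Default)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
                current[name] = unescape(m.group(2))
    return keys

def find_sircam_entries(text):
    """Return (indicator, data) pairs for the registry entries the steps remove."""
    keys, found = parse_reg(text), []
    command = keys.get(EXEFILE_KEY, {}).get("")
    if command is not None and command != CLEAN_COMMAND:
        found.append(("exefile open command", command))
    if SIRCAM_KEY in keys:
        found.append(("SirCam key", SIRCAM_KEY))
    for name, data in keys.get(RUNSERVICES_KEY, {}).items():
        if name.lower() == "driver32":
            found.append(("RunServices Driver32", data))
    return found

# Constructed sample export (not captured from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\SirCam]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"
'''
```

Calling find_sircam_entries on an export taken after the cleanup should return an empty list; any entry it still reports means the backup file predates the removal and should not be restored.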
Scan to Remove the Worm:

  1. Connect to the Internet.
  2. Go to http://www.mcafee.com.
  3. Enter your password and email address, and click the Login button.
  4. Near the top-left of the page, locate the "Site Shortcuts" drop-down menu.
  5. Click the drop-down arrow and choose Scan, from under VirusScan Online. A new page will then load.
  6. Click the "Start" link in the box: Current users click here to start.
  7. If you are using this service for the first time you will then see a page with a "Start Download" link. Click on the "Start Download" link to download the necessary components.
  8. In the Scan In box select the drive you would like to scan (C: drive, etc). Then click the Scan button located in the lower right corner.
  9. The program will then scan the selected drive for viruses. If a virus is found a notification will appear in the Scan Results box. Delete infected files if they cannot be cleaned.
Windows ME Info:

NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. If the scan turns up an infected file in the C:\_restore folder follow these instructions to remove the infected files.

Disabling the Restore Utility

  1. Right click the My Computer icon on the Desktop and choose PROPERTIES.
  2. Click on the Performance Tab.
  3. Click on the File System button.
  4. Click on the Troubleshooting Tab.
  5. Put a check mark next to "Disable System Restore".
  6. Click the Apply button.
  7. Click the Close button.
  8. Click the Close button again.
  9. You will be prompted to restart the computer. Click Yes. NOTE: The Restore Utility will now be disabled.
  10. Browse to the C:\_Restore folder and remove the infected files.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and System Restore is once again active.

Check the Autoexec.bat file:

No reference to the worm may be found here, but it is best to double check.

  1. Click Start, and click Run.
  2. Type the following, and then click OK.
    • sysedit

    The MS-DOS Editor opens.

  3. A screen with 5 windows stacked will open. The first window will be the Autoexec.bat window.
  4. Search for the following line (no quotations): "@win \recycled\sirc32.exe"
  5. Delete only this portion if you find it.
  6. Click File and then click Save.
  7. Exit the MS-DOS Editor.
Empty the Recycle Bin:

Do not simply click on "Empty Recycle Bin" as you would normally. You must use Windows Explorer to delete the file C:\Recycled\Sircam.sys if it is present.


The Egyptian Castle Copyright © Magic Enterprise 1997-2001  
e-mail:Egyptiancastle@egyptiancastle.com