back to list

watch out for a virus that says need your help, or advice

🔗Lawrence Ball <Lawrenceball@...>

7/25/2001 5:33:50 PM

Dear All
I received a virus yesterday which came as an attachment. Thankfully I did
not open the attachment having read the email below which I enclose for your
attention. I'm not sure if it affects macintoshes as well as windows/PC.
best wishes
Lawrence

PS apologies if you received this twice - I sent it to my entire book to
save time.

----------------------------------------------------------------------------

Message: 17
Date: Wed, 25 Jul 2001 05:58:42 -0000

Subject: Sir Cam Virus....How To Remove....

Haven't the Sir Cam Virus mentionned on the list and since it is
wreaking havoc with a lot of email thought it might be useful for
anyone who doesn't know about it.

It takes the form of an email from a friend that says need your
advice or something on that order...don't open the attachment and
delete immediately.

In case you did open the attachment, here's McCaffe's removal
instructions ( I use Norton Antivirus myself so I haven't checked the
validity of the instructions)

Use specified engine and DAT files for detection and removal.
Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected
files automatically to the C:\_Restore folder. This means that an
infected file could be stored there as a backup file, and VirusScan
will be unable to delete these files. These instructions explain how
to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse
the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step
5 remove the check mark next to "Disable System Restore". The
infected file's are removed and the System Restore is once again
active.

Registry Entries:
The W32/SirCam@M... virus makes changes to the registry.

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

HKLM\Software\Sircam

In Infected state: HKCR\exefile\shell\open\command
\Default="C:\recycled\SirC32.exe" "%1"%*

In Clean state this should be: HKCR\exefile\shell\open\command
\Default=""%1"%*"

Note that manual modification of registry items is dangerous and
should not be needed at all as VirusScan will clean all the registry
items automatically.

🔗jpehrson@...

7/26/2001 9:27:14 AM

--- In crazy_music@y..., Lawrence Ball <Lawrenceball@p...> wrote:

/crazy_music/topicId_718.html#718

Yes, I received this virus as well. It's large, about 2 megs.
Fortunately, I *never* open attachments from people I don't know, so
I wouldn't have opened it anyway, but happened to be alerted to this
virus through the free service "mcafee dispatch":

http://dispatch.mcafee.com/

_________ _______ _________
Joseph Pehrson