/\ _ /\ Hi, How Are You /\ _ /\ A Dangerous Virus! by suprman: 1:47pm On Aug 08, 2008
Pls help o.
My network is infected by what i think is a virus . eachtime i open a window like My Computer and so on what i see is /\ _ /\ Hi, how are you /\ _ /\. and just yesterday one of my systems loose all user files mysteriously. i scan with my bitdefender antivirus but it sees nothing , what can i do? pls help
thnx for ur response
Re: /\ _ /\ Hi, How Are You /\ _ /\ A Dangerous Virus! by uspry1(f): 4:15pm On Aug 08, 2008
Description of SirCam virus(cause, what it look like, how it attack):

I-Worm.Sircam.A is an Internet and network worm similar to I-Worm.Magistr.A. The virus spreads through e-mail using its own SMTP routine, sending itself to addresses from the Address Book and from cache or through the shared directories.

It is transmitted through a message with a randomly chosen subject and body, in the form of a combination between the virus infection routine and a file chosen randomly from My Documents.

The original name of the file is kept, but an executable extension is added (.pif, .exe, .lnk).

Users who do not have the option to see attachment extensions activated, will only see the original extension and can be easily fooled.

The body message is as follows:
Subject: Document file name (without extension)
From: [user_of_infected_machine@prodigy.net.mx]
To: [random@email.from.address.book]

Hi! How are you?
I send you this file in order to have your advice


I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for

See you later! Thanks

or, in Spanish:

Subject: Document file name (without extension)
From: [user_of_infected_machine@prodigy.net.mx]
To: [random@email.from.address.book]

Hola como estas ?
Te mando este archivo para que me des tu punto de vista


Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informacion que me pediste

Nos vemos pronto, gracias.

If the attachment is opened, the worm copies itself in the system directory under the name scam32.exe. It also copies itself into the directory "Recycled" under the name sirc32.exe, which is a hidden file. Then the virus creates the following three keys in the Windows Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

with the value Driver32 = %System%\scam32.exe to be accessed when Windows starts, and:


with the value C:\Recycled\sirc32.exe "%1" %*" for the routine infection to be executed before any other EXE file.

Therefore, your computer is infected. MY ADVICE TO YOU: never open strange file attachment you never heard. You now learned the lesson!

Removal SirCam virus link for BitDefender software(download removal tool):

