EMAIL VIRUS alert

The email attachment has put a file named "SirC32.exe" into my c:\recycled folder. It keeps trying to access the internet whenever i'm connected.....i have a firewall, that's how I know!

If I look at the directory from explorer it says that it's empty?...if I look at the directory from dos it says it's empty?....if i look at the directory from my virus checker i can see it but there's no delete function in the program.....if i try to move the file from within dos (even though i can't see it) i get the cannot move - permission denied error...

...can someone tell me how to delete this file?...please

Uh... you do realise that message has "HELLO I AM A VIRUS ARE YOU A SUCKER?" written all over it, right? Shame you got infected, but you're not a newb, Russ, so you should have seen that one coming.

PS: Norton is butt. Try AVP (it seems popular amongst some techies that use virus software).

ess-vid,

Russ must get about 100 e-mails a day asking for his advice. Russ is a good guy in this community and would help anyone here. Can you not expect him to open an e-mail and do what he did?

All it takes is one click on a file... anyone could have done it...

Russ, I got it here from you, my Norton didn't detect it either, i tried to open, because I was familiared with the file's name, but I couldn't open.
Untill now, nothing wrong...let's see later. =/

c:\recycled? How about clearing your trash can then?

I got 4 emails with same msg and one was from Russ.

I did not open the file.

damn this is not funny

Well aware of the circumstances, Buzz. I'm not really -condemning- him for what he did, just pointing out that he really needs to be more observant and/or practice better policies for email handling. For example, any email that I get from an unknown person, or someone known to use html email (evil stuff, that) is checked pure ascii (outlook express users: do this by right clicking the mail, select properties, go to the details tab, and click "Message Source"... you get all of the headers, and the body plus any attachments in pure ascii) before it is opened normally, then if there's any attachments, only those from known sources are checked, and no executable filetypes are checked, regardless of sender. It takes marginally longer, yes, but it's worth the effort to keep one's system clean and stable.

Don't get me wrong, even though I did giggle a bit when I read this (I mean, it -is- pretty much a big red "I AM A VIRUS" sign... the "look it's porn" emails are not the only hallmark of carrier emails, after all), I do feel bad for the guy (I may be an ass, but I'm not a jerk =P )... but he's always struck me as someone at least a little knowledgable in system maintenence, in which case he really should have spotted that.

Well, I can't find any information on this virus whatsoever. Must be brand new?

Anyway, I never run attachments either. I can't afford the 'luxury' of having my production machine infected. I also always scan downloads for viruses, even if they come from known sources.

I think I have helped Trans with his...
I got the email, but have an intelligent Virus proggy which intercepted it and deleted it for me...if anyone wants it...its in my quarantine directory...

Trans is still having trouble....looks like it is a feisty little critter...

i've deleted the file in question (and the file that seems to respawn it) but now all my .exe want to open with sirc32.exe instead of rundll32.exe (i think that's right, yeah?) and there's no way of changing it (the edit button is greyed out) ???

hmmmmm......why did i look at that email from Russ (i'm REALLY not blaming you russ, it was my own fault!!!!)

...the saga continues

This is why Outlook is dubbed Lookout by most of my friends and we all use better stuff. OKay okay, I'm not helping. Guess the thing to do is boot from your bootflop and sort things out, right?

Russ, what I would like to know is, why was I in your list of contacts? I've never had any contact with you in any shape or form, yet I'm in your e-mail address book! Hmmmmm.........

Boxxi-
I'm getting returns and mail failures from addresses that are not in my address book. This seems to also scan the internet cache looking for email links that have been cached and hits them too.

I received it, but fortunately deleted it without opening the attachment. I guessed that Russ's english could do better than "I send you this file in order to have your advice".

Russ, and eveybody, Norton detects it, but make sure you have just updated your file definitions. Norton tells me it's the W32.Sircam.Worm@mm virus.
Read what Norton says about it: http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html

The name of the virus was interpreted as an email address by the script in the messageboard...
OK the name of the virus is W32.Sircam.Worm @ mm (without the spaces.)

Heck and the link too isn't right... Here it is again:
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm @ mm.html (without the spaces before and after the at sign)

Grrrr!! Here it is again without the http stuff:
www.symantec.com/avcenter/venc/data/w32.sircam.worm @ mm.html (again, remove the spaces before and after the at sign)

OK, Paxx...I'm off to check that out....I'm still trying to help Trans....he's in a bit of a mess....my virus proggy doesn't care what the virus is, and doesn't know....just reacts to the threat and kills it....no signature is needed, just the 'activity'....clever but ignorant at the same time, so, although it can catch it, it hasn't a clue what it is....

Well..that explains it...it's a bloody brand-new one....I think it's fair to say that anyone could have been caught by this....it ain't 24 hrs old....

the virus has respawned....of course....if you run regedit.exe, then do a search for "sirc32" you should know if you have it or not!

...all that has happened for me is that every time i open an .exe file (eg- a program) it tries to access the internet???....i should add that this only happens when you are connected to the net.

I have blocked it's access to the net from here, so hopefully when more information is known about this i'll be able to get rid of it safely :/

If anyone still has an email with the virus could you please forward it to me. I want to test it against our companies AntiVirus software. I want to see if InoculateIT will catch it. Thanks. Email.

Ooops. That should be themurkworks@yahoo.com.

>I have blocked it's access to the net from here

...what i mean there is i've blocked it with a firewall from (only) my computer


...carry-on ppl