Dangeruss

EMAIL VIRUS alert

If you've received email from me with the message:

Hi! How are you?
I send you this file in order to have your advice
See you later Thanks

DO NOT OPEN THE ATTACHMENT(s)

I've been infected with an email virus that's mailed all of my skinning contacts. Opening the attachment will infect your Outlook as well.

Norton is not finding any viruses, so I can't ascertain how malicious this is.
Reply #26
Murkworks...I can send my quarantine file...all you need to do is change the suffix for it to be active, but I won't send an active virus anywhere....just let me know...
Pseudo_ez.zip.com and sunken_hvd.zip.com ...I got two....
Reply #27
Ah fk it....make that 3 versions....just got...35_sevene7.zip.pif ....any more and I'll need a bigger hard drive...
Reply #28
My safe files are named .ndp on the suffix, so all that is needed is to delete that for the .com or .pif to be operative....
Reply #30
Anyone checked for info on that major virus site whose name eludes me at the moment (they don't sell software, so I'm not talking about Norton and McAfee or the others)?
Reply #31
Well I did open it up on my home machine.

I got an email from Dangeruss, who is a friend of mine that I correspond with regularly, with an attachment that says "Liquid2" which is a skin he and I collaborated on that recently got 100,000 downloads here. So I thought he was sending me an update on it. I clicked on it.

I heard my hard drive thrashing so I opened up the task list and killed "SirC32.exe" which was using a lot of CPU at the time.

It was right before I went to bed so I turned off my computer. I'm not sure what it did yet (it's my home machine).

And no ess-vid, I don't think it was obvious it was a virus. Getting a skin you worked on with someone in email from them asking an opinion on it is pretty clever.

Anyway, does anyone know specifically what this virus does? I.e. does it delete data or just try to send out email or what? My home machine is off right now and it's behind a firewall anyway but I would still like to know what it does.
Reply #32
From Norton's site:

W32.Sircam.Worm@mm
Discovered on: July 17, 2001
Last Updated on: July 17, 2001 at 10:57:39 PM PST

W32.Sircam.Worm@mm was discovered on July 17, 2001. It contains its own SMTP engine in order to propagate itself similarly to the W32.Magistr.Worm. SARC has received several submissions of this worm from corporate customers. The worm is still being analyzed more in depth and this page will be updated as new information becomes available. SARC will be posting new virus definitions around 3 AM (Pacific) on July 18th.
The worm will arrive in an email with the following content:
The "Subject" of the email will be random and will be the same as the filename of the attachment in the email.
The "Body" of the message will be semi-random but will always contain one of the following two types (either English or Spanish) as the first sentence and the last sentence of the message.

Spanish Version:
TOP LINE: Hola como estas ? (Hi, how are you?)
LAST LINE: Nos vemos pronto, gracias. (See you soon, thanks.)

English Version:
TOP LINE: Hi! How are you?
LAST LINE: See you later. Thanks

In between these two sentences there may be some of the following text.

Spanish Version:
Te mando este archivo para que me des tu punto de vista (I'm sending you this file so you can give me your point of view)
Espero me puedas ayudar con el archivo que te mando (I hope you can help me with the file I'm sending you)
Espero te guste este archivo que te mando (I hope you like this file I'm sending you)
Este es el archivo con la informacion que me pediste (This is the file with the information you asked me for)

English Version:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for

The filenames under which this threat has been submitted so far are:

SirC32.exe
Tech Specs and Financials.doc.com

More information will be posted as soon as it becomes available. Definitions will be available via LiveUpdate later this evening.

Also Known As: W32/SirCam@mm, Backdoor.SirCam

Category: Worm

Virus Definitions: July 17, 2001

Damage:

Payload:
Large scale e-mailing: The worm embeds random documents from the infected PC in itself

Releases confidential info: It will export a random document within the body of the worm
Distribution:

Subject of email: Filename of attachment
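The indicators quoted above (a fixed greeting and sign-off line in English or Spanish, an attachment whose name is also the Subject, and the double extensions posted earlier in the thread such as .zip.com and .zip.pif) are enough to write a mail-gateway rule. The block below is an added example in Python, not code from the thread or from Symantec: the three sample messages are constructed, the addresses are placeholders, and the .lnk/.bat outer extensions are my addition rather than something the thread reports.

```python
"""Flag messages that match the W32.Sircam.Worm@mm indicators quoted above.

Added example: the rules come from the Symantec write-up and the filenames posted in
this thread; the sample messages are constructed here and are not real captures.
"""
from email.message import EmailMessage
import os

def _norm(line):
    """Lower-case, collapse whitespace, and tolerate 'estas ?' vs 'estas?'."""
    return " ".join(line.lower().replace(" ?", "?").split())

# First and last body lines from the Symantec description (both languages), plus the
# no-period variant quoted in the first post of this thread.
TOP_LINES = {_norm("Hi! How are you?"), _norm("Hola como estas ?")}
LAST_LINES = {_norm("See you later. Thanks"), _norm("See you later Thanks"),
              _norm("Nos vemos pronto, gracias.")}

# Outer extensions seen in the thread (.com, .pif) plus .exe from the Symantec list;
# .lnk and .bat are added here because Windows launches them the same way (assumption,
# not from the thread).
EXEC_EXTS = {".com", ".pif", ".exe", ".lnk", ".bat"}
# Inner "document" extensions the posters saw in front of the executable one.
DOC_EXTS = {".doc", ".xls", ".zip"}

def sircam_indicators(msg):
    """Return the list of SirCam indicators present in an EmailMessage."""
    hits = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and _norm(lines[0]) in TOP_LINES:
        hits.append("greeting")
    if lines and _norm(lines[-1]) in LAST_LINES:
        hits.append("signoff")

    subject = _norm(msg["subject"] or "")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, outer = os.path.splitext(name)          # "Liquid2.zip", ".pif"
        inner_stem, inner = os.path.splitext(stem)    # "Liquid2", ".zip"
        if outer.lower() in EXEC_EXTS:
            hits.append("executable-attachment")
            if inner.lower() in DOC_EXTS:
                hits.append("double-extension")
            # Symantec: the Subject is the attachment's filename (without extensions).
            if subject and subject in {_norm(stem), _norm(inner_stem)}:
                hits.append("subject-matches-attachment")
    return hits

def is_sircam_like(hits):
    """Decision rule: worm-style text around an executable, or a disguised executable."""
    text_match = "greeting" in hits or "signoff" in hits
    return ("double-extension" in hits
            or (text_match and "executable-attachment" in hits))

def build_sample(subject, body, attachment_name):
    """Construct a MIME message shaped like the ones in the thread (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "russ@example.invalid"      # placeholder address, not a real one
    msg["To"] = "friend@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 28,  # fake PE header bytes, not the worm
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg

# Constructed samples: the English lure the #31 poster describes, the Spanish lure, and
# a legitimate skin update for comparison.
WORM_EN = build_sample("Liquid2",
    "Hi! How are you?\n\nI send you this file in order to have your advice\n\nSee you later. Thanks\n",
    "Liquid2.zip.pif")
WORM_ES = build_sample("Lista de precios de extensiones de garantia HP 06-01",
    "Hola como estas ?\n\nTe mando este archivo para que me des tu punto de vista\n\nNos vemos pronto, gracias.\n",
    "Lista de precios de extensiones de garantia HP 06-01.doc.com")
LEGIT = build_sample("Liquid2 update",
    "Here is the new build of Liquid2, let me know what you think.\n",
    "Liquid2.zip")

if __name__ == "__main__":
    for label, m in (("worm-en", WORM_EN), ("worm-es", WORM_ES), ("legit", LEGIT)):
        hits = sircam_indicators(m)
        print(f"{label:8} sircam_like={is_sircam_like(hits)} indicators={hits}")
```

The double-extension check stands on its own: a `.doc.com` or `.zip.pif` is worth quarantining even when the body text does not match, which is also why Reply #25's `.ndp` renaming keeps the quarantined copies inert until someone deliberately strips the extra suffix.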
Reply #33
Is there a way to find out what it sent? I don't have anything particularly confidential on there but still.
Reply #34
I already received 3 of them, all coming from Russ; in each of them, the attached files have different names.

1) Tech13_ns (which is one of MY files)
2) Liquid 2
3) PDS 00013

Since yesterday I couldn't detect any problem here.
Reply #35
Wow... pretty strange that it's finding files that are common to users... Maybe it's just a coincidence... or maybe it's a virus like we've never seen before...

Finding file names and changing its own name to camouflage itself... Sending out its little destructive children..

pretty intense...
Reply #36
I just got the Spanish version this morning. Good thing I read the threads here although I hadn't seen anything about the Spanish version until this morning.

Of course I never open anything from someone that I don't know but at least I was extra suspicious due to reading this here.

Mine came from a domain CANTV.NET which, oddly enough, shows the REGISTRAR as TUCOWS.COM but shows the registrant as:

CANTV Servicios
Av. Francisco de Miranda, Centro Lido
Torre E, Piso 9, Oficina. 91-E
Caracas, Miranda 1060
VE

Since it was originally registered on 9-28-96 but modified 7-18-2001 (yesterday), I have to wonder what's going on here.

Odd thing is there is NO IP address available for this domain!
Reply #37
Good grief! What a day I had yesterday dealing with that virus.

Here's the deal: This virus propagates itself in a very sneaky way. It modifies the registry and attaches itself to any .exe command, so whenever you execute a .exe it runs the virus too. This virus sends mail with a random attachment from any .xls, .exe, .zip or .doc file on your HD. It contains its own SMTP protocol, so it acts as its own mail app. It seeks out your address book AND any cached internet files looking for addresses. This means that if you participate in any forums (Devart - WC - others) it gleans addresses from all the participants on those cached pages that contain those user profiles!!! That's why I was sending messages to parties I had never corresponded with.

This caused me a lot of problems because I'm active in several other forums. In particular, a very popular mountain bike forum where I was just lurking for a while. So the virus sent dozens of mails to the participants of this forum, who thought I was spamming the group. I got home to find that I'd been mail bombed by the members of this forum, and reported to my ISP as a Spammer.

I managed to eliminate the virus from my home PC with the help of Norton Anti Virus and several Registry edits. Visit Norton's page for more details on eliminating this virus if you suspect you have it. The catch is - you have to edit the Registry by renaming regedit.exe to regedit.com, since every .exe respawns the virus. Sneaky bastards.

The really crap part is the payload that is deployed on October 16th. It will likely delete the contents of c:\ or regenerate a text file in the recycle bin until all available disk space is consumed.
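The hook Reply #37 describes (every .exe launch runs the worm first) lives in the file-association command for executables, and it can be checked offline against a registry export rather than on the infected machine. The block below is an added example in Python, not code from the thread or from Norton's removal instructions: the two .reg texts are constructed to resemble `reg export` output, and the `C:\recycled\SirC32.exe` path is an assumption used for illustration (the thread only names SirC32.exe).

```python
"""Check a registry export for the .exe association hijack described in Reply #37.

Added example, not from the thread. On a clean Windows install the default value of
HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command is '"%1" %*' (run the file, pass its
arguments); the worm puts its own path in front of that. The two .reg texts below are
constructed to look like `reg export` output; the C:\\recycled\\SirC32.exe path is an
assumption used for illustration.
"""
import re

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Constructed export of a hijacked association (path is an assumption).
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\SirC32.exe \"%1\" %*"
'''

# Constructed export of the stock association.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

def _unescape(value):
    """Undo .reg string escaping (backslash-backslash to backslash, backslash-quote to quote)."""
    return re.sub(r'\\(.)', r'\1', value)

def parse_reg_export(text):
    """Parse the [key] / name="value" lines of a .reg file into {key: {name: value}}.

    The default value (@) is stored under the empty name. Non-string values
    (dword:, hex:) are kept as their raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=("(.*)"|.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            value = _unescape(m.group(4)) if m.group(4) is not None else m.group(3)
            keys[current][name] = value
    return keys

def exefile_command(export_text):
    """Return the command Windows runs for .exe files according to this export, or None."""
    return parse_reg_export(export_text).get(EXEFILE_KEY, {}).get("")

def is_exefile_hijacked(export_text):
    """True when the .exe launcher is anything other than the stock '"%1" %*'."""
    cmd = exefile_command(export_text)
    return cmd is not None and cmd.strip() != CLEAN_EXEFILE_COMMAND

if __name__ == "__main__":
    for label, text in (("hijacked", HIJACKED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(f"{label:9} command={exefile_command(text)!r} hijacked={is_exefile_hijacked(text)}")
```

Take the export with a tool the worm cannot intercept (the poster's regedit.exe to regedit.com rename is one way), since on the infected host every .exe launch goes through the hijacked command first. Restoring the default value to `"%1" %*` is the registry edit Reply #37 refers to; the worm copy itself still has to be removed separately.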
Reply #38
http://www.indefense.com/products/maildefense.html

Russ...this is the proggy which I have, which caught/intercepted the virus without my input....it does not need a signature to detect....relying on suspicious activity, rather than a signature. So for it has caught every virus in the wild, macro, worm, and otherwise.

Give it a look, and check out the main Proggy as well...
Reply #39
so for = so far...... Spell checker
Reply #40
Thanks Paul. I'll DL it and give it a whirl.
Reply #41
Damn I got it twice today ! Thanks Russ, I just remembered your post ...

just for information :

first e-mail :

Subject : Lista de precios de extensiones de garantia HP 06-01 (HP warranty extension price list 06-01)

Content : Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks

second e-mail :

Subject : zrnic

Content : Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks

The two had attached files in *.zip.pif
Reply #42
Sorry, I used the search feature so I wouldn't have to make a new thread.

BradW, I have been getting emails from you for over a month from your Stardock account. All are these virus emails with stuff like document.zip and passwords etc. I tried to reply to one of the first ones a month or so ago so you could be alerted to the problem, but I have received many more since then.

Please take me out of your address book. Thanks.
Glad to see Stardock/WC/GuiOlympics doing so well. :thumbsup:
Chad (aka crumbut)
Reply #43
....

sorry to hear you got hit with it Russ and anyone else who happens to have...

....
Reply #44
Hey Russ, good to hear from you again, even if it's under these circumstances. I hope all is well. Don't blame yourself; these things are being written to target a more personalized user. These, just like spam, are being sent with "hey buddy look at this" and other phrases just to see if they can get you to open it. Heck, they keep trying with my nick. A good rule to follow anymore is: if you get sent an e-mail with a file you weren't expecting, contact the person who sent it to you and verify the e-mail before you open it. I learned this the hard way. Believe me, bro, you're not alone.
Reply #45
You might try McAfee's Stinger, a free stand alone program that deals with several of the most common viruses. It's frequently updated so it may help those who are having problems. Available for download on this page: http://vil.nai.com/vil/stinger/
Reply #46
Crumbut: it may be that someone that had both you and Froggy in their address book was infected. The way these emails work, the sender address can be spoofed, so it doesn't necessarily mean that the sender address was either the source of the email or infected.
Reply #48
http://securityresponse.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html
Reply #49
that'll teach me to read the WHOLE thread!
Reply #50
me also

Snowman pointed it out to me in channel, actually slapped me with a smelly trout! meanie