W32/SirCam@MM
How can my computer get the SirCam virus?
SirCam is spread through e-mail attachments. The virus sends e-mails to everyone in the Windows Address Book, as well as all of the e-mail addresses it finds in downloaded web pages on the hard drive of an infected machine. This virus attaches an image file or document from the machine’s C:\My Documents folder, and opening this attachment will cause your computer to become infected. Usually the body of the message will look something like this:
Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
The subject of the message is the file that is being sent as an attachment.
How do I know if my computer is infected with the SirCam virus?
There are several symptoms that would indicate that you have this virus. The first is a file called Scam32.exe located in the C:\Windows\System directory on your computer. Another common symptom is that your computer hangs at startup, and you are unable to launch any programs. In this case, if you press CTRL-ALT-DELETE and enter the Windows Task Manager, there should be a process called SirC32.exe (Not Responding).
How can I get rid of SirCam?
Cleaning SirCam off of your computer involves modifying the Windows registry. Please only attempt this if you are comfortable working with the registry. It is also a good idea to back up the registry before making any changes. For me, getting rid of SirCam comes in three major steps.
Step 1: Getting your Windows PC to stop hanging.
This can be the most difficult step, and may require much patience. The best thing I have found is to launch Windows without logging in, and often SirCam won’t hang your PC if you skip the login. Then you can move on to the second step. If that doesn’t work, try going into the Windows Task Manager (CTRL-ALT-DELETE), and trying to get the process SirC32 to stop from there. This could cause your computer to freeze for a while, and has required a lot of patience on my part in the past. If you take this route, you will then have to go into “My Computer” and change the name of the file C:\Windows\Regedit.exe to C:\Windows\Regedit.com.
Step 2: Editing the Registry.
Now you must edit the registry, so that SirCam will not execute whenever you run an executable program. Start out by typing “regedit” in Start -> Run (or “regedit.com”, if you changed the name of the file in the previous step). You can then back up your existing copy of the registry. There are three keys that you need to change.
Key 1:
HKEY_CLASSES_ROOT\exefile\shell\open\command
Change the value of Default to "%1" %* from
"C:\RECYCLED\SirC32.exe" "%1" %*
Key 2:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Delete the value “Driver32”
Key 3:
Delete the key HKLM\Software\Microsoft\SirCam
Step 3: Cleaning out the Virus.
Now you are ready to get SirCam off of your machine. First reboot your machine, and then log into the SMC network. Then make sure that you have the latest anti-virus software on your computer. You can either upgrade your current installation of McAfee VirusScan by running the latest sdat file from P:\Software Distribution, or you can install the latest version of VirusScan by following these instructions. Then go to Start -> Programs -> Network Associates -> VirusScan, to launch a new scan. Make sure that VirusScan is set to scan all files on your C:\ drive, and under the “Action” tab, you have selected “Clean infected files automatically”. Now just let VirusScan run for a while, and your computer should then be cleaned.
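To confirm that the three registry changes from Step 2 took effect, you can export the registry from regedit to a text file and check the export. The script below is an added example, not part of the original instructions; it assumes a REGEDIT4-style text export, and the sample export inside it is constructed for illustration.

```python
import re

# Registry locations from Step 2, written out the way a regedit export spells them.
EXE_OPEN = r"HKEY_CLASSES_ROOT\exefile\shell\open\command".lower()
RUN_SERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices".lower()
SIRCAM_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\SirCam".lower()
CLEAN_OPEN = '"%1" %*'  # the Default value that Step 2 restores
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Constructed sample of an export from an infected machine (not captured data).
INFECTED_SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\RECYCLED\\SirC32.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\Scam32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\SirCam]
'''

def unescape(s):
    """Strip the outer quotes of a .reg string and undo its backslash escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key path: {value name: data}}; names lowercased, '' is Default."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)).lower()
            current[name] = unescape(m.group(2))
    return keys

def sircam_findings(text):
    """List which of the three Step 2 registry changes are still outstanding."""
    keys, findings = parse_reg(text), []
    opener = keys.get(EXE_OPEN, {}).get("")
    if opener is not None and opener != CLEAN_OPEN:
        findings.append("exefile open command is " + opener)
    if "driver32" in keys.get(RUN_SERVICES, {}):
        findings.append("RunServices still has the value Driver32")
    if any(k == SIRCAM_KEY or k.startswith(SIRCAM_KEY + "\\") for k in keys):
        findings.append("key HKLM\\Software\\Microsoft\\SirCam still exists")
    return findings

if __name__ == "__main__":
    print("\n".join(sircam_findings(INFECTED_SAMPLE)) or "no SirCam registry changes found")
```

An empty result means none of the three registry changes remain; it does not replace the VirusScan run in Step 3, which removes the virus files themselves.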