Technical Details
In the wild: Yes
Trigger condition 1: Upon execution
Payload 1: Deletes files (propagates via email and shared network drives)
Detected by pattern file#: 917
Detected by scan engine#: 5.170
Language: English, Spanish
Platform: Windows
Encrypted: No
Size of virus: 137,216 Bytes
Details: This worm arrives as an email attachment with two extension names (i.e. FNAME.EX1.EX2). FNAME.EX1 is a random file chosen from the infected user's personal folder, whose path is stored in the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Personal
EX2 can be .LNK, .EXE, or .PIF. The infected email arrives in English or Spanish as follows:
Subject: (name of attached file)
Message Body:
ENGLISH: Hi! How are you? I send you this file in order to have your advice See you later. Thanks
SPANISH: Hola como estas ? Te mando este archivo para que me des tu punto de vista Nos vemos pronto, gracias.
Attachment: (FNAME.EX1.EX2)
Line 2 of the message can also be any of the following:
ENGLISH:
I hope you like the file that I sendo you
This is the file with the information that you ask for
I hope you can help me with this file that I send
SPANISH:
Este es el archivo con la informacion que me pediste
Espero te guste este archivo que te mando
Espero me puedas ayudar con el archivo que te mando
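The lure described above has a fixed shape (subject equal to the attachment name, a double-extension attachment ending in .LNK, .EXE or .PIF, and a body assembled from a small set of English or Spanish lines), which makes it straightforward to flag at a mail gateway. The following Python classifier is an added example, not code from this entry or its vendor; it encodes only the patterns quoted above, and the sample messages at the bottom are constructed for illustration.

```python
"""Heuristic classifier for the email lure described in this entry (added example)."""
import re
from dataclasses import dataclass, field

# Message lines quoted in the entry, lower-cased. "sendo" is the worm's own typo and is kept.
LURE_PHRASES = (
    "hi! how are you?",
    "i send you this file in order to have your advice",
    "i hope you like the file that i sendo you",
    "this is the file with the information that you ask for",
    "i hope you can help me with this file that i send",
    "see you later. thanks",
    "hola como estas ?",
    "te mando este archivo para que me des tu punto de vista",
    "este es el archivo con la informacion que me pediste",
    "espero te guste este archivo que te mando",
    "espero me puedas ayudar con el archivo que te mando",
    "nos vemos pronto, gracias",
)
# Final extensions (EX2) the entry lists.
EXECUTABLE_EXTENSIONS = {"lnk", "exe", "pif"}
# FNAME.EX1.EX2: a base name followed by exactly two extensions.
DOUBLE_EXTENSION = re.compile(r"^(?P<fname>.+)\.(?P<ex1>[^.\s]+)\.(?P<ex2>[^.\s]+)$")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def _normalise(text: str) -> str:
    """Collapse whitespace and lower-case so line breaks in the body do not matter."""
    return re.sub(r"\s+", " ", text).strip().lower()


def classify_message(subject: str, body: str, attachment: str) -> Verdict:
    reasons = []
    attachment = attachment.strip()
    match = DOUBLE_EXTENSION.match(attachment)
    double_ext = bool(match) and match.group("ex2").lower() in EXECUTABLE_EXTENSIONS
    if double_ext:
        reasons.append(f"double extension ending in .{match.group('ex2').upper()}")
        # The subject is the attached file's name, with or without the final extension.
        carried = f"{match.group('fname')}.{match.group('ex1')}".lower()
        if _normalise(subject) in (attachment.lower(), carried):
            reasons.append("subject equals attachment name")
    hits = [p for p in LURE_PHRASES if p in _normalise(body)]
    if hits:
        reasons.append(f"{len(hits)} known lure phrase(s)")
    # Require both the attachment shape and at least one lure line to avoid
    # flagging every double-extension file or every "how are you" message.
    return Verdict(double_ext and len(hits) >= 1, reasons)


# Constructed sample messages (not real captures).
SAMPLE_ENGLISH = (
    "Budget2001.xls",
    "Hi! How are you?\n\nI hope you like the file that I sendo you\n\nSee you later. Thanks",
    "Budget2001.xls.pif",
)
SAMPLE_SPANISH = (
    "foto.jpg",
    "Hola como estas ?\n\nTe mando este archivo para que me des tu punto de vista\n\nNos vemos pronto, gracias.",
    "foto.jpg.lnk",
)
SAMPLE_BENIGN = ("Report", "Please find the report attached.", "report.doc")

if __name__ == "__main__":
    for sample in (SAMPLE_ENGLISH, SAMPLE_SPANISH, SAMPLE_BENIGN):
        print(sample[2], classify_message(*sample))
```

The classifier deliberately requires two independent signals (attachment shape plus lure text) so that a legitimate message that happens to carry a double-extension file is reported with reasons but not blocked on its own.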
The attachment is a copy of the worm merged with a randomly chosen file from the sender's computer. When opened, it copies the worm to two hidden files: SCAM32.EXE in the System directory and SIRC32.EXE in the Recycled folder.
The worm adds the following registry value so that it executes at every Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Driver32 = "%systemdir%\Scam32.exe"
It modifies the following value so that it executes whenever an .EXE file is run:
HKCR\exefile\shell\open\command = "C:\Recycled\SirC32.exe" "%1" %*
It also creates the following registry key, where it stores its data:
HKLM\Software\SirCam
To hide its malicious activities, it extracts the appended host file to the Temp and Recycled folders, then opens it with the application associated with its type (.DOC with MS Word or WordPad, .XLS with MS Excel, .ZIP with WinZip). The location of the Temp folder varies with the computer's settings; infected users can run the "set" command at the command prompt to check its actual path.
The worm then searches files that may contain email addresses, such as .WAB (Windows Address Book) and .HTM files, and sends emails to the addresses it finds. The host file appended at the end of the worm may be a .DOC, .XLS, or .ZIP file taken from the folder specified in the following entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Personal
It saves the path and filename of host files to the SCD.DLL file, and the email addresses it has gathered to SC??.DLL files (e.g. SCI1.DLL and SCW1.DLL). All of these are hidden and saved in the Systemdir (C:\Windows\System) directory. The worm also stores in the registry the number of email addresses gathered.
To propagate, it tries to connect to the server that sent the infected email. If this fails, it tries to connect to three other email servers whose addresses are stored within the worm body and are random in nature. Upon connection, it uses a stored list of SMTP commands to compose and send mail over the Internet.
To infect via shared drives, it lists all existing network connections. If it finds a folder with write access, it searches for the Recycled folder within it and copies itself there as SIRC32.EXE. If it finds an AUTOEXEC.BAT file in the folder, it opens this file and appends the line:
@win\recyled\sirc32.exe
It also searches the shared folder for a Windows directory, then copies RUNDLL32.EXE to RUN32.EXE and itself to RUNDLL32.EXE.
When a computer is infected via the network, the worm activates only upon reboot. NT-based OS are safe from this type of attack.
Occasionally, it copies itself to files other than SIRC32.EXE, SCAM32.EXE, or RUNDLL32.EXE. When executed, it deletes all files and folders in the system. Not all files in the default Windows folder are erased, since some may be in use at the time.
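The persistence entries, dropped files, harvested-address files and AUTOEXEC.BAT modification listed in this entry form a compact set of host indicators. The following Python check is an added example, not a tool from this entry or its vendor: it takes a registry snapshot and a file listing (as plain dictionaries, so it runs offline) and reports which of the described artifacts are present. It assumes Systemdir is C:\Windows\System as stated above, that the default .EXE handler value is "%1" %*, and the sample snapshots at the bottom are constructed, not taken from a real machine.

```python
"""Check a host snapshot for the artifacts described in this entry (added example)."""
import fnmatch

# Registry locations from the entry, lower-cased for case-insensitive matching.
RUN_SERVICES_KEY = r"hklm\software\microsoft\windows\currentversion\runservices"
EXEFILE_COMMAND_KEY = r"hkcr\exefile\shell\open\command"
SIRCAM_DATA_KEY = r"hklm\software\sircam"
# Stock handler for .EXE files; any other value means the file association was altered.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
# Dropped files; Systemdir is assumed to be C:\Windows\System as the entry states.
DROPPED_FILES = (
    r"c:\windows\system\scam32.exe",
    r"c:\recycled\sirc32.exe",
    r"c:\windows\system\scd.dll",   # host-file path list
    r"c:\windows\run32.exe",        # renamed RUNDLL32.EXE on network-infected hosts
)
HARVESTED_ADDRESS_FILES = r"c:\windows\system\sc??.dll"  # e.g. SCI1.DLL, SCW1.DLL
AUTOEXEC = r"c:\autoexec.bat"


def check_host(registry: dict, files: dict) -> list:
    """registry: {key_path: {value_name: data}}, where "" names the default value.
    files: {path: text content or None}. Returns human-readable findings."""
    reg = {k.lower(): {n.lower(): str(d) for n, d in v.items()} for k, v in registry.items()}
    fs = {p.lower(): c for p, c in files.items()}
    findings = []

    driver32 = reg.get(RUN_SERVICES_KEY, {}).get("driver32", "")
    if "scam32.exe" in driver32.lower():
        findings.append(f"RunServices\\Driver32 starts the worm: {driver32}")

    exe_cmd = reg.get(EXEFILE_COMMAND_KEY, {}).get("", DEFAULT_EXEFILE_COMMAND)
    if exe_cmd.strip() != DEFAULT_EXEFILE_COMMAND:
        findings.append(f".EXE handler altered: {exe_cmd}")

    if SIRCAM_DATA_KEY in reg:
        findings.append("HKLM\\Software\\SirCam data key present")

    for path in DROPPED_FILES:
        if path in fs:
            findings.append(f"dropped file present: {path}")
    for path in fs:
        if fnmatch.fnmatchcase(path, HARVESTED_ADDRESS_FILES):
            findings.append(f"harvested-address file present: {path}")

    autoexec = fs.get(AUTOEXEC) or ""
    if "sirc32.exe" in autoexec.lower():
        findings.append("AUTOEXEC.BAT launches sirc32.exe")
    return findings


# Constructed snapshots for demonstration (not captured from a real host).
INFECTED_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "Driver32": r"C:\WINDOWS\SYSTEM\Scam32.exe"},
    r"HKCR\exefile\shell\open\command": {"": r'"C:\Recycled\SirC32.exe" "%1" %*'},
    r"HKLM\Software\SirCam": {},
}
INFECTED_FILES = {
    r"C:\WINDOWS\SYSTEM\SCAM32.EXE": None,
    r"C:\Recycled\SIRC32.EXE": None,
    r"C:\WINDOWS\SYSTEM\SCD.DLL": None,
    r"C:\WINDOWS\SYSTEM\SCI1.DLL": None,
    r"C:\AUTOEXEC.BAT": "@win\\recyled\\sirc32.exe\r\n",
}
CLEAN_REGISTRY = {r"HKCR\exefile\shell\open\command": {"": '"%1" %*'}}
CLEAN_FILES = {r"C:\AUTOEXEC.BAT": "@ECHO OFF\r\n", r"C:\WINDOWS\RUNDLL32.EXE": None}

if __name__ == "__main__":
    for label, reg, fs in (("infected", INFECTED_REGISTRY, INFECTED_FILES),
                           ("clean", CLEAN_REGISTRY, CLEAN_FILES)):
        print(label, check_host(reg, fs))
```

On a live system the two dictionaries would be filled from the registry and a directory walk; the .EXE handler check is worth keeping even after cleanup, because restoring that value is what lets .EXE files run again once SirC32.exe is removed.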