Just wondering if anyone has had any success in splitting the virus and the file that is sent as part of the SirCam worm, or knows of any pointers to sites that can help?
I keep getting these and some of the filenames are very intriguing!
I sincerely doubt any of the files are real.
They are designed especially to intrigue a large number of the people they are sent to.
I've had quite a few come in and they all have different file sizes, so it's definitely not a "standard" attachment.
I've opened some up in a hex editor and had a look through and they do indeed appear to be valid files of type attached.
Also, if you look at the info for the virus, it opens the file using the associated program when it infects your machine.
I may have a further delve into it and write a cleaning tool to retrieve the files, but wanted to know if anyone had beaten me to it first!
Those files are all definitely real. The virus randomly selects a file from your "My Documents" folder and sends it as an infected attachment. It can be Word files, JPEG files, Excel files, etc. I think it does this to create some extra havoc, as well as add some credibility I guess. The virus hasn't gotten through our Exchange servers at work, so I haven't had a chance to play around with the attachments. I may try it later today when I get home.
The file is one large attachment, which is obviously the virus loaded header and the file itself all in one.
It's a case of separating the virus from the file itself.
You could always set up a quarantined machine, download the attachments to the machine, then disconnect it from the network. I've done this before, just to check viruses out, etc. I don't know if you'd have the resources for that or not. Other than that, you may be able to get a virus scanner that can disinfect, instead of delete the file. Any other method is beyond my abilities.
Ok, here's how to remove the file from the virus:
Use a HexEditor and step 512*268 bytes into the file (137216 bytes in total) and chop off this block. The remaining data is the file.
Worked on a .DOC file it sent me :D
Well done antonye. I think I'll check that out if I see any juicy attachments waiting for me :D
I had another one tonight... nice Word DOC all the way from the UAE about a church meeting!
Anyway, I noticed that the virus itself is 512*268 bytes, but it may then pad with what appears to be a random amount of zero characters.
If you open the file up in the hex editor, skip to the 512*268 address, keep chopping until you hit the first non-zero byte. You should easily be able to spot it - Word DOCs start with D0C!!
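The two hex-editor steps described in this thread (chop off the 512*268-byte block, then skip any run of zero bytes until the first non-zero byte) as an added, scripted example. This is not a tool from the thread's posters or from any AV vendor; it takes the body length and the padding behaviour exactly as reported above, and adds a signature check on the carved result so that an attachment from a variant with a different body length fails loudly instead of producing a garbage file. The magic table, the `carve_attachment`/`identify`/`extract_file` names and the sample input are all constructed for this example. Only run this against attachments saved on an isolated machine, and treat the carved document itself as untrusted (it is still a file of unknown origin).

```python
import sys

# Size of the SirCam body as reported in the thread: 512 * 268 = 137216 bytes.
WORM_BODY_LEN = 512 * 268

# Signatures used to sanity-check the carved payload (assumed list for this example,
# not taken from the thread). Word and Excel files of that era are OLE2 compound
# documents, which start with D0 CF 11 E0 A1 B1 1A E1.
MAGICS = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (.doc/.xls)",
    b"\xff\xd8\xff": "JPEG",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF",
}


def identify(data):
    """Return a type name if the data starts with a known signature, else None."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def carve_attachment(blob, body_len=WORM_BODY_LEN):
    """Strip the worm body and any zero padding; return (payload, start_offset).

    Mirrors the two hex-editor steps from the thread: skip body_len bytes,
    then keep skipping while the current byte is zero.
    """
    if len(blob) <= body_len:
        raise ValueError("attachment is not longer than the worm body; nothing to carve")
    offset = body_len
    while offset < len(blob) and blob[offset] == 0:
        offset += 1
    if offset == len(blob):
        raise ValueError("nothing but zero padding after the worm body")
    return blob[offset:], offset


# Constructed sample (not a real capture): a dummy 137216-byte "body", 37 bytes of
# zero padding, then a minimal OLE2-style document so the carve has something to find.
SAMPLE_BODY = b"MZ" + b"\x90" * (WORM_BODY_LEN - 2)
SAMPLE_PADDING = b"\x00" * 37
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8 + b"church meeting minutes"


def build_sample():
    """Assemble the constructed sample attachment."""
    return SAMPLE_BODY + SAMPLE_PADDING + SAMPLE_DOC


def extract_file(in_path, out_path):
    """Carve a saved attachment into out_path; return the detected type (or None)."""
    with open(in_path, "rb") as f:
        blob = f.read()
    payload, offset = carve_attachment(blob)
    kind = identify(payload)
    with open(out_path, "wb") as f:
        f.write(payload)
    print(f"payload starts at offset {offset} (0x{offset:x}), "
          f"{len(payload)} bytes, type: {kind or 'unknown - wrong variant or offset?'}")
    return kind


if __name__ == "__main__":
    if len(sys.argv) != 3:
        # No paths given: run against the constructed sample instead.
        payload, offset = carve_attachment(build_sample())
        print(f"sample: payload at offset {offset}, type {identify(payload)}")
    else:
        extract_file(sys.argv[1], sys.argv[2])
```

Usage: `python carve.py saved_attachment.bin recovered.doc`. If the printed type is "unknown", do not trust the output file: either the attachment is from a variant with a different body length, or the skip-zeros step ran into a document that legitimately starts with zero bytes, and the carve needs to be checked by hand in the hex editor as the thread describes.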