-
July 25th, 2001, 04:27 AM
#1
SirCam - Retrieve the Sent File?
Just wondering if anyone has had any success in splitting the virus and the file that is sent as part of the SirCam worm, or knows of any pointers to sites that can help?
I keep getting these and some of the filenames are very intriguing!
-
July 26th, 2001, 05:15 PM
#2
Registered User
I sincerely doubt any of the files are real.
They are designed especially to intrigue a large number of the people they are sent to.
-
July 27th, 2001, 02:02 AM
#3
I've had quite a few come in and they all have different file sizes, so it's definitely not a "standard" attachment.
I've opened some up in a hex editor and had a look through and they do indeed appear to be valid files of type attached.
Also, if you look at the info for the virus, it opens the file using the associated program when it infects your machine.
I may have a further delve into it and write a cleaning tool to retrieve the files, but wanted to know if anyone had beaten me to it first!
I'd rather die peacefully in my sleep like my Grandfather,
than screaming in terror like his passengers. Jim Harkins
http://www.Horrible.Demon.co.uk/
-
July 27th, 2001, 06:17 AM
#4
Registered User
Those files are all definitely real. The virus randomly selects a file from your "My Documents" folder and sends it as an infected attachment. It can be word files, JPEG files, excel files, etc. I think it does this to create some extra havoc, as well as add some credibility I guess. The virus hasn't gotten through our exchange servers at work, so I haven't had a chance to play around with the attachments. I may try it later today when I get home.
-
July 27th, 2001, 07:15 AM
#5
The file is one large attachment, which is obviously the virus loaded header and the file itself all in one.
It's a case of separating the virus from the file itself.
-
July 27th, 2001, 08:21 AM
#6
Registered User
You could always set up a quarantined machine, download the attachments to the machine, then disconnect it from the network. I've done this before, just to check viruses out, etc. I don't know if you'd have the resources for that or not. Other than that, you may be able to get a virus scanner that can disinfect, instead of delete the file. Any other method is beyond my abilities.
-
July 27th, 2001, 02:37 PM
#7
Ok, here's how to remove the file from the virus:
Use a HexEditor and step 512*268 bytes into the file (137216 bytes in total) and chop off this block. The remaining data is the file.
Worked on a .DOC file it sent me
-
July 30th, 2001, 09:24 AM
#8
Registered User
Well done antonye. I think I'll check that out if I see any juicy attachments waiting for me
-
July 30th, 2001, 03:16 PM
#9
I had another one tonight... nice Word DOC all the way from the UAE about a church meeting!
Anyway, I noticed that the virus itself is 512*268 bytes, but it may then pad with what appears to be a random amount of zero characters.
If you open the file up in the hex editor, skip to the 512*268 address, keep chopping until you hit the first non-zero byte. You should easily be able to spot it - Word DOCs start with D0C!!
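The carving procedure from posts #7 and #9, as an added Python example that is not from any poster in this thread: it treats the attachment purely as bytes (never executing it), skips the 512*268 = 137216-byte worm body and the variable run of zero padding, and sanity-checks what remains against a few file signatures. The signature table is an assumption added here; the OLE compound-document magic D0 CF 11 E0 A1 B1 1A E1 is the standard header of a binary Word .DOC.

```python
"""Carve the original document out of a SirCam attachment (constructed example)."""
import sys

WORM_BODY_LEN = 512 * 268  # 137216 bytes, the worm body size given in post #7

# Assumed signature table, used only to sanity-check the carved remainder.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound document (.doc/.xls)",
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP container",
}


def carve_attachment(blob: bytes) -> bytes:
    """Return the payload that follows the worm body and its zero padding.

    Raises ValueError when there is nothing recoverable after the worm body.
    Caveat: a document that genuinely starts with 0x00 bytes would lose them,
    since the padding run is stripped up to the first non-zero byte (post #9).
    """
    if len(blob) <= WORM_BODY_LEN:
        raise ValueError("attachment is not longer than the worm body")
    payload = blob[WORM_BODY_LEN:].lstrip(b"\x00")
    if not payload:
        raise ValueError("nothing but zero padding after the worm body")
    return payload


def identify(payload: bytes) -> str:
    """Best-effort file type from the leading bytes, 'unknown' otherwise."""
    for magic, name in SIGNATURES.items():
        if payload.startswith(magic):
            return name
    return "unknown"


def build_sample(doc: bytes, padding: int) -> bytes:
    """Constructed test input: a fake MZ-headed worm body, zero padding, then the document."""
    return b"MZ" + b"\x90" * (WORM_BODY_LEN - 2) + b"\x00" * padding + doc


if __name__ == "__main__":
    # Usage: python carve.py attachment.bin  (reads the attachment as data only)
    with open(sys.argv[1], "rb") as fh:
        carved = carve_attachment(fh.read())
    print(f"carved {len(carved)} bytes, looks like: {identify(carved)}")
    with open(sys.argv[1] + ".carved", "wb") as out:
        out.write(carved)
```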