Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Chapter 7: Network worms

SirCam Worm coverage comparison

Kaspersky Symantec McAfee F-secure Sophos TrendMicro Central Command

All information below was collected on Sunday, June 22, 2001. The preface was updated later, but AV description were not. This is important to recreate historical truth about the quality of coverage by AV vendors.

***** Symantec misses some facts provided by Kaspersky description (see below), but get most facts rights and also provide an important information that can be found nowhere else. For example Symantec was one of the few AV vendors that provided information about how worm uses registry keys can help to determine the extent of the damage.  Later they even provided a small downloadable free disinfector for home users. The most important omission is that they hide the fact the worm cannot send any e-mail on Win2000 (and Win NT) systems due to a flaw in the code. They also provided information about Scmx32.exe and office.exe  Startup folder:

7. There is a 1 in 33 chance that the following actions will occur:

**** I-Worm.Sircam, virus description [VirusList.com®] It looks like this time Kaspersky provides a quality information, but it misses the content of registry keys. 

*** F-secure info is decent, but lucks both depth and clarity (They improve is as of July 24).

** Sophos article Sircam - are you protected Sophos information is weak

* McAfee.com - W32-SirCam@MM Help Center Initial McAfee coverage was very weak  Later it was substantially improved and as of July 27 is compatative with Symantac and Kasperski. Still the list of documents that the worm send out is wrong. 

- Nikolai Bezroukov


Kaspersky

http://www.viruslist.com/eng/viruslist.asp?id=4225&key=00001000130000100088

This is a dangerous worm that spreads via the Internet and local network. The worm itself is a Windows application written in Delphi about 130K in size. While spreading, the worm may append to its file an additional DOC, XLS, ZIP and other files (see below), so the attached file length can be more than 130K.

Upon being executed (by a clicking on the attached file for instance), it installs itself into the system, then sends infected messages (with its attached copy), infects local network computers (if there are drives shared for full access), and depending on system date, runs its payload routine.

E-mail Spreading

The worm sends itself from infected machines as an attached file with a variable name and double extension:

filename.ext1.ext2

where "ext1" can be one of the following variants: DOC, XLS, ZIP, or EXE.

The worm from the following variants randomly selects the "ext2" extension: PIF, LNK, BAT, COM. For example:

feb01.xls.pif
normas.doc.bat

The "filename.ext1" comes from the original files that are located on an infected machine. The worm looks for a "ext1" file on a machine and obtains its name as an attach name. The worm then obtains the file contents and appends them to itself, and sends the result. So the infected files that are sent out of an infected machine contain two parts: 1: the worm's EXE code; 2: appended extra data that are a randomly selected DOC/XLS/ZIP/EXE file from an infected machine. This appended file is then used by the worm to disguise its activity (see below).

As a side effect such an "appended file" spreading method may cause confidential info disclosure.

The worm message Subject is "filename" as above (exactly the "filename" of the attached file).

The Body can be in two languages: English and Spanish. The first and last lines of the message body are always the same:

first line: Hi! How are you? Hola como estas ?
last line: See you later. Thanks    Nos vemos pronto, gracias.

The variants of text between these lines are:

I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send to you
This is the file with the information that you ask for

Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informaciСn que me pediste

The worm obtains a victim's e-mail addresses by scanning files that may contain them: SHO*, GET*, HOT*, *.HTM, *WAB, and some others. The result of the search is then stored by the worm in fake DLL files in a system directory:

SCD.DLL file contains list of "ext1" files
SCH1.DLL, SCI1.DLL files contain a list of e-mail addresses located in scanned files.

There can also be SCT1.DLL and SCY1.DLL files found in a system directory, the worm stores additional data there.

Installation to System

The worm copies itself to:

  1. \RECYCLED directory on a Windows drive with the SirC32.exe name, for example:

    C:\WINDOWS\
    C:\RECYCLED\SirC32.exe

  2. Windows system directory with the SCam32.exe name.
  3. Windows directory with the ScMx32.exe name.
  4. Windows start-up directory with the "Microsoft Internet Office.exe" name.

Note that not all these steps are performed by the worm upon the first start-up - some of the files are created there depending on different conditions.

The attributes of all these files are then set to "Hidden".

Two first files then are registered in the system-registry auto-run keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
══Driver32 = %windows system directory%\SCam32.exe

HKCR\exefile\shell\open\command
══SirC32.exe

The worm then extracts an appended "decoy" file (see above) to the Windows TEMP directory, with the "decoy" file having the "filename.ext1" name. The worm then opens this file with WINWORD.EXE or WORDPAD.EXE, EXCEL.EXE, WINZIP.EXE depending on "ext1".

The worm also creates additional registry keys and stores its internal data in here, with the name of the key being HKLM\SOFTWARE\SirCam.

Network Spreading

To spread over a local network, the worm enumerates all network resources (obtains all shared directories on remote machines), and then copies itself to here. If there is a "\recycled" directory in the victim's shared directory, the worm copies itself to this directory with the SirC32.exe name:

\recycled\SirC32.exe

The worm then appends to the end of the AUTOEXEC.BAT file the following command:

@win \recycled\SirC32.exe

If there is a "\Windows" directory, the worm renames the RUNDLL32.EXE file to the RUN32.EXE name, and then overwrites the original RUNDLL32.EXE with its own copy.

The worm then sets hidden attributes to its copies.

Payload

Depending on the system date and time, the worm in one case out of 20, randomly deletes all files in the Windows directory and removes all directories contained here.

Upon each start-up in one case out of 50, the worm randomly creates a SirCam.Sys file in the root of the current drive and writes one of following texts there:

[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
[SirCam Version 1.0 Copyright ╘ 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

It appears to be that the worm writes these texts many times to fill free disk space.

These strings (as well as most of the other text stings) are encrypted in the worm's body.


Symantec

SARC Write-up - W32.Sircam.Worm@mm

Removal instructions:

To remove this worm, you must:


See the sections that follow for detailed instructions.

NOTE: If you are on a network, or have a full time connection to the Internet, disconnect the computer from the network and the Internet. Follow the removal procedure on all computers, including the server. Disable or password protect file sharing before reconnecting computers to the network or to the internet.


To remove the worm:


To empty the Recycle Bin:
Right-click on the Recycle Bin and then click Empty Recycle Bin. You can also use Windows Explorer to delete the file C:\recycled\Sircam.sys if it is present.

To edit the Autoexec.bat file:




To edit the registry:
The worm modifies the registry such that an infected file is executed every time that you to run a .exe file. Follow these instructions to fix this.


Copy Regedit.exe to Regedit.com:
 

1. Type copy regedit.exe regedit.com and press Enter.
2. Type start regedit.com and press Enter.
3. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps.

NOTE: This will open Registry Editor in front of the DOS window. After you finish editing the registry and have closed Registry Editor, close the DOS window.

To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.
 


McAffee

McAfee.com - Virus Information Library

Virus Characteristics:
For detection of W32/SirCam@MM, the LNK extension needs to be present on to the extension list or SCAN ALL FILES must be chosen.

This mass-mailing virus attempts to send itself and local documents to all users found in the Windows Address Book and email addresses found in temporary Internet cached files (web browser cache).

It may be received in an email message containing the following information:

Subject: [filename (random)]
Body: Hi! How are you?

I send you this file in order to have your advice
or I hope you can help me with this file that I send
or I hope you like the file that I sendo you
or This is the file with the information that you ask for

See you later. Thanks

--- the same message may be received in Spanish ---

Hola como estas ?

Te mando este archivo para que me des tu punto de vista
or Espero me puedas ayudar con el archivo que te mando
or Espero te guste este archivo que te mando
or Este es el archivo con la información que me pediste

 

Nos vemos pronto, gracias.

--- end message ---

Attached will be a document with a double extension (the filename varies). The first extension will be the file type which was prepended by the virus. When run, the document will be saved to the C:\RECYCLED folder and then opened while the virus copies itself to C:\RECYCLED\SirC32.exe folder to conceal its presence and creates the following registry key value to load itself whenever .EXE files are executed:

HKCR\exefile\shell\open\command
\Default="C:\recycled\SirC32.exe" "%1" %*

As the RECYCLE BIN is often on the exclusion list, check your settings to insure that this directory IS being scanned.

It also copies itself to the WINDOWS SYSTEM directory as SCam32.exe and creates the following registry key value to load itself automatically:

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Driver32=C:\WINDOWS\SYSTEM\SCam32.exe

A list of .GIF, .JPG, .JPEG, .MPEG, .MOV, .MPG, .PDF, .PNG, .PS, and .ZIP files in the MY DOCUMENTS folder is saved to the file SCD.DLL (the 2nd character of the name appears to be random) in the SYSTEM directory. Email addresses are gathered from the Windows Address Book and temporary Internet cached pages and saved to the file SCD1.DLL (the 2nd and 3rd character of the name appears to be random) in the SYSTEM directory.

The worm prepends a copy of the files that are named in the SCD.DLL file and attaches this copy to the email messages that it sends via a built in SMTP server, using one of the following extensions: .BAT, .COM, .EXE, .LNK, .PIF. This results in attachment names having double-extensions.

The program creates a registry key to store variables for itself (such as a run count, and SMTP information):

HKLM\Software\Sircam

 


Send This Virus Information To A Friend?

Indications Of Infection:
Presence of SCam32.exe in the WINDOWS SYSTEM directory.

Method Of Infection:
This virus sends itself, as an executable, to email recipients found in the Windows Address Book and addresses found in cached files. This executable is appended with a document if one is found in MY DOCUMENTS folder. The mailing routine uses a built in SMTP server and server address found in infected executables. This address is presumably captured from the victim's machine which sent the virus to you. If that server is not in operation, or if relaying is not permitted, the virus attempts to use each of these three servers, stopping when the first successful send occurs.

doubleclick.com.mx
enlace.net
goeke.net

Removal Instructions:
Use specified engine and DAT files for detection and removal.

Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected file's are removed and the System Restore is once again active.

Virus Information:
 

Discovery Date:   7/17/01
Origin:   Unknown
Length:   137,216
Type:   Virus
SubType:   E-mail
Risk Assessment:   Medium

 

F-secure

F-Secure Computer Virus Information Pages Sircam

NAME: Sircam
ALIAS: I-Worm.Sircam, W32.Sircam, W32/SircCam

Sircam is a mass mailing worm about 150 kilobytes in size. When run it copies itself to 'c:\recycled\SirC32.exe' and as 'SCam32.exe' to the windows system directory. The 'SirC32.exe' is registered as default startup command for EXE files so it will run whenever an EXE file is run. The 'SCam32.exe' file is registered as a driver that makes sure it will be started when the system boots up.

The worm collects e-mail addresses from Windows Address Book and Temporary Internet Files to a file called 'scw1.dll' in the system directory.

Another file is then created by the worm. It contains a list of files with certain extensions (e.g. with .DOC, .ZIP, .JPG extensions) located in a user's 'My Documents' folder. Since quite often users keep their personal or company-related documents there, it means that the worm can send out confidential information.

Using its own SMTP engine the worm sends messages the addresses it found. One of the document files is selected from the list and appended to the worm's file. This file will be sent with double extension, for example .DOC.EXE, .ZIP.COM, .JPG.PIF, etc.

When a recipient opens this attachment, his system gets infected and then the included document is displayed. This way the worm's activity is disguised.

Messages sent by the worm look like this (english version):

 


 Subject: Document file name (without extension)
 From: [user_of_infected_machine@prodigy.net.mx]
 To: [random@email.from.address.book]

 Hi! How are you?
 I send you this file in order to have your advice
 See you later! Thanks

If language setting on the infected machine is spanish the worm sends a spanish version of the message:

 Subject: Document file name (without extension)
 From: [user_of_infected_machine@prodigy.net.mx]
 To: [random@email.from.address.book]
 Hola como estas ?

 Te mando este archivo para que me des tu punto de vista
 Nos vemos pronto, gracias.

The second sentence is randomly chosen from four variants.

The attached file has the name of the document the worm picked up from infected computer with double extension, for example filename.DOC.EXE, filename.ZIP.COM, filename.JPG.PIF, etc.

The worm can also spread trough Microsoft Network Shares. It checks all the share available to the infected machine. If there is a '\recycled' directory on the share it tries to infect. First copies itself to '\recycled', and tries to replace '\windows\rundll32.exe' with a copy of itself. The original 'rundll32.exe' is renamed to 'run32.exe'. After that an extra line is added to '\autoexec.bat':

'@win \recycled\SirC32.exe'.

Removal instructions:

If your system is infected with the worm first please download this REG file and install it (by double-clicking on it):

ftp://ftp.europe.f-secure.com/anti-virus/tools/sirc_dis.reg

This will remove the worm's reference from the EXE file startup key in the Registry.

Warning! The system might become unusable if the worm's file is deleted without modifying the EXE file startup key first.

After that the system can be safely disinfected with FSAV. If for some reason the worm's file can't be deleted from Windows (locked file), then you have to exit to pure DOS and delete the worm's file manually or use a DOS-based scanner (F-Prot for DOS for example).

If the workstation was infected trough a network share, the '\windows\run32.exe' file has to be renamed back to '\windows\rundll32.exe' after disinfection. Also the \recycled\SirC32.exe file has to be deleted and extra line in the 'autoexec.bat' should be removed.

[Analysis: Gergely Erdelyi, F-Secure Corp.; July 18th, 2001]


Sophos

Sophos virus analysis W32-Sircam-A

Name: W32/Sircam-A
Aliases: W32.Sircam.Worm@mm, W32/SirCam@mm, Backdoor.SirCam
Type: Win32 worm
Detection: Will be detected by Sophos Anti-Virus September 2001 (3.49) or later. A virus identity (IDE) file is available for earlier versions from the Latest virus identities section.

Sophos has received many reports of this worm from the wild.

Comments: W32/Sircam-A is a network-aware worm. The worm spreads via email and by using open network shares. The worm arrives in an email with a random subject which is identical to the attached filename.

The attached filename is also randomly chosen, but it has a double extension (for instance, .doc.com or .mpg.pif).

If the attachment is opened, the worm copies itself into the Windows System directory with the filename scam32.exe. The worm also copies itself as a file called sirc32.exe to the Recycled files directory with its file attributes set to hidden.

The worm changes the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\Driver32 so that it runs on Windows startup. The registry key HKLM\SOFTWARE\Classes\exefile\shell\open\command is also changed so that the worm runs before any other executable file is opened.

The worm uses the registry key HKLM\Software\SirCam to save data used internally by the worm code.

If the worm finds any open network share, it will attempt to copy itself into the Windows directory on the machine with an open share, with the filename rundll32.exe. The original rundll32.exe file is renamed to run32.exe. If this is successful, the worm changes the file autoexec.bat so that it includes a command to run the worm file previously dropped to the C:\recycled directory.

The worm contains its own SMTP routine which is used to send email messages to email addresses found in the Windows address book and the temporary internet folder, where cached internet files are kept.

Depending on the operating system default language every email message sent by the worm will always contain identical first and last lines.

If the default language is English the first line of the message will be:

"Hi! How are you?"

and the last one will be

"See you later. Thanks".

If the default language is Spanish the first line of the message will be

"Holla como estas ?"

and the last one will be

"Nos vemos pronto, gracias.".

On 16 October there is a 1 in 20 chance that the worm will attempt to delete all files from the hard drive.

Trend Micro

This Trojan propagates via email using SMTP commands. It sends copies of itself to all addresses listed in an infected user's address book. It arrives in an email with a random subject line, and an attachment by the same name. It has no destructive payload.

Solution:
First, restore your system configurations through the registry. To do this:

  1. In the Windows Start Menu, choose Run, type Regedit and then press Enter.
  2. On the left panel, follow the path HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices.
  3. On the right panel, look for the registry value called Driver32.
  4. Click this and press the Delete key.
  5. On the left panel, follow the path HKEY_LOCAL_MACHINE\Software\SirCam.
  6. Click SirCam and press the Delete key.
  7. On the left panel, follow the path HKEY_CLASSES_ROOT\exefile\shell\open\command
  8. On the right panel, right-click on the (Default) value, then choose Modify.
  9. Change “C:\Recycled\SirC32.exe””%1”%*” to “%1” %*". Remove “C:\Recycled\SirC32.exe”.

It is important that steps 7 to 9 be followed before removing the Trojan file or else no executable file will be able to run. If the Trojan is deleted, REGEDIT is no longer accessible. Please rename regedit.exe to regedit.com then execute regedit. Then just follow the step 1-9.If the Trojan is not yet deleted, you can also use the tool fix_sircam.reg. This will remove the Trojan association from the registry.

Once the association is removed restart your system. Scan your system with Trend Micro antivirus and delete all files detected as TROJ_SIRCAM.A. To do this Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro’s free online virus scanner.

If you need further assistance with this solution, please send an email to virus_doctor@trendmicro.com.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

In the wild: Yes
Trigger condition 1: Upon execution
Payload 1: Creates Files
Detected by pattern file#: 917
Detected by scan engine#:  5.170

Language:

English, Spanish
Platform: Windows
Encrypted: No
Size of virus: 137,216 Bytes

Details:
The worm arrives as an attachment to the following email:

Subject: (random subject line, with the same name as the attachment)
Message body: (The body could be either in Spanish or English)
Hi! How are you?

I send you this file in order to have your advice OR I hope you can help me with this file that I send OR I hope you like the file that I send you OR This is the file with the information that you ask for

See you later. Thanks

Attachment: (random filename, with the same name as the subject line)
IN SPANISH:

Hola como estas ?

Te mando este archivo para que me des tu punto de vista OR Espero me puedas ayudar con el archivo que te mando OR Espero te guste este archivo que te mando OR Este es el archivo con la informacion que me pediste

Nos vemos pronto, gracias.

The attachment contains a copy of the worm merged with a randomly chosen file from the sender's computer.

Upon execution, this worm copies itself to a SCam32.EXE in the System directory. It then splits merged files in the attachment and drops these to a SIRC32.EXE file and a <Original filename of the merged file> in the C:\Recycled folder.

To execute every bootup, it creates the below registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\Driver32 = “C:\Windows\System\Scam32.exe”

It modifies the following registry entry:

HKEY_CLASSES_ROOT\exefile\shell\open\command = “”%1”%*”

to the following, to allow this Trojan to run whenever an .EXE file is executed:

HKEY_CLASSES_ROOT\exefile\shell\open\
command = “”C:\Recycled\SirC32.exe” ”%1”%*”

It also creates the following registry key, where it stores data:

HKEY_LOCAL_MACHINE\Software\SirCam

The below are the data it stores:


Central Command

Manually removing a infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you backup all of your data prior to attempting to remove an infection or repair any damage causes by a infection.


Details:
---------
Name: I-Worm.Sircam.A
Aliases: W32.Sircam.Worm@mm, W32/SirCam@mm
Type: Internet Worm (mass mailer)
Risk: Medium


Description:
--------------
I-Worm.Sircam.A is an Internet worm that is spreading itself through e-mail.

The worm arrives through e-mail in the following format:

Subject: (The subject line will be random)
Body: Hi! How are you?
See you later. Thanks
Attachment: (Same as Subject: line + containing a double extension, ie. COM.EXE)

*Note: It might be possible that it will contain additional text in the body of the message between the two lines listed above

When the user opens the attachment, the worm adds the following keys into the registry:

1.) HKCR\exefile\shell\open\command\Default = "c:\recycled\SirC32.exe" "%1" %*"
2.) HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32 = c:\windows\system\SCam32.exe

The first registry key enables the worm to copy the SirC32.exe file to the folder C:\Recycled\ which allows the worm to run after each *.exe file is executed. The second key stores the filename Scam32.exe into the C:\Windows\System folder, which allows the worm to execute automatically.

I-Worm.Sircam.A also uses its own special SMTP routine to send unsolicited email messages to those addresses obtained from a search within the Windows address book, as well as, from the users Temporary Internet folder.

If the virus happens to find a network shared directories, it will try to copy itself into the local Windows directory under the name rundll32.exe. The original file is renamed as run32.exe. If the worm succeeds, it will modify the autoexec.bat file by introducing a new line which will allow it to execute the file previously saved in the Windows directory.

As a “signature” the author added the following strings in the virus in an encrypted form:
[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
[SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]


*There is also a duplicate of this worm in the Spanish language.

The body format of the Spanish e-mail message would contain the lines:
Hola coma estas ?
Nos vemos pronto, gracias


Removal Instructions:
---------------------
Step 1.) Delete all files being detected as I-Worm.Sircam.A, make sure that you also empty the Recycling bin as well

Step 2.) Make the needed modifications to the registry. Run the registry editor, this can be done by clicking the Windows Start button and selecting “Run”. Within the pop-up box type in “regedit”

Then, locate and the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices and delete the key Driver32 (which contains the value “%windows-system%\Scam32.exe”).

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default)
HKEY_LOCAL_MACHINE \Software\Classes\exefile\shell\open\command\(default)
This key should be changed to the value ""%1"%*"

HKEY_LOCAL_MACHINE \Software\SirCam should be entirely deleted (all values contained within).

You can now close the registry.

Step 3.) Restart your computer.

Step 4.) Go back to the Windows Start button and select “Run”.again. This time type the word “command” and press enter. In the command prompt window type the following lines:

C:\> cd Recycled (hit enter)
C:\>Recycled> attrib –h sirc32.exe (hit enter)
C:\>Recycled> del sirc32.exe (hit enter)
C:\>Recycled> cd .. (hit enter)
C:\> cd Windows (hit enter)
C:\Windows\> attrib –h scam32.exe (hit enter)
C:\Windows\> del scam32.exe (type Exit)

To disinfect a networked computer infection, on the infected machine the file \windows\run32.exe should be renamed over the \windows\rundll32.exe (if they exist). Also, from the file autoexec.bat the following line must be deleted:
@win \Recycled\SirC32.exe and the file \Recycled\SirC32.exe should also be deleted



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: May 08, 2017