The Mudcat Café TM
Thread #36826   Message #512205
Posted By: Bill D
21-Jul-01 - 06:24 PM
Thread Name: Virus Alert Please Read
Subject: RE: Virus Alert Please Read
Funny, Symantec/Norton is not answering right now, but here is a cut-n-paste from AVG about the virus

Another mass mailing worm started to spread. It is a 134kB "whale", written in Delphi.

Judging from encoded texts it comes from Mexico:

[SirCam Version 1.0 Copyright (c) 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]

The text is even included in following "diet" version:

[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]

It sends itself by an email with the subject containing the name of an attached file and the body composed from the following sentences:

Hi! How are you?
See you later. Thanks
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I sendo you
This is the file with the information that you ask for

If user's preferred language in Windows is Spanish, the worm can adapt itself to the fact:

Hola como estas ?
Nos vemos pronto, gracias.
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informacion que me pediste

The attached file is created from the main worm body and a randomly selected file (an archive, a document or an executable) coming from the infected computer. The original name of the file is preserved; the worm just attaches another extension (pif, lnk, bat and com) to it.

When run, the worm copies itself to various folders under different names:

SirC32.exe, SCam32.exe, SirC32.exe, ScMx32.exe, Microsoft Internet Office.exe and rundll32.exe

Then the worm re-creates the copy of the carrier file and, if it is an EXE file, it is instantly run. For other file types it tries to locate the corresponding application for opening the file: WinZip for .zip files, Excel for .xls files and WinWord (or WordPad) for .doc files.

The worm tries to ensure that it is regularly run by creating a value 'Driver32' in the registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\

and by a modification of the key

HKCR\exefile\shell\open\command (the same trick as I-Worm/PrettyPark).

Like the majority of new viruses, this one can spread itself to shared folders on the local network. It prefers the folders \recycled and \windows on network-mapped disks and secures its re-run by writing a line @win with a link to the virus file to the file \autoexec.bat or by replacing the system file rundll32.exe with its own copy.
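A defender-side check for the persistence changes the pasted AVG text describes, as an added example that is not part of the original post or of AVG's tooling. It parses a constructed .reg-style export and an autoexec.bat fragment (both sample data, assumed) and flags the 'Driver32' value under RunServices, a non-default exefile open command, and an @win line.

```python
# Constructed sample of a .reg-style registry export (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\recycled\\SirC32.exe\" \"%1\" %*"
"""

# Constructed autoexec.bat fragment with the @win line the advisory describes.
SAMPLE_AUTOEXEC = "@echo off\n@win \\recycled\\SirC32.exe\nSET PATH=C:\\WINDOWS\n"

RUN_SERVICES = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES"
EXEFILE_OPEN = r"HKEY_CLASSES_ROOT\EXEFILE\SHELL\OPEN\COMMAND"
DEFAULT_EXE_OPEN = '"%1" %*'   # stock value: launch the .exe itself with its arguments


def parse_reg(text):
    """Parse a .reg-style export into {KEY: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()          # registry key names are case-insensitive
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            # Strip the surrounding quotes and undo .reg escaping of \" and \\.
            data = data.strip().strip('"').replace('\\"', '"').replace('\\\\', '\\')
            keys[current][name.strip('"')] = data
    return keys


def check_sircam(reg_text, autoexec_text):
    """Return findings for the three persistence tricks described in the advisory."""
    findings = []
    reg = parse_reg(reg_text)
    run_services = reg.get(RUN_SERVICES, {})
    if "Driver32" in run_services:
        findings.append(f"RunServices 'Driver32' -> {run_services['Driver32']}")
    exe_open = reg.get(EXEFILE_OPEN, {}).get("@", DEFAULT_EXE_OPEN)
    if exe_open != DEFAULT_EXE_OPEN:                # PrettyPark-style exefile hijack
        findings.append(f"exefile open command hijacked -> {exe_open}")
    for line in autoexec_text.splitlines():
        if line.strip().lower().startswith("@win"):
            findings.append(f"autoexec.bat runs: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in check_sircam(SAMPLE_REG, SAMPLE_AUTOEXEC):
        print(finding)
```

On a real machine the .reg text would come from a registry export of the two keys and the autoexec.bat from the boot drive; a clean system yields an empty list.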