
 


SCAM32.EXE PROCESS INFORMATION

Process Name  : Scam32.exe

Process Path : %WINDOWS%\Scam32.exe [ C:\Windows\Scam32.exe ]

Process type    : Internet Worm

Malware Name : W32.SirCam.Worm@mm

Alias             : I-Worm.SirCam, W32.SirCam-A, WORM_SIRCAM.A

Threat level : Low

Process Details :

                     Scam32.exe is the main component dropped by W32.SirCam.Worm@mm. It is a mass-mailing worm that uses e-mail addresses stored in the Windows Address Book and also collects addresses from the temporary Internet folder to distribute infected messages. SirCam is also a network-aware worm: it searches for network shares and infects them too. The SirCam worm is also known as I-Worm.SirCam, W32.SirCam.Worm, W32.SirCam or WORM_SIRCAM.A.

                     SirCam arrives as an e-mail attachment; the message subject and body vary randomly, but the first and last lines of the message body are always the same. The worm file carries two extensions: the first is DOC, XLS, ZIP or EXE, and the second is selected randomly from PIF, LNK, BAT or COM. The mail subject and body will be in English or Spanish.

First Line: Hi! How are you?
Last Line: See you later. Thanks

                     When sending the infected message, the worm appends a file from the local system to disguise itself from the user. The infected attachment has a double extension, such as secret.doc.pif or compress.zip.bat. The worm e-mails the infected files using its own SMTP engine.
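The message traits described above (fixed first and last body lines, a double-extension attachment name) can be checked at a mail gateway. The Python sketch below is an added example, not code from the original page or from Solo; the function name and the sample message are constructed for illustration, and only the English body lines quoted above are matched.

```python
import re
from email import message_from_string

# Extension pairs named in the description: DOC/XLS/ZIP/EXE followed by PIF/LNK/BAT/COM.
DOUBLE_EXT = re.compile(r"\.(doc|xls|zip|exe)\.(pif|lnk|bat|com)$", re.IGNORECASE)
FIRST_LINE, LAST_LINE = "Hi! How are you?", "See you later. Thanks"

# Constructed sample message (not a captured one); addresses and boundary are placeholders.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: secret
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hi! How are you?
(middle text varies)
See you later. Thanks
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="secret.doc.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def sircam_indicators(raw_message):
    """Return the SirCam traits (as described on this page) found in one message."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and DOUBLE_EXT.search(name.strip()):
            hits.append(f"double-extension attachment: {name}")
        elif part.get_content_type() == "text/plain" and not name:
            # Compare only the first and last non-empty body lines; the rest varies.
            payload = part.get_payload(decode=True) or b""
            lines = [l.strip() for l in payload.decode("latin-1").splitlines() if l.strip()]
            if lines and lines[0] == FIRST_LINE and lines[-1] == LAST_LINE:
                hits.append("fixed first/last body lines")
    return hits

if __name__ == "__main__":
    print(sircam_indicators(SAMPLE))
```

Either trait alone is weak evidence; a message showing both matches the description closely enough to quarantine for review.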

                     If the infected e-mail attachment is executed, the worm code runs first. It copies itself to the file SCam32.exe in the Windows folder. The worm also drops Sirc32.exe in the Recycle Bin with the hidden attribute set. After that it launches the corresponding application. The worm is loaded automatically by changing the following keys in the registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Driver32

HKEY_CLASSES_ROOT\exefile\shell\open\command

                     Then it searches for network shares; if one is found, it copies itself to the file RUNDLL32.EXE. The original RUNDLL32.EXE file is renamed to RUN32.EXE. It also adds the entry @win \recycled\SirC32.exe to AUTOEXEC.BAT to load itself on the next startup.

                     The SirCam worm contains destructive payloads. When the payload is activated, SirCam will delete all files and directories. Because it distributes files from the system when sending infected attachments, the infected user may lose confidential information.

How can I protect my system?

                   Solo has incorporated SCam32.exe in its signature file to protect users from this worm attack. Registered users of Solo Antivirus are already protected from this worm. Make sure that you have installed the registered version of Solo Antivirus to protect you from all virus threats.

How to remove SirCam worm?

                   You can check the system manually. W32.SirCam.Worm@mm creates the file "SIRC32.EXE" in the Recycled folder. The presence of this file means you are infected with this worm.

                   The SirCam worm changes registry keys when infecting the machine, and these should be fixed before deleting the main worm file "SIRC32.EXE" stored in the Recycled folder.

                   If you are already infected with the SCam32.exe process, you can remove it from your computer using Solo Antivirus software. Solo Antivirus can detect and remove W32.SirCam.Worm@mm safely. Use the following link to download a 30-day trial version of Solo Antivirus to remove viruses from your computer.

                   Solo Antivirus not only scans for all viruses; it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, and boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link