Saturday, January 21, 2012

How to Manually Remove the SIRCAM Worm Virus


The Sircam virus is a malicious worm created in Delphi that spreads through email and shared network drives. Once on a machine, the worm sends copies of itself to all the email addresses listed in the infected computer's address book and in temporary Internet cached files. The infected email messages have a random subject line and an attachment with the same name. Read on to learn how to remove the SIRCAM worm virus.


Instructions

Manually Remove the SIRCAM Worm Virus


  1. Disconnect your computer from any local area network. This is important because the Sircam virus can spread through shared network drives.
  2. Rename regedit.exe to regedit.com. Open the Search function in the Start menu to find regedit.exe. Click on START and then click SEARCH. Perform a search for "regedit.exe." Right-click the file once you find it, and click on RENAME. Rename the file to "regedit.com." The worm hooks the command Windows uses to open .exe files (see step 6), so Registry Editor is started under a .com name instead.
  3. Click on the START button in the bottom-left corner of your desktop. Click RUN in the Start menu. Type "regedit" and then click "OK." This will open the Registry Editor.
  4. Use the plus signs to navigate to the following registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. Look in the right panel and locate the following registry value: "Driver32." Click on this value and delete it.
  5. Navigate to the following registry entry: HKEY_LOCAL_MACHINE\Software\SirCam. Select the SirCam key and delete it.
  6. Use the plus signs again to navigate to the following registry entry: HKEY_CLASSES_ROOT\exefile\shell\open\command. In the right-hand panel, right-click the "DEFAULT" value and select MODIFY. Change "C:\Recycled\SirC32.exe" "%1" %* to "%1" %*. This will remove "C:\Recycled\SirC32.exe" from the command.
  7. Click on the START button and then click RUN and type in "cmd." Go to the following system directory: C:\Windows\System or C:\Winnt\System32. Type in ATTRIB -S -H -R SCAM32.EXE. This will unhide the Trojan horse. Type in DEL SCAM32.EXE. This deletes the file.
  8. Go to the C:\Recycled folder. Type in ATTRIB -S -H -R SIRC32.EXE. Type in DEL SIRC32.EXE. This will delete the Trojan file.
  9. Remove all references from AUTOEXEC.BAT: Use the Search function to look for autoexec.bat. Open the file and remove the following string: "@win \recycled\Sirc32.exe"
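
The following Python example is an addition to this post, not part of the original instructions. It scans the text of a registry export and of AUTOEXEC.BAT for the leftovers named in steps 4, 5, 6 and 9; the function names, the sample export and the Driver32 data path are constructed for illustration, and the export is assumed to be already decoded plain text in regedit's export format.

```python
import re

# Key paths and value names are the ones listed in the removal steps above.
RUNSERVICES = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
SIRCAM_KEY = r"hkey_local_machine\software\sircam"
EXE_CMD = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXE_CMD = '"%1" %*'

# Constructed sample export of an infected machine (the Driver32 data is assumed).
INFECTED_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

[HKEY_LOCAL_MACHINE\Software\SirCam]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Recycled\\SirC32.exe\" \"%1\" %*"
'''

def parse_reg(text):
    """Parse regedit export text into {key: {value_name: data}}, names lowercased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
            if m:  # string values only; @ is the key's default value
                data = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \" escapes
                current[m.group(1).strip('"').lower()] = data
    return keys

def sircam_findings(reg_text, autoexec_text=""):
    """Return descriptions of SirCam persistence artifacts that are still present."""
    keys, found = parse_reg(reg_text), []
    if "driver32" in keys.get(RUNSERVICES, {}):
        found.append("RunServices value Driver32 present")
    if SIRCAM_KEY in keys:
        found.append("Software\\SirCam key present")
    cmd = keys.get(EXE_CMD, {}).get("@")
    if cmd is not None and cmd.strip() != CLEAN_EXE_CMD:
        found.append("exefile open command is not the default: " + cmd)
    for line in autoexec_text.splitlines():
        if "sirc32.exe" in line.lower():
            found.append("AUTOEXEC.BAT line: " + line.strip())
    return found

print(sircam_findings(INFECTED_REG, r"@win \recycled\Sirc32.exe"))
```

An empty list after the cleanup means none of these four registry and AUTOEXEC.BAT entries remain; the files deleted in steps 7 and 8 are not covered by this check.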



Restore the RUNDLL32.EXE File


  1. Do a search for run32.exe in the Windows folder.
  2. Rename this file to rundll32.exe once you find it. (If it is not found, the worm didn't overwrite RUNDLL32.EXE.)
  3. Reboot your computer after you have completed all of these steps.
  4. Run an up-to-date antivirus program to make sure your computer has been completely cleaned of the SIRCAM virus.


Tips & Warnings

The SIRCAM worm is also called I-Worm.SirCam, W32.Sircam, TROJ_SCAM.A and SCAM.A.


