***********************************************
FIX_SIRCAM
Version 1.10
Copyright (c) 1987-2000 Trend Micro, Inc.
http://www.antivirus.com
***********************************************

***********************************************
I   Description
II  Requirements
III How to use
IV  Notes
***********************************************

***********************************************
I Description

This tool is designed to clean a system that has been infected by
TROJ_SIRCAM.A, without having to restart the system in MS-DOS mode.

The tool is able to:

1. Delete the memory-resident portions of the trojan.
2. Delete the files dropped by the trojan
   (e.g. C:\RECYCLED\SIRC32.EXE, %SYSTEM%\SCAM32.EXE, etc.).
3. Remove the registry entries created by the trojan, in particular:
   HKEY_LOCAL_MACHINE\Software\SirCam
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32
4. Fix one of the registry keys that associates the worm with the
   execution of other programs:
   HKEY_CLASSES_ROOT\exefile\shell\open\command
5. Scan your system for copies of the trojan.

***********************************************
II Requirements

This tool is designed to run under Windows NT, 2000, and Windows 9X.

For this tool to execute properly under Windows NT, it needs these
DLL files:

   o PSAPI.DLL

Be sure that these files are present in the "Winnt\system32" directory.

***********************************************
III How to use

1. Download a copy of this tool to the infected system.

2. If you want to make use of the options provided by the tool:
   2.1 Open an MS-DOS prompt or any command prompt of your choice.
   2.2 Go to the folder that contains the tool.
   2.3 Run FIX_SIRCAM.COM [options]

       where - path of folder or subdirectory to be scanned.
               (Default path is C:\)

       Options:
       /A - Autodelete trojan files. Default is ask user.
       /S - Do not scan subdirectories. Default is recurse all
            subdirectories.
       /N - Do not scan system for dropped trojan files. Using this
            option just fixes the registry and deletes trojans in
            known locations on the computer.
       /? - Display this help file.

3. If you do not want to use the options of the tool, just click on
   the icon of the tool or run the tool without parameters. In that
   case, the tool executes with the following default actions:

   o Delete the memory-resident portions of the trojan.
   o Delete the files dropped by the trojan.
   o Remove the registry entries created by the trojan, in particular:
   o Fix one of the registry keys that associates the worm with the
     execution of other programs.
   o Scan your filesystem, starting from C:\, recursing all
     subdirectories for copies of the worm.
   o If a copy of the worm is found, prompt the user whether the
     file is to be deleted or not.

   Autodelete detected trojans: No.
   Scan subdirectories: Yes.
   Scan files: Yes.
   Path to be scanned: c:\

***********************************************
IV Notes

1. The tool creates a log file of its activities in the directory in
   which it was run.
2. The tool originally had an .EXE extension, but because of the
   possibility that the trojan has modified the key described in I.4,
   it has been renamed with a .COM extension.
3. This tool has been tested on the following platforms:
   o Win95
   o WinME
   o Win98 SE
   o WinNT 4.0
   o Win 2000

***********************************************
For the details of this virus, visit
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SIRCAM.A
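
The registry traces listed in section I can also be checked by hand against a text export of the registry. The Python below is an added example, not part of Trend Micro's tool. It assumes a REGEDIT4-style export with string values, that Driver32 appears as a value or subkey under RunServices, and that the stock exefile command is "%1" %*; both sample exports are constructed.

```python
import re

# Registry locations from section I of the README, lower-cased for comparison.
SIRCAM_KEY = r"hkey_local_machine\software\sircam"
RUNSERVICES = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
EXE_CMD = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXE_CMD = '"%1" %*'  # assumption: stock Windows handler for .exe files

def parse_reg(text):
    """Parse export text into {key: {value_name: data}}; "" is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            # Undo the .reg escaping of backslash and double quote.
            current[name.lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def sircam_findings(text):
    """Return findings for the registry traces named in section I."""
    keys, found = parse_reg(text), []
    if any(k == SIRCAM_KEY or k.startswith(SIRCAM_KEY + "\\") for k in keys):
        found.append(r"HKLM\Software\SirCam key present")
    # Assumption: Driver32 may be exported as a value or as a subkey.
    if "driver32" in keys.get(RUNSERVICES, {}) or RUNSERVICES + r"\driver32" in keys:
        found.append("RunServices Driver32 entry present")
    cmd = keys.get(EXE_CMD, {}).get("")
    if cmd is not None and cmd.strip() != CLEAN_EXE_CMD:
        found.append("exefile open command altered: " + cmd)
    return found

# Constructed sample exports, not captured from a real machine.
INFECTED = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\SirCam]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCAM32.EXE"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\RECYCLED\\SIRC32.EXE\" \"%1\" %*"
'''
CLEAN = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
if __name__ == "__main__":
    print(sircam_findings(INFECTED), sircam_findings(CLEAN))
```

An altered exefile command is the reason note IV.2 gives for shipping the tool as a .COM file: while that key is modified, launching any .EXE goes through the command stored there.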