F-Secure Sircam worm removal tool
---------------------------------

The purpose of this tool is to help remove the Sircam worm. The removal
process is rather complex, since the worm places multiple copies of itself
on the system and modifies several registry keys.


The following steps are done to remove the worm completely:

1. All the possible copies of the worm are deleted:

   '[windows_drive]:\recycled\SirC32.exe'

   '[windows_system_dir]\SCam32.exe'

   '[windows_dir]\ScMx32.exe'

   'Microsoft Internet Office.exe' from every user's
   \Start Menu\Programs\Startup\ folder


2. '[windows_dir]\rundll32.exe' is restored if it was overwritten by the
   worm. When infecting through network shares, the worm renames
   'rundll32.exe' to 'run32.exe' and places itself as 'rundll32.exe'. This
   copy of the worm is removed and 'run32.exe' is renamed back to
   'rundll32.exe'.


3. '[windows_drive]:\recycled\SirCam.sys' is removed. This file is filled
   with a text string for the purpose of exhausting the disk space. It is
   part of the worm's payload.


4. The registry is restored

   The default value of '[HKCR\exefile\shell\open\command]' is restored
   to '"%1" %*'

   The '[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32]'
   entry is cleared (set to an empty string, "")

   '[HKLM\Software\SirCam]' is removed together with all of its sub-keys


5. Protection against further infection through network shares is installed

   The system can be protected against (re)infection through the network if
   a dummy '\recycled\SirC32.exe' file with the read-only attribute is
   present.


After these steps a reboot might be required to ensure that all settings are
updated and any locked infected files are deleted.
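The five steps above, written out as an audit-and-cleanup script for
administrators. This is an added example, not F-Secure's removal tool,
and it does not share any code with it. It assumes an NT-family layout
(system directory '[windows_dir]\System32', per-user Startup folders
under 'Documents and Settings' or 'Users'); those path patterns, and the
treatment of 'Driver32' as a value under the 'RunServices' key, are
assumptions taken from the description above. Run it elevated; with
'-WhatIf' it only reports what it would change.

```powershell
# Added example: Sircam indicator audit and cleanup following the five
# steps in this README. Not F-Secure's tool. Paths, Startup-folder layouts
# and the Driver32 value handling are assumptions, not taken from the tool.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$sysDrive = $env:SystemDrive                 # [windows_drive]:
$winDir   = $env:SystemRoot                  # [windows_dir]
$sysDir   = Join-Path $winDir 'System32'     # [windows_system_dir] (assumed)

# Steps 1 and 3: known worm copies and the disk-filling payload file.
$filesToRemove = @(
    (Join-Path $sysDrive 'recycled\SirC32.exe'),
    (Join-Path $sysDir   'SCam32.exe'),
    (Join-Path $winDir   'ScMx32.exe'),
    (Join-Path $sysDrive 'recycled\SirCam.sys')
)
# Per-user Startup folders; the three layouts below are assumptions.
$startupPatterns = @(
    (Join-Path $sysDrive 'Documents and Settings\*\Start Menu\Programs\Startup'),
    (Join-Path $sysDrive 'Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $winDir   'Start Menu\Programs\Startup')
)
foreach ($pattern in $startupPatterns) {
    $filesToRemove += Get-ChildItem -Path (Join-Path $pattern 'Microsoft Internet Office.exe') `
                        -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }
}
foreach ($f in $filesToRemove) {
    if (Test-Path -LiteralPath $f) {
        Write-Output "Indicator found: $f"
        if ($PSCmdlet.ShouldProcess($f, 'Delete worm file')) {
            Remove-Item -LiteralPath $f -Force     # -Force also removes read-only files
        }
    }
}

# Step 2: if run32.exe exists, rundll32.exe is the worm's copy; swap it back.
$rundll32 = Join-Path $winDir 'rundll32.exe'
$run32    = Join-Path $winDir 'run32.exe'
if (Test-Path -LiteralPath $run32) {
    Write-Output "Renamed original found: $run32 (rundll32.exe is probably the worm)"
    if ($PSCmdlet.ShouldProcess($rundll32, 'Restore original rundll32.exe from run32.exe')) {
        Remove-Item -LiteralPath $rundll32 -Force -ErrorAction SilentlyContinue
        Rename-Item -LiteralPath $run32 -NewName 'rundll32.exe'
    }
}

# Step 4a: EXE file handler. The default value must be exactly "%1" %*.
$exeCmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$expected  = '"%1" %*'
$current   = (Get-ItemProperty -Path $exeCmdKey -ErrorAction SilentlyContinue).'(default)'
if ($null -ne $current -and $current -ne $expected) {
    Write-Output "exefile handler hijacked, current value: $current"
    if ($PSCmdlet.ShouldProcess($exeCmdKey, "Restore default value to $expected")) {
        Set-ItemProperty -Path $exeCmdKey -Name '(default)' -Value $expected
    }
}

# Step 4b: clear the RunServices\Driver32 autostart entry (assumed to be a value).
$runSvc   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
$driver32 = (Get-ItemProperty -Path $runSvc -Name 'Driver32' -ErrorAction SilentlyContinue).Driver32
if ($driver32) {
    Write-Output "RunServices\Driver32 autostart points to: $driver32"
    if ($PSCmdlet.ShouldProcess("$runSvc\Driver32", 'Clear value')) {
        Set-ItemProperty -Path $runSvc -Name 'Driver32' -Value ''
    }
}

# Step 4c: remove the worm's own configuration key and its sub-keys.
$sircamKey = 'HKLM:\Software\SirCam'
if (Test-Path -Path $sircamKey) {
    Write-Output "Worm registry key found: $sircamKey"
    if ($PSCmdlet.ShouldProcess($sircamKey, 'Remove key and all sub-keys')) {
        Remove-Item -Path $sircamKey -Recurse -Force
    }
}

# Step 5: read-only dummy SirC32.exe so a network-share infection cannot
# drop its copy there. Created only after the real copy was removed above.
$dummy = Join-Path $sysDrive 'recycled\SirC32.exe'
if (-not (Test-Path -LiteralPath $dummy) -and
    $PSCmdlet.ShouldProcess($dummy, 'Create read-only dummy file')) {
    New-Item -ItemType File -Path $dummy -Force | Out-Null   # -Force creates \recycled if missing
    (Get-Item -LiteralPath $dummy).IsReadOnly = $true
}
Write-Output 'Done. Reboot if any file could not be deleted because it was in use.'
```

Each step prints what it finds before changing anything, so the same
script serves as a detection check across a fleet when run with
'-WhatIf'. The handler restore compares against the exact string '"%1" %*'
rather than just checking for the worm's file name, so any other hijack of
the EXE handler is reported as well.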


For more information on the Sircam worm please visit

 http://www.europe.f-secure.com/v-descs/sircam.shtml

Copyright (c) 2001 F-Secure Corporation. All Rights Reserved.
