Code Red Virus


kmguru

I just received this warning from my ISP:

At roughly 9:00 AM today, our network began seeing an unusual increase in activity on our core router and our DSL router. After some investigation, it was determined that the increase was related to an exceptionally virulent new worm, called "Code Red." Machines infected with the worm send out large amounts of data to random IP addresses in an attempt to find other machines susceptible to infection by the worm. Some of this data was being sent to bogus IP addresses, slowing down our routers slightly...

BE AWARE.... everybody
 
Nix ... kmguru

NOT a new worm, it's a variation of one that's been around - just more virulent and harder to trace. And only ISPs have to be concerned.

Just thought you'd like to know.
 
Not if it affects the sciforums server. This morning my access to the forum really slowed down. It could be my Earthlink provider too.
 
My brief knowledge of Code Red is that it targets DSL routers -- i.e. the ones used by telcos *AND* DSL modems. So if you're using a Cisco DSL modem, you might want to be alert.
 
Seems to me we had an alert about the Cisco server modem in the Computer Geeks thread, where someone in Australia had a problem. I think my ISP sent me a notice of a virus alert not long ago.
 
As Chagur pointed out, this worm only affects ISPs and DSL router networks. Users like us do not have to worry about it.

There is another virus going around that has content as follows:
-----------------------
Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks

-----------------------
 
kmguru,

Is that the SirCam virus? Or is this yet another?

Shadow
 
I have no idea. There are too many viruses running loose on this planet. Most viruses/worms these days come through your email system. Others can come through always-on DSL and cable modem connections that do not have a firewall such as ZoneAlarm or variations thereof.

So my advice to y'all is: do not open any attachments that look suspicious. Have two separate email accounts, one for private friends and company use and the other for general stuff. I have never received any virus through my private email address.

In the last few days, I noticed spam coming through the Hotmail system saying your credit card is overcharged, or we charged your credit card, or as per your request. I don't even bother to open it.
 
SirCam virus

The only virus that generates that specific message, to my knowledge, is the SirCam worm. It's a nasty little bugger that I've been cleaning off of my company's servers and clients for the last week. It generates that message and sends it to every address in your email system (i.e. contacts, PAB, and addresses stored in received mail). It scrambles the MIME header, so a lot of server-based virus checkers fail to catch the virus because they don't realize the email has an attachment. If you have Norton with virus defs less than 3 weeks or so old, you probably won't catch it.

It creates a file in your Recycled bin, your C:\windows\system and C:\windows\system32 directories called Sirc32.exe. It associates EXE apps to Sirc32.exe in the Recycled bin, so it runs the virus file every time you open an app. It is capable of infecting EXE files and may prevent you from running anti-virus software if it's in memory. It also copies its payload file (usually an infected spreadsheet or document) into your Recycled bin as a hidden file and creates a group in HKEY_LOCAL_MACHINE\SOFTWARE that re-runs the payload file every time you reboot. This way it can keep trying to infect your system if it fails on the first try.

It's kind of a pain to remove, since if you delete the sirc32.exe file from your system before removing the registry keys it creates, you won't be able to run ANY exe files. This includes Regedit. :p You can fix this by renaming regedit to a COM extension and running it to remove the keys.

Another sneaky little twist I encountered with this virus yesterday is that it is capable of copying itself manually to computers with unprotected shares on our network. Any computer that shares its C drive without a password can potentially get this worm over a LAN or WAN without anyone ever even opening an email.

Creating folders named "sirc32.exe" in C:\recycled, C:\windows\system, and C:\windows\system32 will prevent the virus from generating its exe file and stop it from infecting your system. If you open an infected file, it will still copy the payload to C:\recycled and add the SIRCAM group to your registry. It will attempt to re-infect your system every time you reboot until you remove the reg entry or delete the payload.

That's all I've been able to figure out about this virus. If anyone has any information that I don't, please let me know! Thanks!
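The indicators and the removal-order trap Byshop describes above (sirc32.exe in the three drop directories, the hijacked EXE association, the registry group that re-runs the payload, and the "folder named sirc32.exe" mitigation) can be turned into a host check. The script below is an added example written for this page, not code from the thread or from any anti-virus vendor. It runs against a plain-dict snapshot of the host so it works offline; on a live Windows machine you would fill the snapshot from os.path.isfile/isdir and winreg. The exact registry key name under HKLM\SOFTWARE ("SirCam") and the location of the EXE open command (HKCR\exefile\shell\open\command) are assumptions; the drop directories, the filename, and the ordering constraint (fix the registry before deleting the exe) come from the post. The sample snapshots at the bottom are constructed.

```python
"""Host check for the SirCam indicators described in the post (added example)."""
from dataclasses import dataclass

SIRCAM_FILENAME = "sirc32.exe"
# Drop directories named in the post.
DROP_DIRS = (r"c:\recycled", r"c:\windows\system", r"c:\windows\system32")
# ASSUMED locations: where the EXE association and the "SIRCAM group" live.
EXE_OPEN_KEY = r"hkey_classes_root\exefile\shell\open\command"
PERSISTENCE_KEY = r"hkey_local_machine\software\sircam"
# The stock Windows open command for .exe files.
CLEAN_EXE_COMMAND = '"%1" %*'


def norm(path: str) -> str:
    """Case-insensitive, backslash-only form so lookups are stable."""
    return path.strip().lower().replace("/", "\\")


@dataclass
class HostSnapshot:
    files: dict      # path -> "file" or "dir"
    registry: dict   # registry key -> value string

    def __post_init__(self):
        self.files = {norm(p): v for p, v in self.files.items()}
        self.registry = {norm(k): v for k, v in self.registry.items()}


def dropped_executables(snap: HostSnapshot) -> list:
    """Paths where sirc32.exe exists as a real file (not the blocking folder)."""
    return [d + "\\" + SIRCAM_FILENAME for d in DROP_DIRS
            if snap.files.get(d + "\\" + SIRCAM_FILENAME) == "file"]


def exe_association_hijacked(snap: HostSnapshot) -> bool:
    """True if launching any .exe goes through sirc32.exe first."""
    cmd = snap.registry.get(EXE_OPEN_KEY, CLEAN_EXE_COMMAND)
    return SIRCAM_FILENAME in cmd.lower()


def persistence_keys(snap: HostSnapshot) -> list:
    """Registry keys in the assumed SirCam group that re-run the payload at boot."""
    return sorted(k for k in snap.registry if k.startswith(PERSISTENCE_KEY))


def blocking_dirs_in_place(snap: HostSnapshot) -> bool:
    """The post's mitigation: a folder named sirc32.exe in every drop dir."""
    return all(snap.files.get(d + "\\" + SIRCAM_FILENAME) == "dir"
               for d in DROP_DIRS)


def cleanup_plan(snap: HostSnapshot) -> list:
    """Ordered remediation steps. The registry is fixed BEFORE the exe is
    deleted: deleting sirc32.exe first leaves .exe files (regedit included)
    unable to launch, which is the trap the post warns about."""
    steps = []
    if exe_association_hijacked(snap):
        steps.append(f"restore {EXE_OPEN_KEY} to {CLEAN_EXE_COMMAND}")
    for key in persistence_keys(snap):
        steps.append(f"delete registry key {key}")
    for path in dropped_executables(snap):
        steps.append(f"delete file {path}")
    for d in DROP_DIRS:
        if snap.files.get(d + "\\" + SIRCAM_FILENAME) != "dir":
            steps.append(f"create blocking directory {d}\\{SIRCAM_FILENAME}")
    return steps


# Constructed sample snapshots (not captured from a real host).
INFECTED = HostSnapshot(
    files={
        r"C:\Recycled\SirC32.exe": "file",
        r"C:\Windows\System\SirC32.exe": "file",
        r"C:\Windows\System32\SirC32.exe": "file",
        r"C:\Recycled\budget.xls.exe": "file",   # hidden payload copy
    },
    registry={
        EXE_OPEN_KEY: r'"C:\recycled\SirC32.exe" "%1" %*',
        PERSISTENCE_KEY: r"C:\Recycled\budget.xls.exe",
    },
)

CLEAN = HostSnapshot(
    files={d + "\\" + SIRCAM_FILENAME: "dir" for d in DROP_DIRS},
    registry={EXE_OPEN_KEY: CLEAN_EXE_COMMAND},
)

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, cleanup_plan(snap) or ["nothing to do"])
```

The plan is deliberately ordered so that the association repair and the key removal come first; a snapshot with the blocking folders already in place and a stock open command produces an empty plan.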
 
Welcome to Sciforums, Byshop. May your posts be long and varied.

Thank you for the explanation of some of the functions of the SirCam virus. It is indeed appreciated. Unfortunately I am not a virus fighter, so there is nothing I can help you with. I wish I could.
 