What is an Internet Worm?

An Internet worm is a type of computer virus that can do everything from slowing your computer down to a crawl to completely destroying files and disabling software. One of the most famous Internet worms is the I-Worm. The I-Worm or "I-Worm Rays" is a highly contagious and destructive computer virus. It can completely destroy your files or slow your computer down to near crippling levels. All a user has to do is open an infected email and the worm will begin doing its dirty work.

According to Bitdefender (www.bitdefender.com), I-Worm or I-Worm Rays, also called I-Worm.Sircam.A and I-Worm.Magistr.A, is an Internet and network worm similar to I-Worm.Magistr.A. The virus spreads through e-mail using its own SMTP routine, sending itself to addresses from the Address Book and from cache, or through shared directories.



Bitdefender also says the virus is transmitted through a message with a randomly chosen subject and body. The attachment is a combination of the virus infection routine and a file chosen randomly from My Documents. The original name of the file is kept, but an executable extension is added (.pif, .exe, .lnk). Users who have not enabled the option to show attachment extensions will see only the original extension and can be easily fooled.

The symptoms of I-Worm include the presence of any of the registry keys or files mentioned in the technical description. Here is an example of an email message carrying the virus:

Subject: Document file name (without extension)
From: [[email protected]]
To: [[email protected]]


Hi! How are you?
I send you this file in order to have your advice

or:

I hope you can help me with this file that I send
I hope you like the file that I send you
This is the file with the information that you ask for

See you later! Thanks

or, in Spanish:

Subject: Document file name (without extension)
From: [[email protected]]
To: [[email protected]]

Hola como estas ?
Te mando este archivo para que me des tu punto de vista

or:

Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la informacion que me pediste

Nos vemos pronto, gracias.
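The naming trick described above can be checked at the mail gateway or in a mailbox sweep. The following Python sketch is an added example, not code from Bitdefender or from the original article; the sample message, its addresses and the file name are constructed, and the function name is an assumption. It flags attachments whose name keeps a document extension and then appends .pif, .exe or .lnk, and notes whether the subject equals the original file name without its extension.

```python
import email
from email import policy
from pathlib import PureWindowsPath

# Executable extensions the article says the worm appends to the original name.
APPENDED_EXTS = {".pif", ".exe", ".lnk"}

# Constructed sample message; addresses and file name are made up.
SAMPLE_EML = """\
From: sender@example.com
To: recipient@example.com
Subject: budget 2001
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

Hi! How are you?
I send you this file in order to have your advice
See you later! Thanks
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="budget 2001.doc.pif"
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""

def suspicious_attachments(raw_message: str):
    """Return findings for attachments that hide an appended executable extension."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
        # Require an inner (original) extension plus a trailing executable one.
        if len(suffixes) < 2 or suffixes[-1] not in APPENDED_EXTS:
            continue
        shown = name[: -len(suffixes[-1])]          # name seen when extensions are hidden
        stem = PureWindowsPath(shown).stem.lower()  # original name without extension
        findings.append({
            "filename": name,
            "displayed_as": shown,
            "subject_matches_stem": stem == subject,
        })
    return findings
```

A double extension alone also matches some legitimate file names, so the subject match is reported separately as a stronger signal.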

If the attachment is opened, the worm copies itself in the system directory under the name scam32.exe. It also copies itself into the directory “Recycled” under the name sirc32.exe, which is a hidden file. Then the virus creates the following three keys in the Windows Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

with the value Driver32 = %System%\scam32.exe to be accessed when Windows starts, and:

HKLM\SOFTWARE\Classes\exefile\shell\open\command

with the value C:\Recycled\sirc32.exe "%1" %* so that the infection routine is executed before any other EXE file.
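The two registry changes listed above can be looked for in a registry export taken from a suspect machine. The Python sketch below is an added example, not Bitdefender's removal tool or code from the original article; the .reg sample is constructed (including the expansion of %System% to C:\WINDOWS\SYSTEM) and the function names are assumptions. It parses string values from a .reg export and reports a Run Services entry pointing at scam32.exe and any exefile open command that differs from the stock Windows value "%1" %*.

```python
import re

# Paths as written in the article; spaces are ignored when comparing because
# the article prints "Run Services" while Windows names the key RunServices.
RUN_SERVICES = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services"
EXE_OPEN = r"HKLM\SOFTWARE\Classes\exefile\shell\open\command"
EXE_OPEN_DEFAULT = '"%1" %*'   # stock Windows handler for .exe files

# Constructed .reg export of a host showing both changes the article lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\scam32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\Recycled\\sirc32.exe \"%1\" %*"
'''

def _norm(key):
    key = key.replace("HKEY_LOCAL_MACHINE", "HKLM")
    return key.replace(" ", "").lower()

def parse_reg(text):
    """Parse string values from a .reg export into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(_norm(line[1:-1]), {})
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
            if m:
                name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
                current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def check_persistence(text):
    """Return findings for the two registry changes described above."""
    keys, findings = parse_reg(text), []
    for name, value in keys.get(_norm(RUN_SERVICES), {}).items():
        if value.lower().endswith("scam32.exe"):
            findings.append(("run_services", name, value))
    handler = keys.get(_norm(EXE_OPEN), {}).get("@")
    if handler is not None and handler != EXE_OPEN_DEFAULT:
        findings.append(("exefile_handler", "@", handler))
    return findings
```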

If the virus finds network shared directories, it will try to copy itself into the local Windows directory under the name rundll32.exe. The original file is renamed as run32.exe. If the worm succeeds, it will modify the autoexec.bat file by introducing a new line which will allow it to execute the file previously saved in the Windows directory.

As a “signature” the author added the following strings in the virus in an encrypted form:
[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
[SirCam Version 1.0 Copyright 2001 2rP Made in / Hecho en – Cuitzeo, Michoacan Mexico]

Destructive Actions by Bitdefender.com

It randomly picks one of the infected system's files and sends it, attached to the viral code, to the e-mail addresses in the Address Book. On a random basis (one in 20 infected systems), it deletes all files and directories in the root directory C:\. This happens on Oct. 16 of every year, on systems using the D/M/Y format for the standard date. If the attached file (that generated the infection) contains FA2 without being followed by sc, this destructive action happens regardless of date format.

It slows system performance in one of 50 cases, multiplying a .txt file, c:\recycled\sircam.sys. I-Worm.Sircam.A sends confidential information too: it might choose one of your extremely confidential files to attach to its viral code and send to your contacts from the Address Book.

To download the I-Worm removal tool, please visit Bitdefender at www.bitdefender.com. Just follow the link to go directly to the removal tool and information about the I-Worm.

Sources: All information for this article was provided by Bitdefender.com.

Author: The Top Worm
