Removing W32/Sircam-A
---------------------
July 2001
www.sophos.com

W32/Sircam-A is a network-aware worm. It spreads via email and through open network shares. It arrives in an email whose subject is chosen at random and is identical to the attached filename. The attached filename is also chosen at random, but it always carries a double extension (for instance .doc.com, .doc.bat or .mpg.pif).

Details of this worm can be found at:
http://www.sophos.com/virusinfo/analyses/w32sircama.html

The tool these notes refer to can be found at:
http://www.sophos.com/virusinfo/analyses/rmsirc.bat

1. Before you start
-------------------
You will need at least one blank floppy disk and an uninfected computer able to access the Sophos website.

Unplug the network cable on any infected PC.

2. Downloading the files
------------------------
On an uninfected computer, go to the W32/Sircam-A disinfection web page:
http://www.sophos.com/support/faqs/sircam.html

The second sentence on this page says 'The batch file rmsirc.bat will disinfect English, French, German, Italian and Spanish systems.' Click on the words 'rmsirc.bat' to download the W32/Sircam-A disinfection batch file. Click on the words 'Readme notes' below it to download this text.

Save these files to the floppy disk. Write-protect the floppy disk.

3. Running the RMSIRC batch file from the command prompt
--------------------------------------------------------
Go to the infected computer. Ensure that the computer is not plugged into a network. Close all programs, leaving only the Windows Desktop.

Place the floppy disk in the A: drive. At the Windows taskbar, select Start|Run. Type A:\RMSIRC and press Enter.

Messages will tell you to scan your computer and empty its Recycle Bin. Press a key to close the program, then close the program box if necessary.

4. Emptying the Recycle Bin
---------------------------
Now empty your Recycle Bin. On the Windows Desktop, right-click on the Recycle Bin icon and click 'Empty Recycle Bin'.

5. Installing Sophos Anti-Virus
-------------------------------
Make a new single-user installation of Sophos Anti-Virus on the affected computer, either from the CD or by running A95Z.EXE or ANGZSU.EXE from a downloaded file (double-click on it).

If you do not have the Sophos Anti-Virus CD version 3.49 (September) or later, you will have to download the single-user version for your platform.

For Windows 95/98/Me, download the Windows 95/98/Me file A95Z.EXE from:
http://www.sophos.com/downloads/products/win9598me.html

For Windows NT/Windows 2000, download the single-user version ANGZSU.EXE from:
http://www.sophos.com/downloads/products/winnt2000.html

When installing, accept all of the default settings. Press Next, OK, or Yes as necessary. Shut your computer down and reboot it.

6. Removing infected files with the Sophos Anti-Virus GUI
---------------------------------------------------------
You must use the Sophos Anti-Virus GUI to identify and delete all remaining viral files.

At the Windows taskbar, select Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus.

Select 'local hard drives' or C:\ by highlighting the green indicator light. On the right-hand side of the screen, click on the 'Edit' button and change 'File Types' to 'All'. Click 'OK'.

From the menu bar, select 'Options' and then 'Configuration'. There are three tabbed pages. Select the Action page. Check Disinfect Boot Sectors, Disinfect Documents and Infected Files. Under Infected Files, choose Delete as the action. Ensure that Request Confirmation is checked. Click OK to return to the main screen.

At the main Sophos Anti-Virus screen, click the GO button. Sophos Anti-Virus checks your computer for viruses. When infected items are found, a message appears:

  Virus 'W32/Sircam-A' detected in
  Do you want to remove the file?

Delete any such files. Do not delete files infected by any other virus or worm at this point; deal with them separately later.

Reboot and run another scan to ensure that the virus has gone.

When the scan has finished, return to the Action page and uncheck Infected Files. Click OK to return to the main screen. On the right-hand side of the screen, click on the 'Edit' button and change 'File Types' back to 'Executables'. Click 'OK'.

Ensure that all computers are free from W32/Sircam-A before plugging them back into the network.

7. How can I restore the settings that W32/Sircam-A has changed?
----------------------------------------------------------------
The virus may have modified the AUTOEXEC.BAT file so that infected files are run at boot time. Those files have already been removed in the steps above, but the references to them remain.

Open AUTOEXEC.BAT in Notepad or Edit and remove any line containing the text 'sirc32'. Do not use a word processor, as it may change the file's format. Save AUTOEXEC.BAT.

8. Support
----------
For assistance, please contact Sophos Technical Support.
support@sophos.com

07/04/2003
----------------
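The two checks below are an added example, not Sophos' rmsirc.bat or any other code from these notes: one flags attachment names with the double extension described in the introduction (the subject/filename match is the hallmark the notes give; the extension sets beyond .doc/.mpg and .com/.bat/.pif are assumptions), the other strips 'sirc32' lines from AUTOEXEC.BAT as section 7 instructs, returning the removed lines so they can be logged before the file is rewritten.

```python
# Final extensions Windows executes. Assumption: .exe and .lnk are added to the
# .com/.bat/.pif examples given in the readme.
EXECUTABLE_EXTS = {".com", ".bat", ".pif", ".exe", ".lnk"}
# Harmless-looking first extensions used as the lure. Assumption: .xls and .zip
# are added to the .doc/.mpg examples given in the readme.
DECOY_EXTS = {".doc", ".mpg", ".xls", ".zip"}

def is_double_extension_lure(filename: str) -> bool:
    """True for names of the form <stem>.<decoy>.<executable>, e.g. report.doc.com."""
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    _stem, decoy, final = parts
    return "." + decoy in DECOY_EXTS and "." + final in EXECUTABLE_EXTS

def looks_like_sircam_mail(subject: str, attachment: str) -> bool:
    """Readme hallmark: subject identical to the attached filename, which in turn
    carries a double extension. The subject is also accepted when it equals the
    filename with its extensions removed (assumption, for mail clients that show
    only the bare stem)."""
    subj = subject.strip().lower()
    name = attachment.strip().lower()
    stem = name.rsplit(".", 2)[0]
    return subj in (name, stem) and is_double_extension_lure(name)

def clean_autoexec(text: str) -> tuple[str, list[str]]:
    """Return AUTOEXEC.BAT contents with every line mentioning sirc32 removed
    (case-insensitive), plus the removed lines for logging."""
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        (removed if "sirc32" in line.lower() else kept).append(line)
    return "".join(kept), removed

# Constructed sample AUTOEXEC.BAT. The SIRC32 line mimics the kind of entry the
# readme says the worm adds; it is not copied from a real infected system.
SAMPLE_AUTOEXEC = (
    "@ECHO OFF\r\n"
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    "C:\\RECYCLED\\SIRC32.EXE\r\n"
    "C:\\WINDOWS\\SMARTDRV.EXE\r\n"
)

if __name__ == "__main__":
    for subj, att in [("report.doc.com", "report.doc.com"), ("hello", "photo.jpg")]:
        print(subj, att, looks_like_sircam_mail(subj, att))
    cleaned, removed = clean_autoexec(SAMPLE_AUTOEXEC)
    print("removed:", removed)
    print(cleaned, end="")
```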