From: Ahmed Mamoor Amimi (mamoor@xxxxxxxx)
Date: Sun Oct 14 2001 - 06:50:53 GMT-3
Hello,
I didn't send this virus to u guys, it's my OUTLOOK that CC all u guys.
I am sorry, whoever is infected by my mails. Below is the manual procedure
for the removal of this virus.
===============================================
To manually remove the Trojan
Restore your system configurations through the registry.
If you are connected to the network, disconnect your computer from the
network.
Rename REGEDIT.EXE to REGEDIT.COM. If you want to use the fix tool, there is
no need to rename the file.
Click Start>Run, type REGEDIT and then press Enter.
In the left panel, click the (+) left of each of the below:
  HKEY_LOCAL_MACHINE
    Software
      Microsoft
        Windows
          CurrentVersion
            RunServices
In the right panel, look for and then delete the registry value called
Driver32.
In the left panel, click the (+) left of each of the below:
  HKEY_LOCAL_MACHINE
    Software
      SirCam
Click SirCam and then press the Delete key.
In the left panel, click the (+) left of each of the below:
  HKEY_CLASSES_ROOT
    exefile
      shell
        open
          command
In the right panel, right-click the (Default) value, then choose Modify.
Change C:\Recycled\SirC32.exe%1%* to %1 %*. In other words, remove
C:\Recycled\SirC32.exe.
Remove the dropped files:
Open an MS-DOS box or Command Prompt.
Go to the System directory (C:\Windows\System or C:\Winnt\System32).
Type ATTRIB -S -H -R SCAM32.EXE to unhide the Trojan file.
Type DEL SCAM32.EXE to delete the Trojan file.
Go to the Recycled folder (C:\Recycled folder).
Note: Emptying the recycle bin does not effectively delete the dropped
Trojan files in the folder. It is suggested that the command prompt be used
when deleting the dropped files.
Type ATTRIB -S -H -R SIRC32.EXE.
Type DEL SIRC32.EXE to delete the Trojan file.
Remove the Worm reference from AUTOEXEC.BAT:
Look for the AUTOEXEC.BAT file.
Search and remove the string "@win \recycled\Sirc32.exe"
Restore your RUNDLL32.EXE:
Search for RUN32.EXE in your WINDOWS folder. If not found, then the worm did
not overwrite your RUNDLL32.EXE.
If found, delete RUNDLL32.EXE and rename RUN32.EXE to RUNDLL32.EXE.
Restart your system.
Note: If you found the worm entry in the AUTOEXEC.BAT file or if you found
the RUN32.EXE file in the Windows directory, this means that other computers
in your network are also infected. For protection, minimize giving full
access to your drives and as much as possible DO NOT share your Windows and
System folder.
==================================
-Mamoor
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
pimmo@clover.com
Sent: Saturday, October 13, 2001 10:12 PM
To: ccielab@groupstudy.com
Cc: jpeltier@clover.com
Subject: OT: Virus?!?
Yes I know this is a virus.... I DID NOT attach the files...
I have about 10 e-mails from this person, and not quite sure how he got my
address... Has anyone else been getting mail from him?
-----Original Message-----
From: Ahmed Mamoor Amimi
To: pimmo@clover.com
Sent: 10/13/2001 9:51 AM
Subject: how we will cruise toward the CCIE lab
Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
<<alert.txt>> <<ATT32205.txt>>
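
An added example, not part of the original e-mails: a Python script that checks a REGEDIT4 text export, the contents of AUTOEXEC.BAT and a file listing for the traces named in the removal steps above. The function names and the sample inputs (including the Driver32 data) are constructed for illustration.

```python
import re

# Indicators taken from the removal steps above; matching is case-insensitive.
RUNSERVICES = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
SIRCAM_KEY = r"hkey_local_machine\software\sircam"
EXE_OPEN = r"hkey_classes_root\exefile\shell\open\command"
DROPPED = {"scam32.exe", "sirc32.exe", "run32.exe"}  # file names only, any folder

def parse_reg(text):
    """Parse a REGEDIT4 text export into {key: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
            if m:
                name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
                current[name.lower()] = m.group(2)
    return keys

def audit(reg_text, autoexec_text, file_paths):
    """Return a list of findings; an empty list means none of the listed traces were seen."""
    keys, findings = parse_reg(reg_text), []
    if "driver32" in keys.get(RUNSERVICES, {}):
        findings.append("RunServices value Driver32")
    if any(k == SIRCAM_KEY or k.startswith(SIRCAM_KEY + "\\") for k in keys):
        findings.append("HKLM\\Software\\SirCam key")
    if "sirc32.exe" in keys.get(EXE_OPEN, {}).get("(default)", "").lower():
        findings.append("exefile open command routed through SirC32.exe")
    for line in autoexec_text.splitlines():
        if "\\recycled\\sirc32.exe" in line.lower():
            findings.append("AUTOEXEC.BAT line: " + line.strip())
    for path in file_paths:
        if path.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED:
            findings.append("file present: " + path)
    return findings

# Constructed sample inputs (not captured from a real machine).
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\WINDOWS\\SYSTEM\\SCAM32.EXE"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Recycled\\SirC32.exe\" \"%1\" %*"
'''
SAMPLE_AUTOEXEC = "@ECHO OFF\n@win \\recycled\\Sirc32.exe\n"
SAMPLE_FILES = [r"C:\Recycled\SirC32.exe", r"C:\Windows\notepad.exe"]
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG, SAMPLE_AUTOEXEC, SAMPLE_FILES)))
```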