Sircam.Worm@mm Removal Tool
Checks for Sircam
Removes Sircam
Gives Report
The W32.Sircam.Worm@mm Fix tool deletes the files infected with the W32.Sircam.Worm@mm
worm and removes the changes that were made to a computer by this virus.
To obtain and run the tool:
1. Go to http://www.sarc.com/avcenter/FixSirc.com
(or get it here on my site)
2. Download the Fixsirc.com file to a convenient location, such as your download folder or
the Windows desktop. If you are on a network, the removal tool should be applied on all
computers, including the server.
3. To check the authenticity of the digital signature, refer to the section The digital
signature.
4. Close all programs before running the tool, including any antivirus scanners such as
NAV Auto-Protect.
CAUTION: Do not skip this step. You must disable Anti-Virus software before you
run the tool.
5. If you are on a network, or have a full time connection to the Internet, disconnect the
computer from the network and the Internet. Disable or password protect file sharing
before reconnecting computers to the network or to the Internet. Because this worm spreads
by using shared folders on networked computers, to ensure that the worm does not reinfect
the computer after it has been removed, Symantec suggests sharing with read-only access or
using password protection. For instructions on how to do this, see your Windows
documentation or the document How to configure shared Windows folders for maximum network
protection.
CAUTION: Do not skip this step. You must disconnect from the network before running the
tool.
6. If you are using Windows Me, then disable System Restore. See below for details.
NOTE: If you are running Windows Me, we strongly recommend that you do not skip this step.
7. Double-click the Fixsirc.com file to start the removal tool.
NOTE: If you downloaded the tool to a floppy disk, and want to run it from the floppy, see
the section How to run the tool from a floppy disk at the end of this document for special
instructions.
NOTE: If you are using Windows Me, and the System Restore remains enabled, you will see a
warning message. You can choose to run the removal tool with the System Restore option
enabled or exit the removal tool.
8. Click Start to begin the process, and then allow the tool to run.
9. If you are using Windows Me, then reenable System Restore.
NOTE:
If you see a message that the tool must rerun in Safe mode, restart the computer in Safe
mode and run the tool again. Please follow this instruction to ensure that the virus does
not reinfect the computer. To restart in Safe mode, see the document How to restart
Windows 9x or Windows Me in Safe Mode.
The removal procedure might be unsuccessful if System Restore is enabled under
Windows Me, because Windows prevents System Restore from being modified by outside
programs. Because of this, any worm removal attempts made by the removal tool might fail.
When the procedure is finished, the removal tool may detect that you are using Windows Me
and that System Restore remains disabled. In this case, you will see a reminder message
to reenable this option.
If you need to run the tool in login scripts or batch files with no messages displayed,
then use the following command line syntax for the "Silent" mode:
Fixsirc.com /s
When the tool has finished running, you will see a message indicating whether the computer
was infected by the W32.Sircam.Worm@mm worm. In the case of a removal of the worm, the
program displays the following results:
The total number of the scanned files.
The number of deleted files.
The number of registry keys that were fixed.
What the tool does
The W32.Sircam.Worm@mm removal tool does the following:
1. It scans and deletes files infected with the W32.Sircam.Worm@mm worm.
2. The tool removes the following registry key:
HKEY_LOCAL_MACHINE\Software\SirCam
3. In the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
it deletes the following value:
Driver32
4. In the registry key
HKEY_CLASSES_ROOT\exefile\shell\open\command
the tool modifies the [Default] value by setting it to:
"%1" %*
5. The tool removes the line "@win \recycled\sirc32.exe" from the
C:\Autoexec.bat file.
6. The tool restores the Rundll32.exe file, which was renamed by the worm.
System Restore option in Windows Me:
One of the new features of Windows Me is System Restore. This feature, which is enabled by
default, is used by Windows to restore files on your computer in case they become damaged.
Windows Me keeps the restore information in the _RESTORE folder. A _RESTORE folder is
created on each hard drive on the computer; these folders are updated when the computer
restarts.
If the computer is infected with W32.Sircam.Worm@mm, then it is possible that the worm
could be backed up in the _RESTORE folder. By default, Windows prevents System Restore
from being modified by outside programs. Because of this, any repair attempts made by the
removal tool will fail. To work around this, you must disable System Restore, and restart
the computer. This will purge the contents of the _RESTORE folder. You must then run the
removal tool again.
To disable System Restore in Windows Me:

1. Close all open programs. Then, right-click My Computer on the Windows desktop.
2. Click Properties.
3. Click the Performance tab.
4. Click File System.
5. Click the Troubleshooting tab.
6. Check Disable System Restore.
7. Click OK.
8. Click OK.
9. Click Yes to restart. This disables the System Restore feature and will purge the
contents of the _RESTORE folder when the system is restarted.
Note: After running the FixSirc.com removal tool, repeat steps 1 through 9, except in step
6, uncheck Disable System Restore.
You can also find additional information in the document Cannot repair, quarantine, or
delete a virus found in the _RESTORE folder.
How to run the tool from a floppy disk
1. Insert the floppy disk that contains the Fixsirc.com file in the floppy disk drive.
2. Click Start and then click Run.
3. Type the following and then click OK:
a:\fixsirc.com
NOTE: If you are using Windows Me, and the System Restore remains enabled, you will see a
warning message. You can choose to run the removal tool with the System Restore option
enabled or exit the removal tool.
4. Click Start to begin the process, and then allow the tool to run.
5. If you are using Windows Me, then reenable System Restore.