Permanently remove the Sircam worm from your computer
The purpose of the AntiSirc utility is to help users easily remove the Sircam worm from their computers. The removal process is rather complex since the worm places multiple copies of itself to the system and modifies several registry keys.
The following steps are done to remove the worm completely:
1. All the possible copies of the worm are deleted:
‘Microsoft Internet Office.exe’ from all user’s |Start Menu|Programs|Startup| folder
2. ‘[windows_dir]|rundll32.exe’ is restored if it was overwritten by the worm. When infecting trough network shares it renames ‘rundll32.exe’ to ‘run32.exe’ and places itself to ‘rundll32.exe’. This copy of the worm is removed and ‘run32.exe’ is renamed back to ‘rundll32.exe’.
3. ‘[windows_drive]|recycled|SirCam.sys’ is removed. This file is filled with a text string with the purpose of exhausting the disk space. It is part of the worm’s payload.
4. Registry is restored
‘[HKCR|exefile|shell|open|command]’ key is restored to “”%1″ %*”
‘[HKLM|Software|Microsoft|Windows|CurrentVersion|RunServices|Driver32]’ sub-key is zeroed – set to “”
‘[HKLM|Software|SirCam]’ is removed with all the sub-keys it has
5. Protection against further infection trough network shares is installed
The system can be protected against (re)infection through the network if there is a dummy ‘|recycled|SirC32.exe’ file with read-only attributes.
After these a reboot might be required to ensure that all the settings get
updated and the possibly locked infected files are deleted.
Please comments and give ratings. You may also report of broken or incorrect link using comments box below. Thanks!