Sircam virus written in Delphi

Pajamas
Jul 25, 2001, 4:16:31 PM

The Sircam worm virus was supposedly written in delphi and yesterday
was upgraded to high risk.

PJ

Rudy Velthuis (TeamB)
Jul 25, 2001, 4:34:25 PM

In article <v3ault033b1glhsqa...@4ax.com>, Pajamas says...

> The Sircam worm virus was supposedly written in delphi and yesterday
> was upgraded to high risk.

That could be. Someone sent me something suspect today (a supposed .zip
file), and I saved it, renamed it to something with an .xyz extension,
and looked at it. It was a Delphi executable.
--
Rudy Velthuis (TeamB)

Clay Shannon
Jul 25, 2001, 7:09:48 PM

I got several yesterday, with attachments named x.<somethingorother>.pif,
x.<somethingorother>.com, and x.<somethingorother>.xls.

"Rudy Velthuis (TeamB)" <rvel...@gmx.de> wrote in message

Alexander S. Tereschenko
Jul 25, 2001, 5:24:04 PM

I got 21 yesterday and 3 today. Same naming rule, but size of letter always
different (>200 kb).

--------------------------------
Alexander S. Tereschenko
al...@plastiqueweb.com
http://futuris.plastiqueweb.com/


"Clay Shannon" <bclays...@earthlink.net> wrote in message
news:3b5f35e7_2@dnews...

Dave Nottage
Jul 25, 2001, 5:31:20 PM

"Rudy Velthuis (TeamB)" wrote:
> > The Sircam worm virus was supposedly written in delphi and yesterday
> > was upgraded to high risk.
>
> That could be. Someone sent me something suspect today (a supposed .zip
> file), and I saved it, renamed it to something with an .xyz extension,
> and looked at it. It was a Delphi executable.

Ditto (the other day). The attachment said .doc, but it was an EXE, written
in Delphi. I haven't had a good look at what's in it yet.

--
Dave Nottage
http://www.fruit.on.net <- Touring the US this summer.

Dejan Maksimovic
Jul 25, 2001, 6:15:32 PM

That's because it has the actual document attached to the end - it will
open it after it executes the virus code :-) It sends e-mails based on
documents found in My Documents - and attaches them.

Deja.

> I got 21 yesterday and 3 today. Same naming rule, but size of letter always
> different (>200 kb).

> > I got several yesterday, with attachments named x.<somethingorother>.pif,
> > x.<somethingorother>.com, and x.<somethingorother>.xls.
> >
> > "Rudy Velthuis (TeamB)" <rvel...@gmx.de> wrote in message
> > >Someone sent me something suspect today (a supposed .zip
> > > file), and I saved it, renamed it to something with an .xyz extension,
> > > and looked at it. It was a Delphi executable.

--
Kind regards, Dejan M. CEO Alfa Co. www.alfasp.com
E-mail: de...@alfasp.com
ICQ#: 56570367
Professional file&system related components and libraries for Win32 developers.

Alfa File Monitor - #1 file monitoring system for Win32 developers.
Alfa File Protector - #1 file protection and hiding system for Win32
developers.
Alfa Units - #1 file and system handling units for Delphi.


Eric H. Johnson
Jul 25, 2001, 6:12:25 PM

"Alexander S. Tereschenko" <al...@plastiqueweb.com> wrote in message
news:3b5f38d4_1@dnews...

> I got 21 yesterday and 3 today. Same naming rule, but size of letter always
> different (>200 kb).

See the thread "W32.Sircam Worm written in Delphi?" on this newsgroup from
last Friday. Since it attaches itself to any "random" document of an
appropriate type, the size of the attachment will vary. However, when
infected, the virus always installs to C:\recycled\SirC32.exe. That file
remains the same size. A dump of this file shows that it is written in
Delphi.

Regards,
Eric


John Herbster
Jul 25, 2001, 5:51:06 PM

Alexander S. Tereschenko <al...@plastiqueweb.com> wrote in message
news:3b5f38d4_1@dnews...
> I got 21 yesterday and 3 today. Same naming rule, but size of letter always
> different (>200 kb).

Why don't you all share the e-mail headers to see if there is anything
common that would give a clue as to its origin. Regards, JohnH


David Clegg
Jul 25, 2001, 6:48:00 PM

Excuse my ignorance, but how do you tell whether an executable was compiled
in Delphi?

Cheers,
David Clegg
dcl...@ebetonline.com

"Dave Nottage" <da...@removethis.b3.com.au> wrote in message
news:3b5f3a90$1_1@dnews...

Baji Kimran
Jul 25, 2001, 7:31:21 PM

Pajamas <jav...@ev1.net> wrote:

>The Sircam worm virus was supposedly written in delphi and yesterday
>was upgraded to high risk.

Before yesterday I'd gotten a total of 5 virii in email.
Yesterday I got 2 copies of Sircam and today I got 2 more.

Damian Marquez
Jul 25, 2001, 8:31:53 PM

"Rudy Velthuis (TeamB)" <rvel...@gmx.de> wrote in message
news:MPG.15c94bb9f...@newsgroups.borland.com...

> In article <v3ault033b1glhsqa...@4ax.com>, Pajamas says...
>
> That could be. Someone sent me something suspect today (a supposed .zip
> file), and I saved it, renamed it to something with an .xyz extension,
> and looked at it. It was a Delphi executable.

Someone downloaded it at the company I work for. Does a lot of strange
(smart) things like looking for open windows shares apparently with the
intention of duplicating itself.

It lurks in the registry, it gets loaded on RunServices in Win95, with the
registry key of "Driver32".

He tried to run the virus scanner himself, when I got back, he couldn't run
anything (except opening my computer, outlook and a few more), apparently
for the reason that the program associates EXE files with sirc32.exe file,
which obviously the scanner had deleted.

What's more, I couldn't run RegEdit because of this association.... Result:
re-install windows :)


John Senior
Jul 25, 2001, 11:41:11 PM

If you need to remove it, there is a batch file available here:

http://www.sophos.com/support/faqs/sircam.html

John

"Pajamas" <jav...@ev1.net> wrote in message
news:v3ault033b1glhsqa...@4ax.com...

Peter N Roth
Jul 25, 2001, 8:53:59 PM

load the exe into Word or other suitable editor
and look for 'Borland'

--
Grace + peace,
Peter N Roth
Engineering Objects International
http://engineeringobjects.com


"David Clegg" <dcl...@ebetonline.com> wrote in message
news:3b5f4cf6_2@dnews...

Dave Nottage
Jul 25, 2001, 8:58:59 PM

"David Clegg" wrote:
> Excuse my ignorance, but how do you tell whether an executable was compiled
> in Delphi?

Using IsDelphi.

Right now I can't find the link for it, because CodeCentral is down.

Dave White
Jul 25, 2001, 9:24:59 PM

This is from an e-mail our IS department sent out today:

Tell-tale signs:

1) Subject line contains the name of the attached file
2) First line: Hi! How are you?
3) Last line: See you later. Thanks
4) Additional text is one of the following
a) I send you this file in order to have your advice
b) I hope you can help me with this file that I send
c) I hope you like the file that I sendo you
d) This is the file with the information that you ask for


"John Herbster" <jo...@petronworld.com> wrote in message
news:3b5f3f4a$1_2@dnews...

Dejan Maksimovic
Jul 25, 2001, 11:42:27 PM

Load into Notepad - in the first 256 bytes, you will find "This program
cannot be run in Win32". This tells it's a Borland EXE.
To tell if it's Delphi or C++ Builder EXE - well, you must see the
import/export table - C++ Builder programs export DebugHook functions.
Also, there are EXE "knowhow" programs, that tell which compiler made the
EXE - you can find one that can tell 144 of these, at protools.cjb.net or
similar sites.

Regards, Dejan.

David Clegg wrote:

--

Dave Nottage
Jul 26, 2001, 12:18:21 AM

"Dejan Maksimovic" wrote:
>
> Load into Notepad - in the first 256 bytes, you will find "This program
> cannot be run in Win32". This tells it's a Borland EXE.

"Cannot"? Mine says "must be run under Win32". I don't think this can be
relied upon to determine that it is a Borland EXE.

Barry Kelly
Jul 26, 2001, 12:44:59 AM

In article <3b5f99f8_1@dnews>
"Dave Nottage" <da...@removethis.b3.com.au> wrote:

> "Dejan Maksimovic" wrote:
> >
> > Load into Notepad - in the first 256 bytes, you will find "This program
> > cannot be run in Win32". This tells it's a Borland EXE.
>
> "Cannot"? Mine says "must be run under Win32". I don't think this can be
> relied upon to determine that it is a Borland EXE.

Read that again.

> > "This program cannot be run in Win32"

Ha!

-- Barry

Dejan Maksimovic
Jul 26, 2001, 4:31:43 AM

> > Load into Notepad - in the first 256 bytes, you will find "This program
> > cannot be run in Win32". This tells it's a Borland EXE.
>
> "Cannot"? Mine says "must be run under Win32". I don't think this can be
> relied upon to determine that it is a Borland EXE.

Yeah, "must be" :-)))
It's not certain, but it's as good as everything else. Today, VC++,
VB and Delphi/BCB are probably 99% of the used compilers for Win32, anyway.

Rudy Velthuis (TeamB)
Jul 26, 2001, 7:45:39 AM

In article <3b5f4cf6_2@dnews>, David Clegg says...

> Excuse my ignorance, but how do you tell whether an executable was compiled
> in Delphi?

By looking at it with a hex editor and noticing strings like VCL,
Borland, etc.
--
Rudy Velthuis (TeamB)

Christen Fihl
Jul 26, 2001, 8:06:32 AM

Or by using the Borland VclScanner I once tried.

At least I think so.

--
Christen Fihl
http://HSPascal.Fihl.net

John Herbster
Jul 26, 2001, 9:29:09 AM

Dave White <dave_...@spectrachrom.com> wrote

> This is from an e-mail our IS department sent out today:
> Tell-tale signs: ...

Any clue as to common IPs in the received-from chain of addresses?

I have sometimes had interesting luck chasing down the IPs in
header lines like the following:

Received: from [209.88.70.162] by zeus.candw.lc (NTMail
5.06.0016/NU3897.00.571c491c) with ESMTP id zsqrabaa for
jo...@petronworld.com; Mon, 22 Jan 2001 19:24:05 -0400

which carried a copy of the Hybris worm.

Todd
Jul 26, 2001, 10:54:21 AM

"Peter N Roth" <refusi...@mycompany.com> wrote in message news:3b5f69ec_2@dnews...

> load the exe into Word or other suitable editor
> and look for 'Borland'

Actually it should be Delphi for delphi apps, and Borland for Borland C++ apps.
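As an added illustration, not code from any poster, here is a Python check that applies the hints given above (the DOS-stub text Dejan and Dave argue about, the "Borland"/"Delphi"/"VCL" strings Rudy and Todd mention, the DebugHook export Dejan associates with C++ Builder) to an executable's bytes; the sample images are constructed stand-ins, not real binaries, and the verdict is a triage hint rather than proof.

```python
# Heuristic compiler fingerprint for a Win32 image, following the thread's hints:
# DOS-stub text, "Borland"/"Delphi"/"VCL" strings, and a DebugHook export.
# Everything below is constructed; none of it is Sircam's own bytes.
DOS_STUB_TEXT = {
    b"This program must be run under Win32": "borland",
    b"This program cannot be run in DOS mode": "microsoft",
}
STRING_MARKERS = (b"Borland", b"Delphi", b"VCL", b"DebugHook")


def classify_exe(data: bytes) -> dict:
    """Return the DOS-stub vendor, the marker strings found, and a rough guess.

    Triage hint only: packers, stripped images and programs that merely
    mention these words can all mislead it, as the thread itself notes.
    """
    if data[:2] != b"MZ":
        return {"is_exe": False, "stub": None, "markers": [], "guess": "not an MZ image"}
    # The stub follows the 64-byte MZ header, so the "first 256 bytes" rule of
    # thumb from the thread works for unpacked images.
    stub = next((v for k, v in DOS_STUB_TEXT.items() if k in data[:256]), "unknown")
    markers = [m.decode() for m in STRING_MARKERS if m in data]
    if stub == "borland" and ("Delphi" in markers or "VCL" in markers):
        guess = "Delphi (likely)"
    elif stub == "borland" and "DebugHook" in markers:
        guess = "C++ Builder (likely)"
    elif stub == "borland" or "Borland" in markers:
        guess = "Borland tool chain (language unknown)"
    else:
        guess = "no Borland markers"
    return {"is_exe": True, "stub": stub, "markers": markers, "guess": guess}


def fake_pe(stub_text: bytes, *strings: bytes) -> bytes:
    """Constructed stand-in for a PE file: MZ header, DOS stub, then some strings."""
    header = b"MZ" + b"\x00" * 62                 # 64-byte MZ header
    stub = stub_text + b".\r\n$" + b"\x00" * 40   # stub message plus padding
    return header + stub + b"PE\x00\x00" + b"\x00".join(strings) + b"\x00"


# Constructed samples: one that looks Delphi-built, one that looks MSVC-built.
SAMPLE_DELPHI = fake_pe(b"This program must be run under Win32", b"Borland", b"Delphi", b"VCL")
SAMPLE_MSVC = fake_pe(b"This program cannot be run in DOS mode", b"KERNEL32.dll")

if __name__ == "__main__":
    for name, blob in (("delphi-like", SAMPLE_DELPHI), ("msvc-like", SAMPLE_MSVC)):
        print(name, classify_exe(blob))
```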


Clay Shannon
Jul 27, 2001, 2:12:40 PM

Here's the entire message and header which I just received on my aol
account. The other messages I received were on my earthlink account. BTW, I
don't know Alcir Junior, but I doubt he himself is culpable.

Subj: COBRA~37
Date: 07/27/2001 7:19:42 am Pacific Daylight Time
From: jun...@promotional.com.br (Alcir Júnior)
To: BClayS...@aol.com

File: COBRA~37.DOC.lnk (237855 bytes) DL Time (45333 bps): < 1 minute

Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks
----------------------- Headers --------------------------------
Return-Path: <jun...@promotional.com.br>
Received: from rly-xb01.mx.aol.com (rly-xb01.mail.aol.com [172.20.105.102])
by air-xb01.mail.aol.com (v79.27) with ESMTP id MAILINXB18-0727101938; Fri,
27 Jul 2001 10:19:38 -0400
Received: from srv1.promotional.com.br ([200.218.149.34]) by
rly-xb01.mx.aol.com (v79.20) with ESMTP id MAILRELAYINXB12-0727101718; Fri,
27 Jul 2001 10:17:18 -0400
Received: from redepromo60.promotional.com.br (estacao60.promotional.com.br
[192.168.1.60])
by srv1.promotional.com.br (8.9.3/8.8.7) with SMTP id MAA05808
for <BClayS...@aol.com>; Fri, 27 Jul 2001 12:36:58 -0300
Message-Id: <2001072715...@srv1.promotional.com.br>
From: "=?ISO-8859-1?Q?Alcir=20J=FAnior?="<jun...@promotional.com.br>
To: BClayS...@aol.com
Subject: COBRA~37
date: Fri, 27 Jul 2001 11:21:03 -0300
MIME-Version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Content-Type: multipart/mixed;
boundary="----1BD7546A_Outlook_Express_message_boundary"
Content-Disposition: Multipart message

"John Herbster" <jo...@petronworld.com> wrote in message >
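As an added example, not part of any post: a Python script that applies the tell-tale signs from Dave White's IS department memo to a message and pulls the IPs out of its Received chain, which is the comparison John Herbster asked for. The message it runs on is constructed, modelled on the one Clay quoted above (relay names and IPs from that post, placeholder addresses, folded header lines joined).

```python
import email.policy
import re

# Constructed sample after the message Clay quoted: relay names and IPs are from that post, addresses are placeholders.
RAW_SAMPLE = """\
Received: from rly-xb01.mx.aol.com (rly-xb01.mail.aol.com [172.20.105.102]) by air-xb01.mail.aol.com (v79.27) with ESMTP id MAILINXB18-0727101938; Fri, 27 Jul 2001 10:19:38 -0400
Received: from srv1.promotional.com.br ([200.218.149.34]) by rly-xb01.mx.aol.com (v79.20) with ESMTP id MAILRELAYINXB12-0727101718; Fri, 27 Jul 2001 10:17:18 -0400
Received: from redepromo60.promotional.com.br (estacao60.promotional.com.br [192.168.1.60]) by srv1.promotional.com.br (8.9.3/8.8.7) with SMTP id MAA05808 for <recipient@example.invalid>; Fri, 27 Jul 2001 12:36:58 -0300
Subject: COBRA~37
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="COBRA~37.DOC.lnk"

--b1--
"""
STOCK_LINES = {  # the four stock sentences in the IS department memo
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I sendo you",
    "This is the file with the information that you ask for",
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def received_ips(raw: str) -> list:
    """IPs in the Received chain, latest hop first, for comparing across copies."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    return [ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(h)]

def sircam_indicators(raw: str) -> list:
    """Which of the memo's tell-tale signs the message shows (empty list = none)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    body = next((p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain"), "")
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    subject = (msg["Subject"] or "").strip()
    checks = [
        ("subject names the attachment", bool(subject) and any(subject in n for n in names)),
        ("first line", bool(lines) and lines[0] == "Hi! How are you?"),
        ("last line", bool(lines) and lines[-1] == "See you later. Thanks"),
        ("stock body sentence", bool(STOCK_LINES.intersection(lines))),
    ]
    return [label for label, ok in checks if ok]
```

The innermost Received line is the one worth comparing between copies: here it shows the message leaving a workstation on a private address before the relay handed it to the recipient's provider.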

R. Brian Lindahl
Jul 29, 2001, 2:23:02 PM

Interesting - one of the copies I got was also from "junior". The others
were from "Sunflag (T) Ltd [sunf...@habari.co.tz]".

brian

"Clay Shannon" <bclays...@earthlink.net> wrote in message

news:3b619344_2@dnews...
