000018964 - The virus: W32/SirCam@MM can cause Progress clients to fail with the following errors:You have not supplied a parameter for argument . (1403) and ** This version of PROGRESS requires a start up procedure (495)

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000018964
Applies ToRSA ACE/Server
IssueThe virus: W32/SirCam@MM can cause Progress clients to fail with the following errors:You have not supplied a parameter for argument <ARG>. (1403) and ** This version of PROGRESS requires a start up procedure (495)
You have not supplied a parameter for argument <ARG>. (1403)
** This version of PROGRESS requires a start up procedure (495)
CauseVirus: W32/SirCam.Worm@MM causes 495 error
ResolutionThe virus: W32/SirCam@MM can cause Progress
clients to fail with the following errors:
  You have not supplied a parameter for argument <ARG>. (1403)
** This version of PROGRESS requires a start up procedure (495)

EXPLANATION:
The connection between Progress and this virus is that the virus
can contaminate Progress files and executes itself each time an .exe
file is started. After the virus is cleaned from the pc, the program
should be able to run without any error messages again. However it may
be nessesary to reinstall corrupt programs or restore files from
backup (a virusfree backup!).

SOLUTION:
Get the latest antivirus updates for your virusscanner and make sure
it detects the SirCam virus. Read the instructions on how to remove
the virus carefully.

Information about SirCam Virus:
This worm copies itself to the \TEMP\ and \RECYCLED\  directory which
are often excluded from scanning. Thenembeds itself in random
Microsoft Office files(.doc, .xls) and .zip files before sending
itself and an attachment to all names in the victim?s email address
book.

Besides putting confidential documents at risk, the worm can delete
files and degrade the performance of infected PCs on October 16.
October 16 is said to be the worm?s ?payload trigger?, a condition
such as a date, the execution of certain programs or even the
availability of an Internet connection that causes a worm or virus to
activate its malicious activity. There's a chance that the worm will
delete all files and directories on the infected hard drive. However,
this will only occur on systems using D/M/Y as the date format.
There's also a chance that it will fill all remaining space on the
hard disk by adding text to the file c:\recycled\sircam.sys at each
startup.

Unfortunately, W32/SirCam.Worm@mm is difficult to detect from the
subject line which will be the file name of the attached document or
its message.

The latter, however, will be semi-random, containing either "Hola como
estas?" or "Hi! How are you?" as the opening line, and "Nos vemos
pronto, gracias" or "See you later. Thanks" as the last line,
depending on whether the English or Spanish version of the virus is
received.

IMPORTANT: Sircam infects other PCs by sending infected e-mail
attachments, but also through shared folders on networked machines.
In order to avoid infection after your machine has been cleaned it is
adviced to allow only read-only access to shared folder.

Legacy Article IDa4404

Attachments

    Outcomes