I-Worm/Sircam.A (commonly known as the Sircam worm) is a legacy mass-mailing computer worm that heavily targeted Windows systems by spreading through email attachments and shared network drives. It is notorious for hijacking the computer’s registry execution keys, meaning that simply deleting the virus file will break Windows and prevent any executable (.exe) programs from opening.
Because Sircam is an older threat, modern security tools handle it automatically, but cleaning an infection manually requires repairing the Windows registry first. Below is the comprehensive, step-by-step cleanup guide to safely remove the worm and restore your system.
Step 1: Isolate Your Computer
Worms are designed to actively spread across networks.
Disconnect from the internet: Unplug your Ethernet cable and turn off Wi-Fi.
Disconnect local shares: Unplug any external hard drives or flash drives, and disconnect from local home networks (LAN) to prevent the worm from copying itself to other devices.
Step 2: Fix the Windows Executable (.exe) Registry Key
Sircam modifies the exefile registry key so that every time you run an .exe file, the virus runs first. If you try to run an antivirus tool before fixing this, the tool will either fail to open or run the virus instead.
Click Start, type command or cmd into the search bar, right-click Command Prompt, and select Run as Administrator.
To restore the default Windows behavior for running programs, type the following command exactly and press Enter:
reg add "HKCR\exefile\shell\open\command" /ve /t REG_SZ /d "\"%1\" %*" /f
(If you save this command in a .bat file instead of typing it at the prompt, double each percent sign: %%1 and %%*.)
(Alternative Method) If Command Prompt will not open, copy the regedit.exe utility located in your C:\Windows folder, paste it onto your desktop, and rename it to regedit.com. Launching the .com version will bypass the broken .exe association, allowing you to manually navigate to HKEY_CLASSES_ROOT\exefile\shell\open\command and change the (Default) value data back to "%1" %* (including the quotation marks around %1).
Step 3: Delete the Worm’s Startup Entries
Sircam alters system initialization files to ensure it boots up with Windows.
Press Windows Key + R to open the Run dialog box, type regedit, and press Enter.
Navigate to the following path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Look for any values pointing to SirC32.exe or suspicious files in the Sircam folder. Right-click and Delete them.
Navigate to C:\ and check if you have an autoexec.bat file. Open it with Notepad and delete any line that reads @win \recycled\SirC32.exe. Save and close the file.
Step 4: Boot into Safe Mode
Booting into Safe Mode prevents residual malware processes from loading into your computer’s active memory.
Restart your computer.
As it boots up, continuously tap the F8 key (on legacy systems) or hold Shift while clicking Restart in the Windows Power Menu to access Advanced Startup Options. Select Safe Mode.
Step 5: Run a Deep Malware Scan
Now that the .exe file association is repaired, you can use automated tools to remove the worm’s files from disk.
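To confirm that Steps 2 and 3 took effect, the following added example (not part of the original guide) audits saved output of reg query for the two registry locations named above, plus the text of autoexec.bat. The sample registry text, the value names ConstructedEntry and OtherApp, and the hijacked handler string are constructed for illustration.

```python
import re

EXPECTED_EXE_CMD = '"%1" %*'   # Windows default for exefile\shell\open\command
WORM_FILE = "sirc32.exe"       # file name given on this page, lower-cased
VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")

def parse_reg_query(text):
    """Parse saved `reg query` output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(3).strip()
        elif line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
    return keys

def audit(reg_text, autoexec_text=""):
    """Return findings for the three artifacts in Steps 2-3; [] means clean."""
    findings = []
    for key, values in parse_reg_query(reg_text).items():
        k = key.lower()
        if k.endswith(r"exefile\shell\open\command"):
            data = values.get("(Default)")
            if data != EXPECTED_EXE_CMD:
                findings.append(f"exefile handler is {data!r}")
        elif k.endswith(r"currentversion\run"):
            findings += [f"Run value {n!r} -> {d!r}"
                         for n, d in values.items() if WORM_FILE in d.lower()]
    for n, line in enumerate(autoexec_text.splitlines(), 1):
        if WORM_FILE in line.lower():
            findings.append(f"autoexec.bat line {n}: {line.strip()!r}")
    return findings

# Constructed sample input (not captured from a real system).
INFECTED_REG = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "C:\recycled\SirC32.exe" "%1" %*

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ConstructedEntry    REG_SZ    C:\recycled\SirC32.exe
    OtherApp    REG_SZ    "C:\Program Files\OtherApp\app.exe" /tray
'''
INFECTED_AUTOEXEC = "@echo off\n@win \\recycled\\SirC32.exe\n"

if __name__ == "__main__":
    for finding in audit(INFECTED_REG, INFECTED_AUTOEXEC):
        print(finding)
```

An empty result from audit() on your own saved output means the .exe handler holds the default value and neither the Run key nor autoexec.bat still references SirC32.exe.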