@ECHO off
ECHO RMSIRC.BAT -- W32/Sircam-A virus removal utility
ECHO Version 1.30
ECHO Copyright (c) 2001, Sophos Plc, www.sophos.com
ECHO:
REM If received as a text file rename to RMSIRC.BAT.
REM Run by typing RMSIRC.BAT at a command prompt or double-clicking this file.
REM Must have write access to %windir%

REM Build a .reg file that overwrites the worm's registry values and
REM restores the default handler for .exe files.
ECHO REGEDIT4>%windir%\sirc.reg
ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]>>%windir%\sirc.reg
ECHO "Driver32"="Overwritten when removing W32/Sircam-A, please delete.">>%windir%\sirc.reg
ECHO [HKEY_CLASSES_ROOT\exefile\shell\open\command]>>%windir%\sirc.reg
ECHO @="\"%%1\" %%*">>%windir%\sirc.reg
ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\SirCam]>>%windir%\sirc.reg
ECHO "FB1B"="Overwritten when removing W32/Sircam-A, please delete.">>%windir%\sirc.reg
ECHO "FB1BA"="Overwritten when removing W32/Sircam-A, please delete.">>%windir%\sirc.reg
ECHO "FB1BB"="Overwritten when removing W32/Sircam-A, please delete.">>%windir%\sirc.reg
ECHO "FC0"="Overwritten when removing W32/Sircam-A, please delete.">>%windir%\sirc.reg
ECHO "FC1"="Overwritten when removing W32/Sircam-A, please delete.">>%windir%\sirc.reg
ECHO "FC9"="Overwritten when removing W32/Sircam-A, please delete.">>%windir%\sirc.reg
ECHO "FD1"="Overwritten when removing W32/Sircam-A, please delete.">>%windir%\sirc.reg
ECHO "FD2"="Overwritten when removing W32/Sircam-A, please delete.">>%windir%\sirc.reg
ECHO "FD3"="Overwritten when removing W32/Sircam-A, please delete.">>%windir%\sirc.reg
ECHO "FD7"="Overwritten when removing W32/Sircam-A, please delete.">>%windir%\sirc.reg

REM Run REGEDIT as a .COM copy so that the import does not go through the
REM exefile open command, which is only reset by the import itself.
ECHO Copying REGEDIT.EXE to REGEDIT.COM
COPY %windir%\regedit.exe %windir%\regedit.com > NUL
ECHO Removing viral entries from registry
start /w %windir%\regedit.com /s %windir%\sirc.reg
ECHO Cleaning up REGEDIT.COM
DEL %windir%\regedit.com

ECHO Attempting to remove worm files
if exist %windir%\system\scam32.exe ATTRIB -H %windir%\system\scam32.exe
if exist %windir%\system\scam32.exe DEL %windir%\system\scam32.exe
if exist %windir%\system32\scam32.exe ATTRIB -H %windir%\system32\scam32.exe
if exist %windir%\system32\scam32.exe DEL %windir%\system32\scam32.exe
if exist c:\recycled\sirc32.exe ATTRIB -H c:\recycled\sirc32.exe
if exist c:\recycled\sirc32.exe DEL c:\recycled\sirc32.exe
if exist %TEMP%\sirc32.exe DEL %TEMP%\sirc32.exe
REM If run32.exe exists, delete the current rundll32.exe and rename run32.exe
REM back to rundll32.exe. RENAME takes a bare file name as its second argument.
if exist %windir%\run32.exe DEL %windir%\rundll32.exe
if exist %windir%\run32.exe rename %windir%\run32.exe rundll32.exe
if exist %windir%\scmx32.exe DEL %windir%\scmx32.exe
REM Paths containing spaces are quoted as a whole.
if exist "%windir%\Start Menu\Programs\StartUp\Microsoft Internet Office.exe" DEL "%windir%\Start Menu\Programs\StartUp\Microsoft Internet Office.exe"
if exist "%USERPROFILE%\Start Menu\Programs\StartUp\Microsoft Internet Office.exe" DEL "%USERPROFILE%\Start Menu\Programs\StartUp\Microsoft Internet Office.exe"
if exist c:\recycled\Sircam.sys DEL c:\recycled\Sircam.sys

REM The following lines apply if Windows is installed to a drive other than C:
if exist %windir%\..\recycled\sirc32.exe ATTRIB -H %windir%\..\recycled\sirc32.exe
if exist %windir%\..\recycled\sirc32.exe DEL %windir%\..\recycled\sirc32.exe
if exist %windir%\..\recycled\Sircam.sys DEL %windir%\..\recycled\Sircam.sys

ECHO Removing working storage file
DEL %windir%\sirc.reg
ECHO :
ECHO Done - this machine should now be scanned with an up-to-date version of
ECHO Sophos Anti-Virus including the latest virus identity (IDE) files.