W32.Chir.B@mm is a mass-mailing worm that sends itself to all email addresses in a compromised user's Microsoft Outlook address book. It typically arrives as an email message with the following properties:

From: (one of the following)
- [USER NAME]@yahoo.com

Subject: [USER NAME] is coming!

Attachments:
The email message attempts to exploit the following vulnerabilities in order to automatically execute the message attachment:
- Microsoft Virtual Machine com.ms.activeX.ActiveXComponent Arbitrary Program Execution Vulnerability (BID 1754)
- Microsoft IE MIME Header Attachment Execution Vulnerability (BID 2524)
Once executed, the worm will copy itself as the following file with the Hidden, System, and Read-Only file attributes set:
It then creates the following registry entry so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Runonce" = "C:\WINDOWS\SYSTEM\runouce.exe"
The worm then enumerates network resources and attempts to access and modify files.
The worm uses its own SMTP engine and sends all mail through a single, static SMTP relay (btamail.net.cn). It gathers email addresses by searching the Windows Address Book and files with the following extensions:
On the first of every month, upon startup, the worm attempts to overwrite the first 1,234 bytes of files with the above-referenced extensions.
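The persistence entry and the hard-coded relay described above give a defender two host- and network-side indicators. The following is an added example, not part of the original write-up: it runs simple detection rules over a handful of constructed, Sysmon-like events (the `id=13` registry-write and `id=3` network-connection layout, the host names and the allowlist of mail clients are all assumptions) and flags a Run-key value pointing at runouce.exe, any SMTP session to btamail.net.cn, and SMTP traffic from a process that is not a known mail client, which is what a worm carrying its own SMTP engine looks like on the wire.

```python
import re

# Indicators taken from the write-up: the Run-key dropper name and the static relay.
WORM_DROPPER = "runouce.exe"
WORM_RELAY = "btamail.net.cn"
RUN_KEY = "\\Microsoft\\Windows\\CurrentVersion\\Run\\"
# Assumed allowlist of workstation processes that legitimately speak SMTP.
MAIL_CLIENTS = {"outlook.exe"}

# Constructed sample events, not real telemetry. The field layout
# (timestamp, then key=value pairs) is an assumed, simplified Sysmon-like format.
SAMPLE_EVENTS = [
    "2002-11-01T08:00:01 host=WS17 id=13 "
    "target=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Runonce "
    "details=C:\\WINDOWS\\SYSTEM\\runouce.exe",
    "2002-11-01T08:00:02 host=WS17 id=3 image=C:\\WINDOWS\\SYSTEM\\runouce.exe "
    "dst=btamail.net.cn dport=25",
    "2002-11-01T08:05:00 host=WS17 id=3 image=C:\\Program Files\\Outlook\\outlook.exe "
    "dst=mail.example.internal dport=25",
    "2002-11-01T09:00:00 host=WS22 id=13 "
    "target=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater "
    "details=C:\\Program Files\\Vendor\\updater.exe",
]

# key=value pairs; a value runs until the next " key=" or end of line,
# so paths containing spaces ("Program Files") survive intact.
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Split one event line into a dict of fields plus its timestamp."""
    ts, _, rest = line.partition(" ")
    event = dict(_KV.findall(rest))
    event["ts"] = ts
    return event


def basename(path):
    """Last path component, lower-cased, for case-insensitive comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return the list of rule names this single event triggers."""
    findings = []
    if event.get("id") == "13":
        target = event.get("target", "")
        if RUN_KEY.lower() in target.lower() and basename(event.get("details", "")) == WORM_DROPPER:
            findings.append("run-key persistence to runouce.exe")
    elif event.get("id") == "3" and event.get("dport") == "25":
        if event.get("dst", "").lower() == WORM_RELAY:
            findings.append("SMTP to known Chir.B relay")
        if basename(event.get("image", "")) not in MAIL_CLIENTS:
            findings.append("SMTP from non-mail-client process")
    return findings


def scan(lines):
    """Run every rule over every event; return (host, timestamp, rule) triples."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for finding in check_event(event):
            alerts.append((event["host"], event["ts"], finding))
    return alerts


if __name__ == "__main__":
    for host, ts, rule in scan(SAMPLE_EVENTS):
        print(f"{ts} {host}: {rule}")
```

The third rule is the one that generalises beyond this worm: any process other than the configured mail client opening port 25 outbound is worth a look, because a self-contained SMTP engine is the defining trait of the mass-mailer family, whichever relay a given variant happens to use.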
The worm searches through all local and mapped drives to infect files with the following extensions:
It creates the following file which is a MIME encoded version of the virus to infect HTML files:
The worm will also attempt to infect PE files by appending itself to the last section of the host file. Executing any infected file causes the virus to load itself into memory and start its mass-mailing routine.
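An infector that appends itself to the last section and then has to gain control leaves a structural trace in the PE headers. The following added example (not code from the original write-up) parses the COFF and section headers with nothing but `struct` and applies the classic appending-infector heuristic, which goes beyond what the page states: the entry point now lies in the last section, and that section is executable without being marked as code. The two sample images are constructed in-line by `build_pe` (headers only, no real machine code) so the check runs offline; the heuristic is a triage signal, not proof, because packers and some linkers produce the same layout.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)      # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def appended_code_suspicion(data):
    """Heuristic: list reasons the image looks like an appending infector's host."""
    entry, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    last = sections[-1]
    span = max(last["vsize"], last["rawsize"])
    entry_in_last = last["vaddr"] <= entry < last["vaddr"] + span
    reasons = []
    if entry_in_last and len(sections) > 1:
        reasons.append(f"entry point 0x{entry:x} lies in last section {last['name']}")
    if entry_in_last and (last["chars"] & IMAGE_SCN_MEM_EXECUTE) \
            and not (last["chars"] & IMAGE_SCN_CNT_CODE):
        reasons.append(f"last section {last['name']} is executable but not marked as code")
    return reasons


def build_pe(entry_rva, sections):
    """Constructed minimal PE (headers only) for testing; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples. CLEAN: entry in .text. INFECTED: the last section has grown
# and been made executable, and the entry point now points into it.
CLEAN = build_pe(0x1100, [
    (b".text", 0x800, 0x1000, 0x800, 0x400, 0x60000020),
    (b".data", 0x200, 0x2000, 0x200, 0xC00, 0xC0000040),
])
INFECTED = build_pe(0x2210, [
    (b".text", 0x800, 0x1000, 0x800, 0x400, 0x60000020),
    (b".data", 0x1400, 0x2000, 0x1400, 0xC00, 0xE0000040),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, appended_code_suspicion(image) or ["nothing suspicious"])
```

On real files, compare the result against a known-good copy of the same executable where one exists; an unchanged section table with a different entry point or last-section size is far stronger evidence than the heuristic alone.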
The worm creates the following mutex so only one instance of the worm is running: