
W32.Chir.B@mm

Risk Level 2: Low

Discovered:
July 29, 2002
Updated:
July 30, 2002 7:47:41 PM
Also Known As:
Win32.Chir.B [Computer Associates], W32/Chir-B [Sophos], Runouce [F-Secure], PE_CHIR.B [Trend]
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Chir.B@mm is a mass mailing worm that sends itself to all email addresses in a compromised user's Microsoft Outlook address book. It typically arrives as an email message with the following properties:
From:
(One of the following)
  • [USER NAME]@yahoo.com
  • imissyou@btamail.net.cn
Subject: [USER NAME] is coming!
Attachments: PP.exe

The email message attempts to exploit the following vulnerabilities in order to automatically execute the message attachment:
  • Microsoft Virtual Machine com.ms.activeX.ActiveXComponent Arbitrary Program Execution Vulnerability (BID 1754)
  • Microsoft IE MIME Header Attachment Execution Vulnerability (BID 2524)

Once executed, the worm will copy itself as the following file with the Hidden, System, and Read-Only file attributes set:
C:\WINDOWS\SYSTEM\runouce.exe

It then creates the following registry entry so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Runonce" = "C:\WINDOWS\SYSTEM\runouce.exe"

The worm then enumerates network resources and attempts to access and modify files.

The worm utilizes its own SMTP engine through a single static SMTP relay (btamail.net.cn). It gathers email addresses by searching the Windows Address Book and the following file extensions:
  • .adc
  • r.db
  • .doc
  • .xls
On the first day of every month, upon startup, the worm attempts to overwrite the first 1,234 bytes of files with the above-referenced extensions.

The worm searches through all local and mapped drives to infect files with the following extensions:
  • .htm
  • .html
  • .exe
  • .scr

To infect HTML files, it creates the following file, a MIME-encoded copy of the worm:
Readme.eml

Readme.eml is created in the same folder as the HTML file. The HTML file is modified so that Readme.eml is opened when the HTML file is viewed, if JavaScript execution is enabled.

The worm also attempts to infect PE files by appending itself to the last section of the host file. Executing any infected file causes the worm to load itself into memory and start its mass-mailing routine.

The worm creates the following mutex so only one instance of the worm is running:
ChineseHacker-2
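As an added defender-side check, not part of the Symantec writeup, the following Python script triages artifacts collected from a host for the persistence and infection markers described above: a .reg export of the Run key, a file listing with Win32 attribute bits, and HTML file contents. All sample inputs are constructed; the exact markup the worm injects into HTML files is not given on the page, so the HTML check matches any reference to Readme.eml.

```python
import re

# Indicators taken from the writeup; attribute bits are the Win32 FILE_ATTRIBUTE_* values.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILE = r"C:\WINDOWS\SYSTEM\runouce.exe"
ATTR_READONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x1, 0x2, 0x4
EML_REF = re.compile(r"readme\.eml", re.IGNORECASE)

def run_key_findings(reg_export: str) -> list:
    """Return (value name, command) pairs under the Run key that launch runouce.exe."""
    findings, section = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # current key path in the .reg export
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and section and section.lower() == RUN_KEY.lower():
            name, value = m.groups()
            if "runouce.exe" in value.lower():
                findings.append((name, value.replace("\\\\", "\\")))  # undo .reg escaping
    return findings

def dropped_file_findings(listing: dict) -> list:
    """listing maps path -> attribute bitmask; report the dropped copy and whether the
    Hidden, System and Read-Only attributes described in the writeup are all set."""
    want = ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM
    out = []
    for path, attrs in listing.items():
        if path.lower() == DROPPED_FILE.lower():
            state = "hidden+system+readonly" if attrs & want == want else f"attrs=0x{attrs:x}"
            out.append(f"{path} present ({state})")
    return out

def html_infected(html: str) -> bool:
    """A modified HTML file references Readme.eml in its own folder."""
    return EML_REF.search(html) is not None

# Constructed sample artifacts for a stand-alone run.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Runonce"="C:\\WINDOWS\\SYSTEM\\runouce.exe"
"Updater"="C:\\Program Files\\Tool\\tool.exe"
"""
SAMPLE_LISTING = {r"C:\WINDOWS\SYSTEM\runouce.exe": 0x7, r"C:\WINDOWS\notepad.exe": 0x20}
SAMPLE_HTML = '<html><script>window.open("readme.eml")</script></html>'

if __name__ == "__main__":
    print(run_key_findings(SAMPLE_REG), dropped_file_findings(SAMPLE_LISTING),
          html_infected(SAMPLE_HTML))
```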
Writeup By: Yana Liu