
W32.Chod.B@mm

Risk Level 2: Low

Discovered: April 2, 2005
Updated: February 13, 2007 12:36:16 PM
Also Known As: Win32.Nochod.B [Computer Assoc, Backdoor.Win32.Landis.1121 [Ka, W32/Generic.m [McAfee], W32/Chode-B [Sophos], WORM_CHOD.B [Trend Micro]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Chod.B@mm is a mass-mailing worm that also propagates using MSN Messenger. The worm has back door capabilities and can be controlled through IRC channels. It also overwrites the Hosts file to block access to several Web sites.




Follow the instructions for your operating system:
  • Windows 95/98/Me/NT/2000
    1. Click Start, point to Find or Search, and then click Files or Folders.
    2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
    3. In the "Named" or "Search for..." box, type:

      hosts

    4. Click Find Now or Search Now.
    5. For each Hosts file that you find, right-click the file, and then click Open With.
    6. Deselect the "Always use this program to open this program" check box.
    7. Scroll through the list of programs and double-click Notepad.
    8. When the file opens, delete all the entries that reference the Web sites listed in Step 15 of the "Technical Details" section.
    9. Close Notepad and save your changes when prompted.

  • Windows XP
    1. Click Start > Search.
    2. Click All files and folders.
    3. In the "All or part of the file name" box, type:

      hosts

    4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
    5. Click More advanced options.
    6. Check Search system folders.
    7. Check Search subfolders.
    8. Click Search.
    9. Click Find Now or Search Now.
    10. For each Hosts file that you find, right-click the file, and then click Open With.
    11. Deselect the "Always use this program to open this program" check box.
    12. Scroll through the list of programs and double-click Notepad.
    13. When the file opens, delete all the entries that reference the Web sites listed in Step 15 of the "Technical Details" section.
    14. Close Notepad and save your changes when prompted.
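
The same clean-up expressed as a script, as an added example that is not part of the original writeup: it removes Hosts entries that name a listed site and leaves every other line alone. The site names and the sample file are constructed placeholders, because the list from Step 15 of "Technical Details" is not reproduced on this page.

```python
# Added example: clean worm-inserted entries out of Hosts file text.
# BLOCKED_SITES is a constructed placeholder; the real list is in Step 15 of
# the "Technical Details" section, which is not reproduced here.
BLOCKED_SITES = {"av-vendor.example", "updates.av-vendor.example"}


def clean_hosts(text, blocked=BLOCKED_SITES):
    """Return (cleaned_text, removed_lines) for the given Hosts file content."""
    blocked = {name.lower().rstrip(".") for name in blocked}
    kept, removed = [], []
    for line in text.splitlines():
        # Everything after '#' is a comment; the mapping precedes it.
        body, sep, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2:
            kept.append(line)          # blank, comment-only or malformed line
            continue
        address, names = fields[0], fields[1:]
        good = [n for n in names if n.lower().rstrip(".") not in blocked]
        if len(good) == len(names):
            kept.append(line)          # nothing on this line is in the list
            continue
        removed.append(line)
        if good:
            # Line also maps names that are not in the list: keep those.
            rebuilt = address + "\t" + " ".join(good)
            if sep:
                rebuilt += " #" + comment
            kept.append(rebuilt)
    return "\n".join(kept) + "\n", removed


# Constructed sample Hosts file content.
SAMPLE = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
127.0.0.1       av-vendor.example
127.0.0.1       UPDATES.AV-VENDOR.EXAMPLE intranet.example  # mixed line
10.0.0.5        fileserver
"""

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE)
    print(cleaned)
    print("Removed or rewritten:", len(removed))
```

Review the returned list of removed lines before writing the cleaned text back, and keep a copy of the original Hosts file.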


Antivirus Protection Dates

  • Initial Rapid Release version April 2, 2005
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version April 2, 2005
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date April 6, 2005

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High
Writeup By: Hiroshi Shinotsuka
