
W32.Chir@mm

Risk Level 2: Low

Discovered: June 8, 2002
Updated: February 13, 2007 11:54:44 AM
Also Known As: W32.Chier@mm
Type: Worm
Systems Affected: Windows

W32.Chir@mm is a mass-mailing worm. It uses its own SMTP engine to send itself to email addresses. The worm uses one static SMTP server, which means that if that server is not running, the worm cannot spread.

The worm creates Runouce.exe (note the letter "u") in the %System% folder. Runouce.exe has the same form as the worm file that was originally received as an email attachment. The email message arrives with the following characteristics:

From: <username>@hotmail.com or iloveyou@btamail.net.cn
Subject: Hi, i am <username>
Attachments: P.exe
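
A mail-filter check for the message traits listed above, as an added example (it is not Symantec's detection logic). The rule that subject and attachment must both match, and the comparison of the subject's <username> with the From local part, are assumptions of this example; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Traits taken from the writeup above.
FIXED_SENDER = "iloveyou@btamail.net.cn"
SUBJECT_RE = re.compile(r"^Hi,\s*i am (\S+)$", re.IGNORECASE)
ATTACHMENT_NAME = "p.exe"

def chir_traits(raw_message):
    """Return the set of W32.Chir@mm message traits found in a raw message."""
    msg = message_from_string(raw_message)
    traits = set()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = sender.partition("@")
    if sender == FIXED_SENDER or domain == "hotmail.com":
        traits.add("sender")
    match = SUBJECT_RE.match((msg.get("Subject") or "").strip())
    if match:
        traits.add("subject")
        # Assumption: <username> in the subject equals the From local part.
        if match.group(1).lower() == local:
            traits.add("subject_matches_sender")
    # Walk every MIME part so nested attachments are also inspected.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT_NAME:
            traits.add("attachment")
    return traits

def looks_like_chir(raw_message):
    """Flag only when subject and attachment both match (assumed policy):
    a hotmail.com sender on its own is far too common to act on."""
    return {"subject", "attachment"} <= chir_traits(raw_message)

def build_sample(sender, subject, filename):
    """Build a constructed test message; the attachment is harmless bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()
```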

W32.Chir@mm also searches across the network and accesses files on other computers. However, due to a bug, these files are not modified in any way.



If you open the message in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be executed automatically. Information about this vulnerability and a patch are available at:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

NOTE: Definitions dated prior to June 11, 2002 will detect this as W32.Chier@mm.

Antivirus Protection Dates

  • Initial Rapid Release version June 8, 2002
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version June 8, 2002
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date June 8, 2002
Writeup By: Cary Ng
