1. Symantec/
  2. Security Response/
  3. W32.Chir@mm


Risk Level 2: Low

June 8, 2002
February 13, 2007 11:54:44 AM
Also Known As:
Systems Affected:

W32.Chir@mm is a mass-mailing worm. It uses its own SMTP engine to send itself to email addresses. The SMTP server that the worm uses is a static one, which means that if a specific SMTP server is not running, the worm cannot spread.

The worm creates Runouce.exe (note the letter "u") in the %System% folder. Runouce.exe has the same form as the worm file that was originally received as an email attachment. The email message arrives with the following characteristics:

From: <username>@hotmail.com or iloveyou@btamail.net.cn
Subject: Hi, i am <username>
Attachments: P.exe

W32.Chir@mm also searches across the network and accesses files on other computers. However, due to a bug, these files are not modified in any way.

If you open the message in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be executed automatically. Information about this vulnerability and a patch are available at:

NOTE: Definitions dated prior to June 11, 2002 will detect this as W32.Chier@mm.

Antivirus Protection Dates

  • Initial Rapid Release version June 8, 2002
  • Latest Rapid Release version December 30, 2017 revision 020
  • Initial Daily Certified version June 8, 2002
  • Latest Daily Certified version December 31, 2017 revision 008
  • Initial Weekly Certified release date June 8, 2002
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Cary Ng

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube