W32.Chir@mm is a mass-mailing worm. It uses its own SMTP engine to send itself to email addresses. The SMTP server that the worm uses is a static one, which means that if a specific SMTP server is not running, the worm cannot spread.
The worm creates Runouce.exe (note the letter "u") in the %System% folder. Runouce.exe has the same form as the worm file that was originally received as an email attachment. The email message arrives with the following characteristics:
Subject: Hi, i am <username>
W32.Chir@mm also searches across the network and accesses files on other computers. However, due to a bug, these files are not modified in any way.
If you open the message in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be executed automatically. Information about this vulnerability and a patch are available at:
Definitions dated prior to June 11, 2002 will detect this as W32.Chier@mm.
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.