Worm:Win32/Chir.D@mm


First posted on 08 January 2013.
Source: Microsoft

Aliases:

Worm:Win32/Chir.D@mm is also known as Win32/Chir.B@mm (AVG), W32.Chir.B@mm (Symantec), W32/Chir.B (Avira), W32/Chir-B (Sophos), Worm.Chir!292A (Rising AV), WORM_CHIR.DI (Trend Micro).

Explanation:

When run, the worm drops a copy of itself as "runouce.exe" into the <system folder>. The name is a near-miss of runonce.exe, a legitimate Windows component, so it is easy to overlook in a directory listing.

Note: <system folder> is a variable location that the malware determines by querying the operating system. By default it is "C:\WinNT\System32" on Windows NT and 2000, and "C:\Windows\System32" on Windows XP, Vista, 7 and 8.

Worm:Win32/Chir.D@mm modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Runonce"
With data: "<system folder>\runouce.exe"

The value name "Runonce" likewise mimics the legitimate RunOnce subkey that sits alongside Run. A value named "Runonce" under the Run key whose data points at runouce.exe is a direct indicator of this worm.
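The following is an added example and not part of Microsoft's write-up: a Python check that parses the text produced by "reg export" of the Run key (a constructed sample export is embedded, with the SecurityHealth and Updater entries made up) and flags the persistence entry described above. Because the worm's file name is one character away from the legitimate runonce.exe, the check also flags any Run target whose file name is a single edit away from a legitimate Windows binary name; the list of legitimate names is an assumption for the example and should be extended for real hunting.

```python
import re
from typing import List, Tuple

# Legitimate Windows binary names that malware commonly imitates.  This list is
# an assumption made for the example; runonce.exe is a genuine Windows component
# and is what the worm's "runouce.exe" resembles.
LEGIT_BINARIES = sorted({"runonce.exe", "rundll32.exe", "svchost.exe",
                         "explorer.exe", "userinit.exe", "ctfmon.exe"})

# Indicator taken directly from the write-up above.
KNOWN_IOC_NAMES = {"runouce.exe"}

# One "Name"="Data" line of a .reg export.  Data may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

# Constructed sample of what "reg export" of the Run key might produce on an
# infected host.  The SecurityHealth and Updater entries are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="\"C:\\Windows\\System32\\SecurityHealthSystray.exe\""
"Runonce"="C:\\Windows\\System32\\runouce.exe"
"Updater"="C:\\Users\\Public\\svch0st.exe /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\Windows\\System32\\runonce.exe"
'''


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short file names, so O(len*len) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reg_basename(data: str) -> str:
    """Lower-cased executable file name taken from a Run value's data string."""
    data = re.sub(r'\\(.)', r'\1', data).strip()      # undo .reg escaping (\\ and \")
    if data.startswith('"'):                          # "C:\path with spaces\x.exe" args
        path = data[1:].split('"', 1)[0]
    else:                                             # C:\path\x.exe args
        path = data.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (value name, executable name, reason) for suspicious Run entries.

    Only the ...\CurrentVersion\Run key is inspected; sibling keys such as
    RunOnce are skipped so that the legitimate runonce.exe there is not flagged.
    """
    hits = []
    in_run_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):                      # a new key header
            in_run_key = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        m = VALUE_RE.match(line) if in_run_key else None
        if not m:
            continue
        name, exe = m.group("name"), reg_basename(m.group("data"))
        if exe in KNOWN_IOC_NAMES:
            hits.append((name, exe, "known Win32/Chir indicator"))
            continue
        for legit in LEGIT_BINARIES:
            if exe != legit and edit_distance(exe, legit) == 1:
                hits.append((name, exe, f"near-miss of legitimate {legit}"))
                break
    return hits


if __name__ == "__main__":
    for name, exe, reason in suspicious_run_entries(SAMPLE_REG):
        print(f"{name!r} -> {exe}: {reason}")
```

Run it against the output of "reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg" (saved as UTF-8) on the host under investigation; the HKCU Run key and the Wow6432Node copies are worth exporting and checking the same way.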

When run, Worm:Win32/Chir.D@mm searches all files on the computer's hard drives and on any connected USB drives for email addresses. It then sends an email to each address found, attaching a copy of itself under the file name "pp.exe".

The emails use the following format:

  • Subject: <username> is coming!
  • From (actual sender address): <username>@btamail.net.cn
  • From (as displayed to the recipient): <username>@yahoo.com
  • Attachment: pp.exe
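The following is an added example and not part of Microsoft's write-up: a Python mail-filter check that looks for the four traits listed above in a raw RFC 5322 message. It assumes the "actual" sender address is the SMTP envelope sender, which a receiving MTA records in the Return-Path header, while the disguised address is the one in the From header. The message builder constructs a sample in that format (the body text and the fake PE bytes are made up) so that the check can be run offline.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage
from typing import List

# Indicators taken from the write-up above.
ENVELOPE_DOMAIN = "btamail.net.cn"   # actual sender (SMTP envelope, Return-Path)
DISPLAYED_DOMAIN = "yahoo.com"       # disguised sender (From header)
SUBJECT_SUFFIX = " is coming!"
ATTACHMENT_NAME = "pp.exe"


def build_sample(username: str = "alice", attach_name: str = ATTACHMENT_NAME) -> bytes:
    """Constructed message in the format described above (body text is made up).

    Return-Path is assumed to hold the envelope sender as a receiving MTA would
    record it; the From header carries the disguised yahoo.com address.
    """
    msg = EmailMessage()
    msg["Return-Path"] = f"<{username}@{ENVELOPE_DOMAIN}>"
    msg["From"] = f"{username}@{DISPLAYED_DOMAIN}"
    msg["To"] = "victim@example.com"
    msg["Subject"] = f"{username}{SUBJECT_SUFFIX}"
    msg.set_content("see attachment")
    # A fake PE header stands in for the worm body.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


def chir_mail_indicators(raw: bytes) -> List[str]:
    """Return the Chir-style indicators found in a raw message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject", ""))
    if subject.rstrip().endswith(SUBJECT_SUFFIX):
        findings.append("subject matches '<username>" + SUBJECT_SUFFIX + "'")

    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    env_addr = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    from_dom = from_addr.rpartition("@")[2]
    env_dom = env_addr.rpartition("@")[2]
    if env_dom == ENVELOPE_DOMAIN:
        findings.append(f"envelope sender domain {ENVELOPE_DOMAIN}")
    # A header/envelope domain mismatch is the generic form of the disguise.
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"From header domain {from_dom} does not match "
                        f"envelope sender domain {env_dom}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT_NAME:
            findings.append(f"attachment {ATTACHMENT_NAME}")
        elif name.endswith((".exe", ".scr", ".pif")):
            findings.append(f"executable attachment {name}")
    return findings


def looks_like_chir(raw: bytes) -> bool:
    """Treat two or more independent indicators as a match."""
    return len(chir_mail_indicators(raw)) >= 2


if __name__ == "__main__":
    for line in chir_mail_indicators(build_sample()):
        print(line)
```

The domain-mismatch rule fires on legitimate mailing lists and forwarders as well, which is why the decision is made on a count of indicators rather than on any single one.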


Some variants of Worm:Win32/Chir.D@mm infect all executable (.EXE) and screen saver (.SCR) files on local and remote drives, including network-shared folders. When an infected file is run, the worm's code runs as well.

Variants of the worm may also drop a copy of the worm named "readme.eml" into folders that contain webpage files (.HTM and .HTML), and add JavaScript to those webpage files that loads "readme.eml" automatically when the page is opened. On a browser that is not patched for Microsoft Security Bulletin MS01-020 (Internet Explorer running an e-mail attachment because of an incorrect MIME header), the executable embedded in readme.eml then runs without any user action. Because opening an altered page on a local disk or a network share is enough to start the worm again, the readme.eml copies and the script added to web content must be removed together with the worm itself.
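The following is an added example and not part of Microsoft's write-up: a Python scan that walks a directory tree and reports .htm/.html files that reference readme.eml, sit in a folder where a readme.eml has been dropped, or both. The write-up does not quote the worm's JavaScript, so the scan matches only the file name; the sample tree it builds (including the script tag in index.html) is constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

HTML_EXTS = {".htm", ".html"}
DROPPER_NAME = "readme.eml"                      # dropped file name from the write-up
EML_REF_RE = re.compile(r"readme\.eml", re.IGNORECASE)


def find_eml_injections(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (path relative to root, reason) for HTML files that
    reference readme.eml and/or share a folder with a dropped readme.eml."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                           # deterministic traversal order
        has_dropper = DROPPER_NAME in {f.lower() for f in filenames}
        for fname in sorted(filenames):
            if Path(fname).suffix.lower() not in HTML_EXTS:
                continue
            path = os.path.join(dirpath, fname)
            try:
                text = Path(path).read_text(errors="ignore")
            except OSError:
                continue                          # unreadable file: skip, do not abort
            refs = EML_REF_RE.search(text) is not None
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if refs and has_dropper:
                hits.append((rel, "references readme.eml and dropper present"))
            elif refs:
                hits.append((rel, "references readme.eml (dropper missing or removed)"))
            elif has_dropper:
                hits.append((rel, "readme.eml present in same folder"))
    return hits


def build_sample_tree() -> str:
    """Constructed directory tree standing in for an infected web root.

    The script tag is a made-up stand-in; the write-up does not quote the
    worm's actual JavaScript.  The readme.eml content is a placeholder.
    """
    root = tempfile.mkdtemp(prefix="chir_demo_")
    site = Path(root, "site")
    site.mkdir()
    (site / "index.html").write_text(
        '<html><body>Welcome<script>window.open("readme.eml", null, '
        '"resizable=no,top=6000,left=6000")</script></body></html>')
    (site / "about.htm").write_text("<html><body>About us</body></html>")
    (site / "readme.eml").write_bytes(
        b"MIME-Version: 1.0\r\nContent-Type: multipart/alternative; boundary=x\r\n\r\n")
    docs = Path(root, "docs")
    docs.mkdir()
    (docs / "help.html").write_text("<html><body>No worm here</body></html>")
    return root


if __name__ == "__main__":
    for rel, reason in find_eml_injections(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Point find_eml_injections at a web root or a mounted share; an HTML file that references readme.eml while no dropper is present usually means a partial clean-up, and the page still needs its script removed.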

Related encyclopedia entries

Win32/Chir



Analysis by Justin Kim

Last update 08 January 2013

 
