Win32/Chir


Microsoft security software detects and removes this threat.

Win32/Chir is a family of malware with both a worm component and a virus component. The worm component spreads via email, and also by exploiting the vulnerability resolved in Microsoft Security Bulletin MS01-020. The virus component infects .EXE and .SCR files on local and remote drives. It has also been known to edit .HTM and .HTML files stored on your PC so that the virus runs when those files are opened.



What to do now

The following Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Threat behavior

The Win32/Chir worm component spreads as an attachment to a spam email. Once run, it does the following:

  • Drops a file named runouce.exe to <system folder>, which might be a copy of itself
  • Creates the following registry value so that its dropped file automatically runs every time Windows starts:
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Runonce"
    With data: "<system folder>\runouce.exe"
  • Sends a copy of itself as an attachment to email addresses it finds on local and remote drives. The following are examples of the spam email it uses:
    Sender: <NetBIOS name of local computer>@hotmail.com
    Subject: Hi,i am <NetBIOS name of local computer>
    Attachment: p.exe

    Sender: imissyou@btamail.net.cn
    Subject: <NetBIOS name of local computer> is coming!
    Attachment: PP.exe

Win32/Chir runs when the user opens the email attachment. It can also exploit the Incorrect MIME Header vulnerability discussed in Microsoft Security Bulletin MS01-020, which can cause an attachment to open automatically when the HTML-formatted email is read or previewed.

The Win32/Chir virus component does the following on both local and remote drives:

  • Infects .EXE and .SCR files
  • Drops a file named readme.eml in folders containing .HTM or .HTML files; this file is a copy of the spam email sent out by the worm component
  • Adds malicious JavaScript to the end of each of those .HTM and .HTML files; if JavaScript is enabled on your PC and you open one of these files, the script causes the readme.eml file to open automatically.
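The two file-system artefacts of the virus component (a readme.eml dropped next to HTML files, and script appended to the tail of .HTM/.HTML files that references that readme.eml) can be hunted for with a simple tree walk. The following is an added example written for this page, not code from Microsoft or from the threat entry. The page does not give the text of the appended script, so the regex only looks for a `<script>` block that mentions readme.eml near the end of the file; that pattern, the 4 KiB tail window, and the sample files built by `build_sample_tree` are all assumptions and constructed data, not real malware.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicator described on the page: JavaScript appended to the END of an
# .HTM/.HTML file that opens readme.eml. The exact script is not given on the
# page, so this regex is an assumption: any <script> block mentioning
# readme.eml. The virus appends, so only the tail of each file is inspected.
APPENDED_SCRIPT_RE = re.compile(
    rb"<script\b[^>]*>(?:(?!</script>).)*readme\.eml(?:(?!</script>).)*</script>",
    re.IGNORECASE | re.DOTALL,
)
TAIL_BYTES = 4096  # assumption: appended script sits within the last 4 KiB


def html_has_appended_script(path: Path) -> bool:
    """True if the tail of an HTML file holds a <script> block referencing readme.eml."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - TAIL_BYTES))
        tail = fh.read()
    return APPENDED_SCRIPT_RE.search(tail) is not None


def scan_tree(root: Path) -> list[tuple[str, str]]:
    """Walk root and return sorted (finding, path) pairs for Chir-style artefacts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names_lower = {f.lower() for f in files}
        has_html = any(f.endswith((".htm", ".html")) for f in names_lower)
        # The page says readme.eml is dropped in folders that contain HTML files,
        # so a readme.eml sitting beside .htm/.html files is reported on its own.
        if "readme.eml" in names_lower and has_html:
            findings.append(("readme.eml beside html", str(Path(dirpath) / "readme.eml")))
        for f in files:
            if f.lower().endswith((".htm", ".html")):
                p = Path(dirpath) / f
                if html_has_appended_script(p):
                    findings.append(("appended script", str(p)))
    return sorted(findings)


def build_sample_tree() -> Path:
    """Constructed sample data for the demo: one clean folder, one 'infected' folder.
    The script line and the readme.eml body are made up and harmless."""
    root = Path(tempfile.mkdtemp(prefix="chir_demo_"))
    clean = root / "clean"
    clean.mkdir()
    (clean / "index.html").write_bytes(b"<html><body><p>hello</p></body></html>\n")
    suspect = root / "suspect"
    suspect.mkdir()
    (suspect / "page.htm").write_bytes(
        b"<html><body><p>hello</p></body></html>\n"
        b"<script>/* constructed sample */ window.open('readme.eml');</script>\n"
    )
    (suspect / "readme.eml").write_bytes(b"From: demo\nSubject: constructed sample\n\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for finding, path in scan_tree(demo_root):
        print(f"{finding}: {path}")
```

Run it against a real share by calling `scan_tree(Path(r"\\server\share"))` instead of the sample tree; on a genuinely affected host, the .EXE/.SCR infections the page also describes are not covered by this check and need an antivirus scan.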

Symptoms

The following could indicate that you have this threat on your PC:

  • You see this entry in your registry:
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Runonce"
    With data: "<system folder>\runouce.exe"
  • You receive an email with the following details:
    Sender: <NetBIOS name of local computer>@hotmail.com
    Subject: Hi,i am <NetBIOS name of local computer>
    Attachment: p.exe

    Sender: imissyou@btamail.net.cn
    Subject: <NetBIOS name of local computer> is coming!
    Attachment: PP.exe
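The symptoms above boil down to two checkable indicators: the Run value whose data ends in runouce.exe, and mail whose subject, sender or attachment name matches the shapes listed. The following is an added example for this page, not Microsoft's tooling. It assumes the Run values are handed in as a name-to-data mapping (however they were collected, e.g. with winreg or a `reg export`) and that the mail is available as a raw RFC 822 string; the sample mail and registry data are constructed. Note that the value name "Runonce" is a plausible legitimate name, so the check keys on the runouce.exe filename, which is what the page actually lists.

```python
import re
from email import message_from_string

# Persistence indicator from the page.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def check_run_values(run_values: dict[str, str]) -> list[str]:
    """run_values: value name -> data under RUN_KEY (collection is the caller's job).
    Returns human-readable findings; the filename, not the value name, is the key signal."""
    findings = []
    for name, data in run_values.items():
        basename = data.strip('"').split("\\")[-1].lower()
        if basename != "runouce.exe":
            continue
        if name.lower() == "runonce":
            findings.append(f"{RUN_KEY}\\{name} = {data}")
        else:
            findings.append(f"runouce.exe autostart under value {name!r}: {data}")
    return findings


# Mail shapes from the page. <NetBIOS name> varies per host, so only the
# fixed parts of each subject are matched. The "... is coming!" subject on its
# own is a weak signal; treat the attachment name as the strong one.
SUBJECT_PATTERNS = [
    re.compile(r"^Hi,i am .+$", re.IGNORECASE),
    re.compile(r"^.+ is coming!$", re.IGNORECASE),
]
ATTACHMENT_NAMES = {"p.exe", "pp.exe"}
KNOWN_SENDER = "imissyou@btamail.net.cn"


def email_matches_chir(raw: str) -> list[str]:
    """Return the list of indicators from the page that a raw message matches."""
    msg = message_from_string(raw)
    reasons = []
    subject = msg.get("Subject", "")
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        reasons.append(f"subject pattern: {subject!r}")
    if msg.get("From", "").strip().lower() == KNOWN_SENDER:
        reasons.append(f"known sender: {KNOWN_SENDER}")
    for part in msg.walk():
        fn = part.get_filename()
        if fn and fn.lower() in ATTACHMENT_NAMES:
            reasons.append(f"attachment name: {fn}")
    return reasons


# Constructed sample message in the first shape listed on the page; the
# attachment body is four padding bytes, not an executable.
SAMPLE_EMAIL = """\
From: WORKSTATION1@hotmail.com
To: someone@example.com
Subject: Hi,i am WORKSTATION1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>hi</body></html>
--b1
Content-Type: application/octet-stream; name="p.exe"
Content-Disposition: attachment; filename="p.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample Run values: one Chir-style entry, one unrelated program.
SAMPLE_RUN_VALUES = {
    "Runonce": r"C:\WINDOWS\system32\runouce.exe",
    "SomeApp": r"C:\Program Files\SomeApp\someapp.exe",
}

if __name__ == "__main__":
    for line in check_run_values(SAMPLE_RUN_VALUES):
        print("registry:", line)
    for line in email_matches_chir(SAMPLE_EMAIL):
        print("mail:", line)
```

A mail that hits only the loose "is coming!" subject pattern deserves a look but not an automatic verdict; one that also carries p.exe or PP.exe, or comes from the listed sender, matches the page's description closely enough to quarantine.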

Prevention


Alert level: High
This entry was first published on: Jun 03, 2006
This entry was updated on: Oct 09, 2013

This threat is also detected as:
No known aliases