
Worm:Win32/Chir.D@mm


Microsoft security software detects and removes this threat. 

This email worm spreads as an attachment to an email. It can also spread via an infected network or removable drive, such as a USB flash drive. When you open the attachment or file, the worm will run.

The worm can also exploit a vulnerability discussed in Microsoft Security Bulletin MS01-020. This can allow the attachment to automatically open when the email is read or previewed on a vulnerable PC. You should download and use the latest version of Internet Explorer to avoid this vulnerability.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Update vulnerable applications

This threat exploits a known vulnerability in Internet Explorer. After removing this threat, make sure that you install any updates available from Microsoft. You can read more about this vulnerability, as well as where to download the software update from the following links:

Be careful when sharing files

Windows has a feature that lets you share files and folders on a network or shared PC. This feature is sometimes abused by malware to spread to other PCs within the network.

You can get more information and tips on how to share files safely from these pages:

You should turn off file sharing until you make sure that all infected PCs have been cleaned of any malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

When run, the worm drops a copy of itself as "runouce.exe" into the <system folder>.

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is "C:\WinNT\System32" on Windows 2000 and NT, and "C:\Windows\System32" on Windows XP, Vista, 7, and 8.

Worm:Win32/Chir.D@mm modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Runonce"
With data: "<system folder>\runouce.exe"

When run, Worm:Win32/Chir.D@mm searches for email addresses in all files on your computer's hard drive and any USB drives you have connected to your computer. It sends emails to these addresses, along with a copy of itself as an attachment with the file name "pp.exe".

The emails use the following format:

  • Subject: <username> is coming!
  • From (actual): <username>@btamail.net.cn
  • From (disguised as): <username>@yahoo.com
  • Attachment: pp.exe

Some variants of Worm:Win32/Chir.D@mm infect all executable (.EXE) and screen saver (.SCR) files on local and remote drives and network-shared folders. When these files are run, the worm's code will also run.

Variants of the worm may also drop a copy of the worm named "readme.eml" into folders containing webpage files (.HTM and .HTML). The worm adds JavaScript code to those webpage files that exploits the vulnerability discussed in Microsoft Security Bulletin MS01-020. This JavaScript code causes the webpage files to automatically run the "readme.eml" file when they are opened.

Related encyclopedia entries

Win32/Chir

Analysis by Justin Kim


Symptoms

The following could indicate that you have this threat on your PC:

  • An email in the following format:
    • Subject: <username> is coming!
    • From (actual): <username>@btamail.net.cn
    • From (disguised as): <username>@yahoo.com
    • Attachment: pp.exe

  • The presence of the following file:

    <system folder>\runouce.exe

  • The presence of the following registry modification:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Runonce"
    With data: "<system folder>\runouce.exe"
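The indicators listed in the Threat behavior and Symptoms sections above can be turned into a small triage check. The following Python script is an added example and is not part of the original write-up or any Microsoft tool; it matches the page's indicators (the "Runonce" Run value pointing at runouce.exe, the dropped file name, the email template with the btamail.net.cn / yahoo.com sender mismatch and the pp.exe attachment, and a reference to readme.eml in a webpage file) against snapshots that a responder would export from a suspect PC. The registry snapshot, file listing and messages it runs against are constructed sample data, and the check that a webpage merely mentions "readme.eml" is a heuristic assumed here, since the page does not reproduce the injected JavaScript.

```python
import re
from email import message_from_string
from pathlib import PureWindowsPath

# Indicators as given in the write-up above.
DROPPED_FILE = "runouce.exe"
RUN_SUBKEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Runonce"
ATTACHMENT_NAME = "pp.exe"
SUBJECT_RE = re.compile(r"^\S+ is coming!$")          # "<username> is coming!"
ACTUAL_SENDER_DOMAIN = "btamail.net.cn"              # From (actual)
DISGUISED_SENDER_DOMAIN = "yahoo.com"                # From (disguised as)
DROPPER_NAME = "readme.eml"                          # copy dropped next to .htm/.html files


def check_run_key(run_values):
    """run_values is a {value_name: data} snapshot of the Run subkey
    (for example exported with reg.exe). Flags the persistence entry
    the worm creates: value "Runonce" launching <system folder>\\runouce.exe."""
    findings = []
    for name, data in run_values.items():
        target = PureWindowsPath(data.strip('"')).name.lower()
        if name.lower() == RUN_VALUE_NAME.lower() and target == DROPPED_FILE:
            findings.append(f"{RUN_SUBKEY}\\{name} -> {data}")
    return findings


def check_file_paths(paths):
    """Flags every path in a directory listing whose file name is the dropped copy."""
    return [p for p in paths if PureWindowsPath(p).name.lower() == DROPPED_FILE]


def check_email(raw_message):
    """Parses one RFC 822 message and reports which parts of the worm's
    email template it matches. Return-Path is used as the envelope (actual)
    sender and the From header as the disguised sender."""
    msg = message_from_string(raw_message)
    findings = []
    subject = msg.get("Subject", "")
    if SUBJECT_RE.match(subject):
        findings.append(f"subject follows worm template: {subject!r}")
    envelope = msg.get("Return-Path", "").strip().strip("<>")
    header_from = msg.get("From", "")
    if (envelope.lower().endswith("@" + ACTUAL_SENDER_DOMAIN)
            and DISGUISED_SENDER_DOMAIN in header_from.lower()):
        findings.append(f"envelope sender {envelope} disguised as {header_from}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() == ATTACHMENT_NAME:
            findings.append(f"attachment named {name}")
    return findings


def html_references_dropper(html_text):
    """Heuristic (assumed here, not from the write-up): a webpage file that
    mentions readme.eml is a candidate for the modified pages described above."""
    return DROPPER_NAME in html_text.lower()


# Constructed sample data for a stand-alone run.
SAMPLE_RUN_VALUES = {
    "Runonce": r"C:\Windows\System32\runouce.exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}
SAMPLE_PATHS = [r"C:\Windows\System32\runouce.exe", r"C:\Windows\System32\notepad.exe"]
SAMPLE_EMAIL = """\
Return-Path: <alice@btamail.net.cn>
From: alice@yahoo.com
To: bob@example.org
Subject: alice is coming!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

hi
--XYZ
Content-Type: application/octet-stream; name="pp.exe"
Content-Disposition: attachment; filename="pp.exe"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""
CLEAN_EMAIL = "Return-Path: <bob@example.org>\nFrom: bob@example.org\nSubject: Meeting notes\n\nsee you at 10\n"

if __name__ == "__main__":
    for finding in (check_run_key(SAMPLE_RUN_VALUES)
                    + check_file_paths(SAMPLE_PATHS)
                    + check_email(SAMPLE_EMAIL)):
        print("indicator:", finding)
    print("clean message findings:", check_email(CLEAN_EMAIL))
```

Running the script prints one line per matched indicator for the constructed samples and an empty list for the clean message. On a real investigation the three inputs would be a Run-key export, a listing of the System folder, and messages pulled from the mail server; a hit on the Run value or the dropped file is a stronger signal than the email template alone, since the worm's email fields are trivially changed in other variants.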

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.185.144.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Feb 01, 2008
This entry was updated on: Jul 21, 2014

This threat is also detected as:
  • Win32/Chir.B@mm (AVG)
  • W32.Chir.B@mm (Symantec)
  • W32/Chir.B (Avira)
  • W32/Chir-B (Sophos)
  • Worm.Chir!292A (Rising AV)
  • WORM_CHIR.DI (Trend Micro)