When an infected file is run, the virus locates kernel32 in memory and finds the address of its GetProcAddress function, which it then uses to collect the addresses of all the other APIs it needs. It creates the mutex “ChineseHacker-2” and then runs the original program.
Using a clean dummy Win32 PE file that it carries in compressed form within its own code, Virus:Win32/Chir.B@mm decompresses it and writes it as an infected file called “runouce.exe” in the System folder. The created file has the system, hidden and read-only attributes set.
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Runonce"
With data: "<system folder>\runouce.exe"
The virus monitors the registry entry listed above, and recreates it if it is deleted.
This virus searches for targets on all mapped drives, from C: to Z:, and in all directories, but it avoids folders whose names start with “wind” or “winn” in an attempt to skip the Windows or WinNT folders. If a file found has an .exe or .scr extension, the virus infects it by appending its code and modifying the entry point so that the virus gains control when the file is executed.
Note: Due to a bug that truncates the file size, many targeted files no longer work after infection.
If a file has an .htm or .html extension, the virus does two things:
- Creates the file “readme.eml” in the target directory
- Appends a short JavaScript snippet to the HTML file that launches “readme.eml” when the page is loaded.
The virus attempts to exploit the vulnerability addressed by Security Bulletin MS01-020, using a specially crafted MIME format so that the embedded virus code executes automatically.
Virus:Win32/Chir.B@mm attempts to spread through all open shares it can reach, located by enumerating network resources. It infects files on those shares using the method described above, and additionally drops a file called “<attacking computer name>.eml”.
This threat does not rely on any email client to send mail. It uses its own SMTP engine, connecting to an SMTP server located in China.
The virus searches for target email addresses in the Windows Address Book (*.wab) and also in files matching the following criteria:
When an e-mail address is found, the virus sends an e-mail with the following details:
From: <infected sender's computer name>@yahoo.com
Subject: <infected sender's computer name> is coming!
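As an added example (not part of the original analysis), the Python module below turns the indicators described above into defender-side checks: the "Runonce" Run value pointing at runouce.exe, the dropped file's attributes, a script appended to HTML that references readme.eml, and the fixed From/Subject pair of the worm's mail. The exact JavaScript the worm appends is not given above, so the HTML check uses an assumed broad pattern; all sample inputs are constructed.

```python
"""Defender-side checks for the Virus:Win32/Chir.B@mm indicators described above.
Added example, not from the original analysis; all sample data is constructed."""
import re
from email import message_from_string

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Runonce"
DROPPED_FILE = "runouce.exe"   # worm's misspelling; runonce.exe is a legitimate Windows file
MUTEX_NAME = "ChineseHacker-2"  # mutex created by the running virus (for process inspection)
SUBJECT_RE = re.compile(r"^(?P<host>\S+) is coming!$")

def check_run_value(run_values):
    """run_values: {value name: data} exported from RUN_KEY.
    True when the 'Runonce' value launches runouce.exe from any folder."""
    data = run_values.get(RUN_VALUE, "").strip().strip('"\u201c\u201d')
    return data.lower().endswith("\\" + DROPPED_FILE)

def check_dropped_file(listing):
    """listing: iterable of (file name, set of attribute names) for the System folder.
    The worm marks runouce.exe system, hidden and read-only."""
    wanted = {"system", "hidden", "readonly"}
    return any(n.lower() == DROPPED_FILE and wanted <= set(a) for n, a in listing)

def html_launches_readme_eml(html):
    """True if a <script> block references readme.eml. The exact appended script is
    not documented above, so this is an assumed, deliberately broad pattern."""
    pattern = r"<script\b[^>]*>(?:(?!</script>).)*readme\.eml"
    return re.search(pattern, html, re.I | re.S) is not None

def check_mail_headers(raw_headers):
    """True when From is <name>@yahoo.com and Subject is '<name> is coming!' with the
    same <name> in both, which is the fixed pair the worm uses."""
    msg = message_from_string(raw_headers)
    sender = (msg.get("From") or "").strip().lower()
    m = SUBJECT_RE.match((msg.get("Subject") or "").strip())
    if m is None or not sender.endswith("@yahoo.com"):
        return False
    return sender[: -len("@yahoo.com")] == m.group("host").lower()

# Constructed samples (not real telemetry).
SAMPLE_RUN = {"Runonce": '"C:\\WINDOWS\\system32\\runouce.exe"', "ctfmon": "ctfmon.exe"}
SAMPLE_LISTING = [("runouce.exe", {"system", "hidden", "readonly"}), ("runonce.exe", set())]
SAMPLE_HTML = "<html><body>hi</body></html><script>window.open('readme.eml')</script>"
SAMPLE_MAIL = "From: WORKSTATION7@yahoo.com\nSubject: WORKSTATION7 is coming!\n\n"

if __name__ == "__main__":
    print(check_run_value(SAMPLE_RUN), check_dropped_file(SAMPLE_LISTING),
          html_launches_readme_eml(SAMPLE_HTML), check_mail_headers(SAMPLE_MAIL))
```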
When the virus is run on the first day of a month, the files that are scanned for email addresses (*.adc, *.xls, *.doc, *r.db) have their first 4660 bytes overwritten with random junk.
Displays messages to Chinese users
This virus contains code that targets Chinese users: it looks for a window titled 发送消息 (Send message). If it finds one, the virus sends a series of Chinese messages to that window, which range from statements promoting peace (世界需要和平!) to those condemning dictatorship (反对霸权主义!) and praising socialism (社会主义好!).
Once a minute, Virus:Win32/Chir.B@mm sends a network message to everyone on the same network: “My god! Some one killed ChineseHacker-2 Monitor”.
Sometimes the displayed message instead reads “My god! Some o~e killed ChineseHacker-2 Monitor”.
Analysis by Jakub Kaminski