When run, the worm drops a copy of itself as "runouce.exe" into the <system folder>.
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32", and for XP, Vista, 7, and 8 it is "C:\Windows\System32".
Worm:Win32/Chir.D@mm modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Runonce"
With data: "<system folder>\runouce.exe"
When run, Worm:Win32/Chir.D@mm searches for email addresses in all files on your computer's hard drive and any USB drives you have connected to your computer. It sends emails to these addresses, along with a copy of itself as an attachment with the file name "pp.exe".
The emails use the following format:
- Subject: <username> is coming!
- From (actual): <username>@btamail.net.cn
- From (disguised as): <username>@yahoo.com
- Attachment: pp.exe
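The email format above can be turned into a mail-filter check. The following Python function is an added example, not part of the original analysis; it reports which of the listed traits appear in a raw message. It assumes the actual sending address is visible in the Return-Path header, and the function name and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject format from the description: "<username> is coming!"
SUBJECT_RE = re.compile(r"^\S+ is coming!$")

def chir_d_indicators(raw_message):
    """Return the set of Chir.D email traits found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = set()
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.add("subject")
    # Visible From header is disguised as @yahoo.com.
    shown = parseaddr(msg.get("From", ""))[1].lower()
    # Assumption: the actual sender (@btamail.net.cn) appears in Return-Path.
    actual = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if shown.endswith("@yahoo.com") and actual.endswith("@btamail.net.cn"):
        hits.add("sender-mismatch")
    # Attachment name is compared case-insensitively.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() == "pp.exe":
            hits.add("attachment")
    return hits

# Constructed sample that carries all three traits (attachment body is a dummy).
SAMPLE_SUSPECT = (
    "Return-Path: <alice@btamail.net.cn>\n"
    "From: alice@yahoo.com\n"
    "To: bob@example.org\n"
    "Subject: alice is coming!\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="PP.EXE"\n'
    "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
)

# Constructed benign message with a similar-looking subject line.
SAMPLE_BENIGN = (
    "Return-Path: <carol@example.org>\n"
    "From: carol@example.org\n"
    "Subject: Winter is coming! Sale starts now\n"
    "Content-Type: text/plain\n\nhi\n"
)

if __name__ == "__main__":
    print(sorted(chir_d_indicators(SAMPLE_SUSPECT)))
    print(sorted(chir_d_indicators(SAMPLE_BENIGN)))
```

A single trait such as the subject line can occur in legitimate mail, so a filter would normally act only when two or more traits match.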
Some variants of Worm:Win32/Chir.D@mm infect all executable (.EXE) and screen saver (.SCR) files on local and remote drives and network-shared folders. When these files are run, the worm's code will also run.
Analysis by Justin Kim