Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically



Win32/Chir.A is a worm spreading as an email file attachment.  It has also the ability of a classical virus to infect executable or HTML files.  The worm is 10799 bytes in size.  It attacks computers using the operating system Windows 9x/ME/NT/2000/XP.

What Win32/Chir.A utilizes to spread via email is an incorrect MIME Header vulnerability in Microsoft Internet Explorer 5.01 and Microsoft Internet Explorer 5.5 allowing the executable file to run automatically without the user double-clicking on the attachment.  The vulnerability description is available at bulletin/MS01-020.asp.  A patch which secures against this vulnerability known from March 2001 is available for download at  Since this vulnerability utilizes a selection of known worms to spread it is very important to have the related patch downloaded and installed.

Note: In following text a symbolic inscription %windir% is used instead of the name of directory in which Windows operating system is installed.  Of course, this may differ from installation to installation.

The worm arrives in an email attachment as a file named p.exe.  The message comes from or  Win32/Chir.A replaces the string addressee_name with the real name of addressee who will receive the copy of the worm.  The subject of the message is "Hi, i am addressee_name".  In executing the file the worm is activated and copied into the file %windir%/System/runoune.exe.  The hidden, system and read-only attributes are set for this newly created file.  It ensures the activation of this copy after system rebooting by creation of the item Runonce in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.  It sets its value to "C:\WINDOWS\SYSTEM\runouce.exe".

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.