Win32/Chir.A is a worm that spreads as an email attachment. It can also infect executable and HTML files in the manner of a classical virus. The worm is 10799 bytes in size. It attacks computers running Windows 9x/ME/NT/2000/XP.
To spread via email, Win32/Chir.A exploits the incorrect MIME header vulnerability in Microsoft Internet Explorer 5.01 and Microsoft Internet Explorer 5.5, which allows the executable file to run automatically without the user double-clicking on the attachment. The vulnerability description is available at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp. A patch that secures against this vulnerability, known since March 2001, is available for download at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp. Since a number of known worms utilize this vulnerability to spread, it is very important to have the related patch downloaded and installed.
Note: In the following text, the symbolic name %windir% is used in place of the name of the directory in which the Windows operating system is installed. This may differ from installation to installation.
The worm arrives in an email attachment as a file named p.exe. The message comes from imissyou@btamail.net.cn or addressee_name@hotmail.com. Win32/Chir.A replaces the string addressee_name with the real name of the addressee who will receive the copy of the worm. The subject of the message is "Hi, i am addressee_name".
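A mail-gateway style check for the message indicators listed above, as an added example (not ESET's code). It assumes addressee_name is either the display name or the local part of the To address; the function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Indicators taken from the description above.
FIXED_SENDER = "imissyou@btamail.net.cn"
ATTACHMENT_NAME = "p.exe"
SUBJECT_PREFIX = "hi, i am "

# Constructed sample messages (placeholder attachment body, no payload).
SUSPECT = (
    "From: alice@hotmail.com\nTo: Alice <alice@example.org>\n"
    "Subject: Hi, i am alice\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="p.exe"\n\nplaceholder\n--b1--\n'
)
BENIGN = "From: bob@example.org\nTo: alice@example.org\nSubject: Hi Alice\n\nlunch?\n"

def recipient_names(msg):
    # Assumption: addressee_name is the display name or the address local part.
    names = set()
    for display, addr in getaddresses(msg.get_all("To", [])):
        if display:
            names.add(display.strip().lower())
        if "@" in addr:
            names.add(addr.split("@", 1)[0].lower())
    return names

def chir_indicators(raw):
    """Return the Win32/Chir.A mail indicators present in a raw RFC 822 message."""
    msg = message_from_string(raw)
    names = recipient_names(msg)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = sender.partition("@")
    if sender == FIXED_SENDER:
        hits.append("sender:fixed")
    elif domain == "hotmail.com" and local in names:
        hits.append("sender:addressee@hotmail")
    # Collapse whitespace so folded subject headers compare cleanly.
    subject = " ".join(msg.get("Subject", "").split()).lower()
    if subject.startswith(SUBJECT_PREFIX) and subject[len(SUBJECT_PREFIX):] in names:
        hits.append("subject:addressee")
    if any((p.get_filename() or "").strip().lower() == ATTACHMENT_NAME for p in msg.walk()):
        hits.append("attachment:p.exe")
    return hits
```

A single indicator (for example, only the attachment name) is weak on its own; treat a message as a likely match when several indicators appear together.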
When the file is executed, the worm is activated and copies itself to the file %windir%/System/runouce.exe. The hidden, system and read-only attributes are set for this newly created file.
It ensures that this copy is activated after the system reboots by creating the value Runonce in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. It sets its value to "C:\WINDOWS\SYSTEM\runouce.exe".