FRISK Software International


Summary of W32/Chet@mm
Alias:Chet, Anniv911, 11september, September11
Length: 26628
Discovered: 10 Sep 2002
Definition files: 10 Sep 2002
Risk Level: Low
Distribution:Low
Infection Method:Mass Mailing
Payload: If the infected computer has a modem the worm tries to call a predefined phone number. The number most likely a local number in some country. The owner of the number is unknown, so it the purpose of the call.
 
Jump to:
Brief description
Technical description

Brief Description

This mass-mailer worm was found on September 10th, 2002. As it contains serious bugs, this worm will fail to function on most systems and can not be considered to be a realistic threat at this time.

Many things inside the worm's code suggest that it originates from Russia.

The worm tries to spread via an attachment file called 11september.exe. When this file is executed, the worm will attempt to send an e-mail message to each address found from the Windows address book.



Technical Description

This mass-mailer worm was found on September 10th, 2002. As it contains serious bugs, this worm will fail to function on most systems and can not be considered to be a realistic threat at this time.

Many things inside the worm's code suggest that it originates from Russia.

The worm tries to spread via an attachment file called 11september.exe. When this file is executed, the worm will attempt to send the following e-mail to each address found from the Windows address book:

From: main@world.com
To: all-people-in-the-address-book
Subject: All people!!
Attachment: 11september.exe


Dear ladies and gentlemen! The given letter does not contain viruses, and is not Spam. We ask you to be in earnest to this letter. As you know America and England have begun bombardment of Iraq, cause of its threat for all the world. It isn't the truth. The real reason is in money laundering and also to cover up traces after acts of terrorism September, 11, 2001. Are real proofs of connection between Bush and Al-Qaeda necessary for you? Please! There is a friendly dialogue between Bin Laden and the secretary of a state security of USA in the given photos. In the following photo you'll see, how FBI discusses how to strike over New York to lose people as much as possible. And the document representing the super confidential agreement between CIA and Al-Qaeda is submitted to your attention. All this circus was specially played to powder brains!! You'll find out the truth. Naked truth, instead of TV showed.

For your convenience, and to make letter less, all documentary materials (photos and MS Word documents) are located in one EXE file. Open it, and all materials will be installed on your computer. You will receive the freshest and classified documents automatically from our site. It isn't a virus! You can trust us absolutely. We hope, that it will open your eyes on many things occurring in this world.


When Chet sends the infected messages it also collects information about the infected computer and the current user. All the collected data is sent to a predefined e-mail address to Russia.

System infection

When the worm is first executed on a computer it copies itself to the Windows System Directory as 'synchost1.exe'. This file is then added to the registry as

'HKLU\Software\Microsoft\Windows\CurrentVersion\Run\ICQ1'

Chet stores some of its internal data in a registry key:

'HKLU\DefaultLcid2'

After 13th of September, 2002 the worm commits suicide and removes itself from the infected computer.



[ Analysis: Gergely Erdelyi and Sami Rautiainen; F-Secure Corp; September 10-11, 2002]
 


Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)
 

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is