FRISK Software International


Summary of W32/Chir.A@mm
Alias: Runouce, W32/Thecid.B@mm, W32.Chier@mm, I-Worm.Runouce, I-Worm.Win32.ChiHack
Discovered: 1 Aug 2002
Infection Method: Infected e-mail attachments
 

Brief Description
W32/Chir.A@mm is an Internet worm. When run, it copies itself to the System directory as Runouce.exe and modifies the Windows registry so that it runs each time Windows starts.


Technical Description
The worm searches the user's hard drive for HTML files and modifies them to launch the file README.EML, which it creates in the same directory as each HTML file.
The worm also sends e-mails in this format:

Subject:
From:

The worm spreads itself as an attachment named pp.exe with MIME type audio/x-wav.

It uses a static server to send messages through its own SMTP engine.


[Analysis: Ero Carrera ; F-Secure Corp.; August 1st, 2002]
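
The two traits described above (an executable attachment declared as audio/x-wav, and a README.EML dropped beside HTML files) can be checked for as follows. This is an added example, not code from the original analysis; the extension list, the function names and the sample message are assumptions constructed for illustration, and the check generalizes to any executable filename declared with an audio, video or image type.

```python
import email
import os
from email import policy

# Extensions treated as executable on Windows; a choice made for this example.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}

def suspicious_attachments(raw: bytes):
    """Return (filename, content_type) for MIME parts whose declared
    type is audio/video/image but whose filename is executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in EXEC_EXTS and part.get_content_maintype() in ("audio", "video", "image"):
            hits.append((name, part.get_content_type()))
    return hits

def dirs_with_readme_eml(root):
    """Return directories under root that hold both an HTML file and README.EML."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower() for f in files}
        if "readme.eml" in lower and any(f.endswith((".htm", ".html")) for f in lower):
            found.append(dirpath)
    return sorted(found)

# Constructed sample message (not a captured specimen).
SAMPLE = (
    b"From: a@example.com\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="B"\r\n'
    b"\r\n"
    b"--B\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--B\r\n"
    b'Content-Type: audio/x-wav; name="pp.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="pp.exe"\r\n'
    b"\r\nAAAA\r\n"
    b"--B--\r\n"
)

if __name__ == "__main__":
    print(suspicious_attachments(SAMPLE))
```

A hit from `dirs_with_readme_eml` is only a lead: the HTML files in that directory still need to be inspected for the added reference to README.EML.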
 

