|
Summary of W32/Chir.A@mm |
| Alias: | Runouce, W32/Thecid.B@mm, W32.Chier@mm, I-Worm.Runouce,I-Worm.Win32.ChiHack |
| Discovered: |
1 Aug 2002 |
| Infection Method: | Infected e-mail attachments |
|
|
|
| Brief Description |
| W32/Chir.A@mm is an internet worm. When run it copies itself to the System Directory as Runouce.exe and modifies windows registry so it is run each time windows starts. |
| Technical Description |
The worm searches for HTML files in the users' hard drive and modifies them to launch the file README.EML, created in the same directory where the HTML is found.
The worm also sends e-mails in this format:
Subject:
From:
The worm spreads itself as an attachment named pp.exe with MIME type audio/x-wav.
It uses a static server to send messages through its own SMTP engine.
|
[Analysis: Ero Carrera ; F-Secure Corp.; August 1st, 2002] |
|
