Win32/Chir [Threat Name]

Win32/Chir.B [Threat Variant Name]

Category: trojan, virus
Size: 6652 B
Detection created: Aug 01, 2002
Signature database version: 10469
Aliases: Email-Worm.Win32.Runouce.b (Kaspersky)
  W32/Chir.b@MM.virus (McAfee)
  Virus:Win32/Chir.B@mm (Microsoft)
  W32.Chir.B@mm (Symantec)

Short description

Win32/Chir.B is a file infector.

Installation

When executed, the virus creates the following files:

  • %system%\runouce.exe (10748 B, Win32/Chir.B)

In order to be executed on every system start, the virus sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Runonce" = "%system%\runouce.exe"

The virus may create and run a new thread with its own program code within any running process.

Executable file infection

The virus searches local and network drives for files with one of the following extensions:

  • .exe
  • .scr

Executables are infected by appending the code of the virus to the last section. The size of the inserted code is 6652 B.

It avoids files which contain any of the following strings in their path:

  • winn
  • wind

The host file is modified in a way that causes the virus to be executed prior to running the original code.

File infection

The virus also infects files with the following extensions:

  • .html
  • .htm

The following file is created in the same folders:

  • readme.eml (14848 B)

The virus writes the program code of the malware into the file.

The virus inserts an element with a link into each *.html, *.htm file.

The inserted record executes the following file:

  • readme.eml
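
A triage sketch for the file-infection artifacts described above, added here as an example and not taken from the vendor description: it walks a directory tree and reports folders that hold readme.eml (checking the 14848 B size) or .html/.htm pages that mention it. The function names and the sample tree are constructed, and it assumes the inserted link contains the literal file name.

```python
import os
import tempfile

EML_NAME = "readme.eml"        # dropped file name, from the description
EML_SIZE = 14848               # dropped file size in bytes, from the description
HTML_EXTS = (".html", ".htm")  # page extensions the description lists

def scan_tree(root):
    """Return one finding per folder holding readme.eml or a page naming it."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        by_lower = {name.lower(): name for name in files}
        eml = by_lower.get(EML_NAME)
        size = os.path.getsize(os.path.join(folder, eml)) if eml else None
        pages = []
        for name in files:
            if not name.lower().endswith(HTML_EXTS):
                continue
            with open(os.path.join(folder, name), "rb") as fh:
                # Assumption: the inserted link contains the literal file name.
                if EML_NAME.encode() in fh.read().lower():
                    pages.append(name)
        if eml or pages:
            findings.append({
                "folder": folder,
                "eml_present": eml is not None,
                "eml_size_matches": size == EML_SIZE,
                "pages_referencing_eml": sorted(pages),
            })
    return findings

def build_sample_tree(root):
    """Constructed sample data: a clean folder and one with the artifacts."""
    clean, hit = os.path.join(root, "clean"), os.path.join(root, "site")
    os.makedirs(clean)
    os.makedirs(hit)
    with open(os.path.join(clean, "index.html"), "w") as fh:
        fh.write("<html><body>hello</body></html>")
    with open(os.path.join(hit, "Index.HTM"), "w") as fh:
        fh.write("<html><body>hi</body></html>\n<!-- constructed: README.EML -->")
    with open(os.path.join(hit, "readme.eml"), "wb") as fh:
        fh.write(b"\x00" * EML_SIZE)  # zero bytes of the right length, not malware

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in scan_tree(tmp):
            print(finding)
```

A page that references readme.eml with no readme.eml beside it is still reported, since the dropped file may already have been removed while the modified page remains.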

Spreading via e-mail

Win32/Chir.B is a virus that spreads via e-mail.


E-mail addresses are searched for in files with one of the following extensions:

  • .wab
  • .adc
  • r.bd
  • .doc
  • .xls

The sender address is one of the following:

  • imissyou@btamail.net.cn
  • %username%@yahoo.com

The subject of the message is one of the following:

  • %username% is comming!

The attachment is an executable file of the virus.

The name of the attachment is one of the following:

  • pp.exe

Other information

Win32/Chir.B is a virus that can interfere with the operation of certain applications.


If the virus finds a window of a running process which contains any of the following strings in its title:

  • 发送消息

the virus changes the window title to:

  • 枪毙李洪志!
  • 去他妈的法轮功!
  • 对邪教,缟锌蒲?
  • 打倒本拉登!
  • 向英雄王伟致意!
  • 反对霸权主义!
  • 世界需要和平!
  • 社会主义好!

The virus may execute the following commands:

  • Net Send * My god! Some one killed ChineseHacker-2 Monitor
