Win32/Chir [Threat Name] go to Threat

Win32/Chir.B [Threat Variant Name]

Category	trojan,virus
Size	6652 B
Aliases	Email-Worm.Win32.Runouce.b (Kaspersky)
	W32/Chir.b@MM.virus (McAfee)
	Virus:Win32/Chir.B@mm (Microsoft)
	W32.Chir.B@mm (Symantec)

Win32/Chir.B is a file infector.

When executed, the virus creates the following files:

In order to be executed on every system start, the virus sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Runonce" = "%system%\runouce.exe"

The virus may create and run a new thread with its own program code within any running process.

Win32/Chir.B is a file infector.

The virus searches local and network drives for files with one of the following extensions:

Executables are infected by appending the code of the virus to the last section.

The size of the inserted code is 6652 B .

It avoids files which contain any of the following strings in their path:

The host file is modified in a way that causes the virus to be executed prior to running the original code.

It infects the following files:

The following file is created in the same folders:

The virus writes the program code of the malware into the file.

The virus inserts a/an *.html, *.htm element with an link into the file.

The record executes the following files:

Win32/Chir.B is a virus that spreads via e-mail.

E-mail addresses are searched for in files with one of the following extensions:

The sender address is one of the following:

Subject of the message is one of the following:

The attachment is an executable file of the virus.

Name of the attachment is one of the following:

Win32/Chir.B is a virus that can interfere with the operation of certain applications.

If the virus finds a window of a running process which contains any of the following strings in its title:

the virus changes the window title to:

The virus may execute the following commands: