Win32/Chir [Threat Name]
Win32/Chir.B [Threat Variant Name]
Category | trojan, virus |
Size | 6652 B |
Aliases | Email-Worm.Win32.Runouce.b (Kaspersky) |
 | W32/Chir.b@MM.virus (McAfee) |
 | Virus:Win32/Chir.B@mm (Microsoft) |
 | W32.Chir.B@mm (Symantec) |
Short description
Win32/Chir.B is a file infector.
Installation
When executed, the virus creates the following files:
- %system%\runouce.exe (10748 B, Win32/Chir.B)
In order to be executed on every system start, the virus sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Runonce" = "%system%\runouce.exe"
The virus may create and run a new thread with its own program code within any running process.
Executable file infection
Win32/Chir.B is a file infector.
The virus searches local and network drives for files with one of the following extensions:
- .exe
- .scr
Executables are infected by appending the code of the virus to the last section.
The size of the inserted code is 6652 B.
It avoids files which contain any of the following strings in their path:
- winn
- wind
The host file is modified in a way that causes the virus to be executed prior to running the original code.
File infection
It infects the following files:
- .html
- .htm
The following file is created in the same folders:
- readme.eml (14848 B)
The virus writes the program code of the malware into the file.
The virus inserts an element with a link into each *.html, *.htm file.
The inserted record executes the following file:
- readme.eml
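A defensive sweep for the web-content indicators described in this section, as an added example that is not part of the original description or any vendor tool: it walks a directory tree and reports readme.eml files (flagging the listed 14848 B size) and .html/.htm files that reference readme.eml. The sample tree, the `<a href>` form of the reference and all function names are constructed for illustration; the description does not state which element the virus inserts.

```python
import os
import re
import tempfile

# Indicators taken from the description above.
DROPPED_NAME = "readme.eml"
DROPPED_SIZE = 14848                      # bytes listed for readme.eml
HTML_EXTS = (".html", ".htm")
REF_RE = re.compile(rb"readme\.eml", re.IGNORECASE)

def scan_tree(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            low = name.lower()
            try:
                if low == DROPPED_NAME:
                    exact = os.path.getsize(path) == DROPPED_SIZE
                    findings.append((rel, "eml-size-match" if exact else "eml-name-only"))
                elif low.endswith(HTML_EXTS):
                    with open(path, "rb") as fh:
                        if REF_RE.search(fh.read()):
                            findings.append((rel, "html-references-eml"))
            except OSError:
                continue                  # unreadable file: skip, keep sweeping
    return sorted(findings)

def build_sample(root):
    """Constructed test tree; contents are placeholders, not malware."""
    site = os.path.join(root, "site")
    docs = os.path.join(root, "docs")
    os.makedirs(site)
    os.makedirs(docs)
    with open(os.path.join(site, "index.html"), "wb") as fh:
        fh.write(b'<html><body>hi<a href="ReadMe.eml">x</a></body></html>')
    with open(os.path.join(site, "readme.eml"), "wb") as fh:
        fh.write(b"\0" * DROPPED_SIZE)    # size matches the listed indicator
    with open(os.path.join(docs, "clean.htm"), "wb") as fh:
        fh.write(b"<html><body>nothing here</body></html>")
    with open(os.path.join(docs, "README.EML"), "wb") as fh:
        fh.write(b"unrelated mail export")  # name hit only, wrong size

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_tree(root)
```

A name-only hit is a lead to triage rather than a confirmation, since readme.eml is also a plausible name for a legitimate saved message.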
Spreading via e-mail
Win32/Chir.B is a virus that spreads via e-mail.
E-mail addresses are searched for in files with one of the following extensions:
- .wab
- .adc
- r.bd
- .doc
- .xls
The sender address is one of the following:
- imissyou@btamail.net.cn
- %username%@yahoo.com
Subject of the message is one of the following:
- %username% is comming!
The attachment is an executable file of the virus.
Name of the attachment is one of the following:
- pp.exe
Other information
Win32/Chir.B is a virus that can interfere with the operation of certain applications.
If the virus finds a window of a running process which contains any of the following strings in its title:
- 发送消息
the virus changes the window title to:
- 枪毙李洪志!
- 去他妈的法轮功!
- 对邪教,缟锌蒲?
- 打倒本拉登!
- 向英雄王伟致意!
- 反对霸权主义!
- 世界需要和平!
- 社会主义好!
The virus may execute the following commands:
- Net Send * My god! Some one killed ChineseHacker-2 Monitor