Discussion in 'malware problems & news' started by Marianna, Jun 13, 2002.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Apr 23, 2002
    B.C. Canada
    Name: W32/Chir-A
    Aliases: I-Worm.Runouce
    Type: Win32 worm
    Date: 13 June 2002

    A virus identity file (IDE) which provides protection is
    available now from our website and will be incorporated into the
    August 2002 (3.60) release of Sophos Anti-Virus.


    W32/Chir-A is an internet worm that tries to spread via email by
    sending itself to email addresses found in the Windows address

    The email will have the following characteristics:
    Sender address: @hotmail.com or iloveyou@btamail.net.cn
    Subject line: Hi,i am
    Attached file: p.exe

    The worm attempts to exploit a MIME and an IFRAME vulnerability
    in some versions of Microsoft Outlook, Microsoft Outlook
    Express, and Internet Explorer to allow the executable file to
    run automatically without the user double-clicking on the
    attachment. Microsoft has issued a patch which secures against
    this vulnerability which can be downloaded from Microsoft
    Security Bulletin MS01-027. (This patch was released to fix a
    number of vulnerabilities in Microsoft's software, including the
    one exploited by this worm.)

    When run the worm copies itself into the Windows system folder
    as runouce.exe (not runonce.exe) and sets the following registry
    entry so that the worm will be automatically started when
    Windows starts up:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Runonce =

    The worm also creates several EML files with the name
    .eml on network drives. These EML files contain a
    base64-encoded copy of the worm.

    Read the analysis at
Thread Status:
Not open for further replies.