Name: W32/Chir-B Aliases: Win32/ChiHack, WORM_CHIR.B, I-Worm.Runouce.b Type: Win32 executable file virus Date: 6 August 2002 At the time of writing Sophos has received just one report of this virus from the wild. Description W32/Chir-B is an email worm, an EXE file infector and an HTM/HTML file infector. The worm component attempts to spread via email by sending itself to email addresses found in the Windows address book, plus addresses found in files matching *.adc, *r.db, *.doc, and *.xls. The email will have the following characteristics: From: <username>@yahoo.com or imissyou@btamail.net.cn Subject line: <username> is comming! Attached file: Name of infected file. The body of the email will be blank. The email contains the Iframe exploit and a MIME exploit to run the virus automatically when the email is viewed. When run the virus will copy itself into the Windows system folder as runouce.exe and sets the following registry entry to point to this new copy of the virus: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Runonce This will cause the virus to be started when Windows starts up. The virus continually monitors this registry entry so that any attempt to change or delete the entry will result in the entry being reset with the value described above. W32/Chir-B searches for HTM and HTML files on both the local system and network drives. If files of this type are found in a folder then a file named readme.eml is created in that folder and a line of HTML code is appended to the HTM and HTML files. This HTML code contains a short JavaScript component that is intended to open the file readme.eml. Readme.eml contains a base64 encoded copy of the virus. A second EML file with the same contents as readme.eml may also appear in folders on network drives. This file will have the filename <computername>.eml. The virus also infects Windows executables on both local and network drives but will not infect files in folders matching "wind*" or "winn*", including all sub folders of those folders. This means that files in folders with names such as Windows or Winnt will not be infected. W32/Chir-B employs a technique which will cause the virus to be restarted if its process is terminated. More information about W32/Chir-B can be found at http://www.sophos.com/virusinfo/analyses/w32chirb.html