W32/Chode-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Chode-A is a complex worm with backdoor functionality for the Windows platform.

The worm spreads by emailing itself to email addresses harvested from the infected computer, using its own SMTP engine, and to IM contacts using MSN Instant Messenger.

W32/Chode-A also copies itself to the shared folders of popular peer-to-peer (P2P) file sharing utilities.

Once executed, W32/Chode-A creates a randomly named folder in the Windows system folder, and copies itself there with the filename csrss.exe.

W32/Chode-A also places a shortcut to the csrss.exe file in the Startup folder, and may create the following files in the above-mentioned randomly named folder:

csrss.dat
csrss.ini

To run automatically when Windows starts, the worm sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
csrss
"csrss.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
csrss
"csrss.exe"

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load
"csrss.exe"

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
run
"csrss.exe"

W32/Chode-A also creates the following registry entries:

HKLM\SOFTWARE\Classes\Chode\
Installed
"1"

HKCU\Software\Chode\
Installed
"1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools
"1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
NoAdminPage
"1"
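
The registry entries listed above can be checked for in a registry export. The following is an added example, not Sophos code: it parses .reg export text and reports any of the advisory's entries that are present. The function names and the sample export are constructed for illustration, and it assumes the stored data may be a full path ending in csrss.exe and that the "1" values may be exported as DWORDs.

```python
import re
# Indicators from the advisory: (key, value name, data); data may be a path suffix.
CV = r"\Software\Microsoft\Windows\CurrentVersion"
NT = r"\Software\Microsoft\Windows NT\CurrentVersion\Windows"
INDICATORS = [
    ("HKLM" + CV + r"\Run", "csrss", "csrss.exe"),
    ("HKCU" + CV + r"\Run", "csrss", "csrss.exe"),
    ("HKCU" + NT, "load", "csrss.exe"),
    ("HKCU" + NT, "run", "csrss.exe"),
    (r"HKLM\SOFTWARE\Classes\Chode", "Installed", "1"),
    (r"HKCU\Software\Chode", "Installed", "1"),
    ("HKCU" + CV + r"\Policies\System", "DisableRegistryTools", "1"),
    ("HKCU" + CV + r"\Policies\System", "NoAdminPage", "1"),
]

def norm_key(key):
    # Exports spell hive names out; the advisory abbreviates them.
    key = key.lower().replace("hkey_local_machine", "hklm", 1)
    return key.replace("hkey_current_user", "hkcu", 1)

def norm_data(raw):
    if raw.lower().startswith("dword:"):      # assumption: flag may be a DWORD
        return str(int(raw[6:], 16))
    return raw.strip('"').replace("\\\\", "\\").lower()

def parse_reg(text):
    values, key = {}, None                    # {(key, value name): data}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = norm_key(line[1:-1])
        elif key and (m := re.match(r'"([^"]+)"=(.+)$', line)):
            values[(key, m.group(1).lower())] = norm_data(m.group(2))
    return values

def find_chode_indicators(text):
    values, hits = parse_reg(text), []
    for key, name, want in INDICATORS:
        data = values.get((norm_key(key), name.lower()))
        if data == want or (data and data.endswith("\\" + want)):
            hits.append((key, name, data))
    return hits

# Constructed sample export (not from a real infection); "qzxv" is a made-up folder.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"csrss"="C:\\WINDOWS\\system32\\qzxv\\csrss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Chode]
"Installed"="1"
'''
```

The genuine Windows csrss.exe is not started from Run keys or the load/run values, so any hit on those four entries merits investigation regardless of the folder name.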
