Sophos

W32/Chode-A

Aliases
  • W32/NoChod@MM
  • WORM_CHOD.A

Summary

 
How it spreads
  • Email messages
  • Email attachments
  • Peer-to-peer
Affected operating systems: Windows
Protection available since: 18 March 2005 13:54:15 (GMT)
Detected by: All Sophos products


More Information

W32/Chode-A is a complex worm with backdoor functionality for the Windows platform.

The worm spreads by emailing itself to email addresses harvested from the infected computer, using its own SMTP engine, and to IM contacts using MSN Instant Messenger.

W32/Chode-A also copies itself to the shared folders of popular peer-to-peer (P2P) file sharing utilities.

Once executed, W32/Chode-A creates a randomly named folder in the Windows system folder, and copies itself there with the filename csrss.exe.

W32/Chode-A also places a shortcut to the csrss.exe file in the Startup folder, and may create the following files in the randomly named folder mentioned above:

csrss.dat
csrss.ini

To run automatically when Windows starts, the worm sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
csrss
"csrss.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
csrss
"csrss.exe"

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load
"csrss.exe"

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
run
"csrss.exe"

W32/Chode-A also creates the following registry entries:

HKLM\SOFTWARE\Classes\Chode\
Installed
"1"

HKCU\Software\Chode\
Installed
"1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools
"1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
NoAdminPage
"1"

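The registry entries listed above can be checked offline against a `reg export` dump taken from a suspect machine. The following Python is an added example, not Sophos code: the function names and the sample export are constructed, and it assumes the values are exported as strings or DWORDs and that the autostart data may be a full path ending in csrss.exe.

```python
import re

# Indicators copied from the description above; "csrss.exe" is compared by file name only.
INDICATORS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", "csrss", "csrss.exe"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "csrss", "csrss.exe"),
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Windows", "load", "csrss.exe"),
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Windows", "run", "csrss.exe"),
    ("HKLM", r"SOFTWARE\Classes\Chode", "Installed", "1"),
    ("HKCU", r"Software\Chode", "Installed", "1"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "1"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoAdminPage", "1"),
]
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Constructed sample export (not taken from a real host); the folder name is made up.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"csrss"="C:\\WINDOWS\\system32\\qwxzk\\csrss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoAdminPage"=dword:00000000
"""

def parse_reg(text):
    """Parse .reg export text into {(hive, key, value name): data}, names lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = re.fullmatch(r"\[([^\\\]]+)\\(.+)\]", line)
            key = (HIVES.get(m.group(1).upper(), m.group(1)), m.group(2).lower()) if m else None
        elif key and (m := re.fullmatch(r'"([^"]+)"=(.+)', line)):
            raw = m.group(2)
            # dword:00000001 -> "1"; quoted strings lose their quotes and .reg escaping
            data = (str(int(raw[6:], 16)) if raw.lower().startswith("dword:")
                    else raw.strip('"').replace("\\\\", "\\"))
            values[key + (m.group(1).lower(),)] = data
    return values

def find_chode_indicators(reg_text):
    """Return the indicators from the list above that are present in the export."""
    values, hits = parse_reg(reg_text), []
    for hive, path, name, expected in INDICATORS:
        data = values.get((hive, path.lower(), name.lower()), "")
        found = data.lower().rsplit("\\", 1)[-1] if expected.endswith(".exe") else data
        if found == expected:
            hits.append(f"{hive}\\{path}\\{name} = {data}")
    return hits
```

Calling `find_chode_indicators(SAMPLE)` returns the matching entries as strings; an empty list means none of the listed values were present in the export.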