Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 18 March 2005 13:54:15 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please contact technical support.
More Information
W32/Chode-A is a complex worm with backdoor functionality for the Windows platform.
The worm spreads by emailing itself to email addresses harvested from the infected computer, using its own SMTP engine, and to IM contacts using MSN Instant Messenger.
W32/Chode-A also copies itself to the shared folders of popular peer-to-peer (P2P) file sharing utilities.
Once executed, W32/Chode-A creates a randomly named folder in the Windows system folder, and copies itself there with the filename csrss.exe.
W32/Chode-A also places a shortcut to the csrss.exe file in the Startup folder, and may create the following files in the randomly named folder described above:
csrss.dat
csrss.ini
To run automatically when Windows starts up, the worm sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
csrss
"csrss.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
csrss
"csrss.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load
"csrss.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
run
"csrss.exe"
W32/Chode-A also creates the following registry entries:
HKLM\SOFTWARE\Classes\Chode\
Installed
"1"
HKCU\Software\Chode\
Installed
"1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools
"1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
NoAdminPage
"1"
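The following read-only PowerShell check is an added example, not part of the original Sophos description. It looks for the registry entries listed above and for the worm's file names one level below the Windows system folder. It assumes the legitimate csrss.exe sits directly in the system folder, so a copy in a subfolder is a lead to triage rather than a verdict.

```powershell
# Added example: read-only triage for the W32/Chode-A artefacts listed in this description.
# Pattern is compared with -like: '*csrss.exe*' is a substring match, '1' is an exact match.
$cv   = 'Software\Microsoft\Windows\CurrentVersion'
$cvNT = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'
$indicators = @(
    @{ Key = "HKLM:\$cv\Run";                Name = 'csrss';                Pattern = '*csrss.exe*' },
    @{ Key = "HKCU:\$cv\Run";                Name = 'csrss';                Pattern = '*csrss.exe*' },
    @{ Key = "HKCU:\$cvNT";                  Name = 'load';                 Pattern = '*csrss.exe*' },
    @{ Key = "HKCU:\$cvNT";                  Name = 'run';                  Pattern = '*csrss.exe*' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\Chode'; Name = 'Installed';            Pattern = '1' },
    @{ Key = 'HKCU:\Software\Chode';         Name = 'Installed';            Pattern = '1' },
    @{ Key = "HKCU:\$cv\Policies\System";    Name = 'DisableRegistryTools'; Pattern = '1' },
    @{ Key = "HKCU:\$cv\Policies\System";    Name = 'NoAdminPage';          Pattern = '1' }
)
$findings = New-Object System.Collections.Generic.List[object]

foreach ($i in $indicators) {
    $item = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }          # key or value absent
    $value = [string]$item.($i.Name)
    if ($value -like $i.Pattern) {
        $findings.Add([pscustomobject]@{ Type = 'Registry'; Location = "$($i.Key)\$($i.Name)"; Value = $value })
    }
}

# The worm's files sit in a randomly named folder inside the system folder, so look one level down.
$sysDir = [Environment]::SystemDirectory
foreach ($dir in Get-ChildItem -LiteralPath $sysDir -Directory -ErrorAction SilentlyContinue) {
    foreach ($name in 'csrss.exe', 'csrss.dat', 'csrss.ini') {
        $path = Join-Path $dir.FullName $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings.Add([pscustomobject]@{ Type = 'File'; Location = $path; Value = '' })
        }
    }
}

if ($findings.Count -eq 0) { 'No W32/Chode-A artefacts from this description were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The HKCU entries are per user, so run the check in the context of each account being examined.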

