Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 20 April 2005 07:03:13 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Chode-B is a mass-mailing worm with IRC backdoor functionality for the Windows platform. It spreads by sending itself to MSN Instant Messenger contacts and to email addresses harvested from the infected computer, which it collects by searching files with the following extensions:
ADB, ASP, CGI, CTT, DBX, DHTM, DOC, EML, HTM, HTML, MSG, OFT, PHP, PL, RTF, SHT, SHTM, SQL, TBB, TXT, UIN, VBS, WAB, XML
W32/Chode-B skips any address that contains one of the following strings:
antivirus, avp, bitdefender, f-secure, mcafee, messagelabs, microsoft, spam, symantec
W32/Chode-B may arrive in email with the following characteristics:
From: chosen from
securityresponse@symantec.com
security@microsoft.com
security@trendmicro.com
Subject: chosen from
Your computer may have been infected
Warning - you have been infected!
Message text: chosen from
Your message was undeliverable due to the following reason(s):
Your message could not be delivered because the destination server was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.
Your original message has been attached.
Attached file: chosen from
netsky_removal.exe
removal_tool.exe
message.pif
message.scr
W32/Chode-B sends itself to Instant Messenger contacts in a message with the following characteristics:
Message text: chosen from
check out what I just found on some stupid website
dude check this out, it's awesome! :D
haha you have to see this, I almost couldn't believe it! :O
holy shit you have to see this... :|
I just found this on a CD... you won't believe it! :|
LOL! look at this, I can't explain it in words...
omg check this out, it's just wrong :O
ROFL!! you have to see this... wtf...
you have to see this, it freaked me out :S
you have to see this, it's amazing!
Filename: chosen from the following, followed by the SCR or PIF extension:
check this out
gross
my sister's webcam
mypic
naked lesbian twister
paris hilton
picture
rofl
us together
wtf
Once executed, W32/Chode-B displays a fake error message titled "Run-time Error" with the text "Run-time error #7: Out of memory." At the same time it copies itself as csrss.exe into a randomly named folder that it creates in the Windows system folder, and places a link to the copy in the Startup folder.
W32/Chode-B also creates the file cpu.dll in the Windows system folder.
To run automatically when Windows starts up, W32/Chode-B also sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
csrss
csrss.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
csrss
csrss.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
csrss.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
csrss.exe
W32/Chode-B creates the data files csrss.dat and csrss.ini in the randomly named folder in the Windows system folder.
W32/Chode-B embeds a number of applications, including the following, used for retrieving passwords:
MessenPass
Protected Storage Pass View
Intelligent TCPIP.SYS patcher
W32/Chode-B tries to prevent access to a number of anti-virus and security websites, listed below, by modifying the Windows HOSTS file:
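The registry persistence and the HOSTS tampering described above are both cheap to check for during triage. The helpers below are an added example, not Sophos code: the vendor-name watch list, the sample HOSTS lines and the sample registry triples are constructed for illustration, and the registry triples are assumed to have been dumped beforehand (the script does no live registry access, so it runs on any platform).

```python
import ntpath

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Vendor name fragments taken from the advisory's own address filter and lures.
VENDOR_TERMS = ("symantec", "mcafee", "sophos", "f-secure", "trendmicro", "microsoft", "avp")
AUTORUN_KEYS = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
NT_WINDOWS_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"

def audit_hosts(hosts_text):
    """Return (ip, hostname) pairs that point a vendor hostname at a sinkhole."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) < 2 or fields[0] not in SINKHOLE_IPS:
            continue
        for name in fields[1:]:
            if any(term in name.lower() for term in VENDOR_TERMS):
                hits.append((fields[0], name))
    return hits

def _exe_name(command):
    cmd = command.strip()
    cmd = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
    return ntpath.basename(cmd).lower()    # basename of the first (maybe quoted) token

def audit_autoruns(entries):
    """entries: (key, value_name, data) triples dumped from the registry. Flags a Run
    entry launching csrss.exe (the genuine one is started by the session manager,
    never via Run) and any non-empty load/run value, which is normally empty."""
    findings = []
    for key, value_name, data in entries:
        if key in AUTORUN_KEYS and _exe_name(data) == "csrss.exe":
            findings.append(f"{key}\\{value_name} launches {data}")
        elif (key == NT_WINDOWS_KEY and value_name.lower() in ("load", "run")
              and data.strip()):
            findings.append(f"{key}\\{value_name} is set to {data!r}")
    return findings

# Constructed sample input mirroring the modifications the advisory describes.
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com   # appended by the worm
"""
SAMPLE_ENTRIES = [
    (AUTORUN_KEYS[0], "csrss", "csrss.exe"),
    (NT_WINDOWS_KEY, "load", "csrss.exe"),
    (NT_WINDOWS_KEY, "run", "csrss.exe"),
    (AUTORUN_KEYS[1], "Updater", r'"C:\Program Files\Vendor\updater.exe" /quiet'),
]
```

On a real host, feed `audit_hosts` the contents of %SystemRoot%\system32\drivers\etc\hosts and `audit_autoruns` the Run keys plus the load/run values exported from the key shown above.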
W32/Chode-B terminates a number of processes, including those belonging to various anti-virus and security applications.
