Sophos

W32/Chode-C

Aliases
  • WORM_CHOD.GEN

Summary

 
How it spreads
  • Chat programs
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 6 June 2005 20:32:14 (GMT)
Detected by: All Sophos products

More Information

W32/Chode-C is a worm with IRC backdoor functionality.

W32/Chode-C attempts to spread via MSN Instant Messenger, by sending users a message "hey, is this you?" and a link. The link points to a copy of the worm.

When first run, the worm displays the following fake error message:

"Run-time error #7: Out of memory."

The worm includes backdoor functionality to do any of the following:

send emails
download updates
participate in denial-of-service attacks
steal passwords
disable anti-virus products
modify the system HOSTS file

When first run, W32/Chode-C copies itself to a randomly named subfolder of the Windows system folder as csrss.exe. The worm may also create the file <Windows system folder>\cpu.dll.

W32/Chode-C creates the following registry entries in order to run itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
csrss
<path to copy of worm>\csrss.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
csrss
<path to copy of worm>\csrss.exe

The worm creates the following further registry entries:

HKCU\Software\Chode
Installed
1

HKCR\Chode
Installed
1

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Run
<path to copy of worm>\csrss.exe
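
The registry entries listed above can be checked mechanically. The following is an added example, not Sophos code: it scans (key, value name, data) tuples, such as rows parsed from a registry export, for the autostart values and marker keys in this description. The function name, the `system_dir` default and the sample entries are assumptions made for illustration.

```python
import ntpath

HIVES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm",
         "hkey_classes_root": "hkcr"}
# (subkey, value name) pairs the description lists as autostart points.
AUTORUN_VALUES = {
    (r"software\microsoft\windows\currentversion\run", "csrss"),
    (r"software\microsoft\windows nt\currentversion\windows", "run"),
}
# Marker keys the description lists, each holding Installed = 1.
MARKER_KEYS = {r"hkcu\software\chode", r"hkcr\chode"}


# system_dir is an assumption: the system folder of the host being examined.
def find_chode_indicators(entries, system_dir=r"C:\Windows\System32"):
    """Return (key, value_name, reason) for matching (key, name, data) entries."""
    sysdir = ntpath.normcase(ntpath.normpath(system_dir))
    hits = []
    for key, name, data in entries:
        hive, _, subkey = key.lower().rstrip("\\").partition("\\")
        full = HIVES.get(hive, hive) + "\\" + subkey
        if full in MARKER_KEYS and name.lower() == "installed":
            hits.append((key, name, "Chode install marker"))
            continue
        if (subkey, name.lower()) not in AUTORUN_VALUES:
            continue
        target = ntpath.normcase(ntpath.normpath(data.strip().strip('"')))
        if ntpath.basename(target) != "csrss.exe":
            continue
        # The genuine csrss.exe sits directly in the system folder and is
        # never started from a Run value, so any hit here is suspicious.
        parent = ntpath.dirname(target)
        if parent == sysdir:
            reason = "csrss.exe started from an autorun value"
        elif parent.startswith(sysdir + "\\"):
            reason = "csrss.exe in a subfolder of the system folder"
        else:
            reason = "csrss.exe outside the system folder"
        hits.append((key, name, reason))
    return hits


# Constructed sample entries (not from a real host); "xkqpz" is a made-up folder.
SAMPLE = [
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "csrss", r"C:\Windows\System32\xkqpz\csrss.exe"),
    ("HKCU\\Software\\Chode", "Installed", "1"),
    ("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows", "Run", r"C:\WINDOWS\system32\xkqpz\csrss.exe"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater", r"C:\Program Files\Example\updater.exe"),
]
```

Calling `find_chode_indicators(SAMPLE)` returns three hits: the two autostart values pointing at a csrss.exe in a subfolder of the system folder, and the install marker.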

W32/Chode-C may drop any of the following applications, used in particular for stealing passwords:

MessenPass
Protected Storage Pass View
Intelligent TCPIP.SYS patcher
