W32/Chode-E

Please follow the instructions for removing worms.

Please contact technical support.

W32/Chode-E is a worm with IRC backdoor functionality.

W32/Chode-E attempts to spread via MSN Instant Messenger, by sending users a message "hey, is this you?" and a link. The link points to a copy of the worm.

The worm includes backdoor functionality to do any of the following:

send emails
download updates
participate in denial-of-service attacks
steal passwords
disable anti-virus products
modify the system HOSTS file

When first run W32/Chode-E copies itself to a randomly named subfolder of the Windows system folder as csrss.exe.

W32/Chode-E creates the following registry entries in order to run itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
csrss
<path to copy of worm>\csrss.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
csrss
<path to copy of worm>\csrss.exe

The following registry entry is set, disabling the registry editor:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

W32/Chode-E sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoAdminPage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0

Registry entries are created under:

HKCU\Software\Chode\
HKCR\Chode\

W32/Chode-E may drop any of the following applications, used in particular for stealing passwords:

Protected Storage Pass View
Intelligent TCPIP.SYS patcher

Intelligent TCPIP.SYS patcher can be used to modify TCPIP.SYS on Windows XP with service pack 2 so that more than 10 queued TCP connection attempts are allowed at one time.