Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 20 September 2005 21:03:28 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Chode-I is a messenger worm with IRC backdoor functionality for the Windows platform that spreads by sending itself to IM contacts using MSN Instant Messenger.
When first run, W32/Chode-I copies itself to <System>\<random name>\kernel32.exe and creates the file <Temp>\temp.bat. The file temp.bat is a harmless batch file.
W32/Chode-I sends itself to IM contacts in a message with the following characteristics:
Message text chosen from:
Hej, did you download the new MSN yet? :D
lol check out MSN Plus...it ownz! :o
Automessage : Download MSN Plus:
lol, this is awsome...:|
Want more msn emotions? :D
MSN 8.0 Beta released....get it here :D
Hej, wanna update your Messenger :D ?
dude, this is awesome... a must see! :D
lol I just updated my Messenger and I must say IT ROCKS!!
Check this out mate, it roxxx :D !!
To run automatically when Windows starts, W32/Chode-I also sets the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
kernel32
<path to worm>
The worm changes the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\srsservice
Start
4
HKCU\Software\Microsoft\MessengerService
PassportBallon
4
W32/Chode-I terminates a number of processes including those related to various AV and security applications. The worm contains functions to perform DDoS (Distributed Denial of Service) attacks.
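The registry changes listed above can be checked offline against a registry export. The following is an added example, not Sophos code: it parses `.reg` export text and reports the Run value and the three entries set to 4. The function names, the sample export and the `qzxv` folder name are constructed for illustration, and treating `PassportBallon` as either a DWORD or a string is an assumption, since the description does not give its type.

```python
import re

# Indicators from the description above, lowercased with reg export's long hive names.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SET_TO_4 = {
    r"hkey_local_machine\system\currentcontrolset\services\sharedaccess": "start",
    r"hkey_local_machine\system\currentcontrolset\services\srsservice": "start",
    r"hkey_current_user\software\microsoft\messengerservice": "passportballon",
}

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: int | str}} (names lowercased)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    return keys

def chode_indicators(text):
    """Return findings that match the registry changes listed for W32/Chode-I."""
    keys, hits = parse_reg(text), []
    run_value = keys.get(RUN_KEY, {}).get("kernel32")
    if isinstance(run_value, str):
        hits.append(f"Run\\kernel32 -> {run_value}")
    for key, name in SET_TO_4.items():
        if str(keys.get(key, {}).get(name)) == "4":  # Start = 4 means the service is disabled
            hits.append(f"{key}\\{name} = 4")
    return hits

# Constructed sample export (not captured from a real infection).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kernel32"="C:\\WINDOWS\\system32\\qzxv\\kernel32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srsservice]
"Start"=dword:00000002
'''
```

Files written by `reg export` are UTF-16 encoded, so read them with `open(path, encoding="utf-16")` before passing the text to `chode_indicators`.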
